Chapter 13 ■ Managing Identity and Authentication
accurately. It is also critical that the identity of the individual being enrolled be proved
through whatever means your organization deems necessary and sufficient. Photo ID, birth
certificate, background check, credit check, security clearance verification, FBI database
search, and even calling references are all valid forms of verifying a person’s identity before
enrolling them in any secured system.
Many organizations have automated provisioning systems. For example, once a person is
hired, the HR department completes initial identification and in-processing steps and then
forwards a request to the IT department to create an account. Users within the IT department
enter information such as the employee’s name and their assigned department via an
application. The application then creates the account using predefined rules. Automated
provisioning systems create accounts consistently, such as always creating usernames
the same way and treating duplicate usernames consistently. If the policy dictates that
usernames include first and last names, then the application will create a username as
suziejones for a user named Suzie Jones. If the organization hires a second employee
with the same name, then the second username might be suziejones2.
If the organization is using groups (or roles), the application can automatically add the
new user account to the appropriate groups based on the user’s department or job responsibilities.
The groups will already have appropriate privileges assigned, so this step provisions
the account with appropriate privileges.
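
The provisioning rules described above, as an added example that is not from the book: a username policy of first plus last name, a numeric suffix for duplicates (following the suziejones2 illustration), and group membership derived from the department. The department names, group names, and the `Provisioner` class are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed department-to-group mapping (hypothetical names). Privileges are
# assumed to be assigned to the groups already, never directly to the account.
DEPARTMENT_GROUPS = {
    "Sales": ["all-staff", "sales"],
    "IT": ["all-staff", "it-support"],
}


def base_username(first, last):
    """Apply the policy: first name + last name, lowercase ASCII letters only."""
    raw = unicodedata.normalize("NFKD", first + last)
    raw = raw.encode("ascii", "ignore").decode("ascii").lower()
    name = re.sub(r"[^a-z]", "", raw)
    if not name:
        raise ValueError("name yields an empty username")
    return name


class Provisioner:
    def __init__(self):
        self.accounts = {}  # username -> account record

    def provision(self, first, last, department):
        # Reject unknown departments instead of guessing at group membership.
        if department not in DEPARTMENT_GROUPS:
            raise ValueError(f"no group mapping for department {department!r}")
        base = base_username(first, last)
        username, n = base, 1
        # Duplicate rule: suziejones, suziejones2, suziejones3, ...
        # The base contains letters only, so a suffix never collides with a base.
        while username in self.accounts:
            n += 1
            username = f"{base}{n}"
        self.accounts[username] = {
            "display_name": f"{first} {last}",
            "department": department,
            "groups": list(DEPARTMENT_GROUPS[department]),
        }
        return username


if __name__ == "__main__":
    p = Provisioner()
    print(p.provision("Suzie", "Jones", "Sales"))
    print(p.provision("Suzie", "Jones", "IT"))
    print(p.accounts["suziejones2"]["groups"])
```
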
As part of the hiring process, new employees should be trained on organization security
policies and procedures. Before hiring is complete, employees are typically required to
review and sign an agreement committing to uphold the organization’s security standards.
This often includes an acceptable use policy.
Throughout the life of a user account, ongoing maintenance is required. Organizations
with static organizational hierarchies and low employee turnover or promotion will conduct
significantly less account administration than an organization with a flexible or
dynamic organizational hierarchy and high employee turnover and promotion rates. Most
account maintenance deals with altering rights and privileges. Procedures similar to those
used when creating new accounts should be established to govern how access is changed
throughout the life of a user account. Unauthorized increases or decreases in an account’s
access capabilities can cause serious security repercussions.