Identity Management
Segregation of duties
Segregation of duties is one of the core principles of risk management: it
aims to prevent corruption and fraud by implementing proper controls. For
example, a user cannot approve a request they have made themselves. This is
the justification for implementing two-step request/authorise functionality
in IAM.
Auditability
Any action that is deemed to be significant within a system needs to be
logged with all relevant details surrounding it: who did it and when, what
the purpose was, who authorised it, and so on. Audit logs must be reliably
produced whenever such sensitive actions are performed, and the logs must be
secured against tampering or loss. Audit functions are a big part of an
IAM system.
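As an added illustration of both principles above (example code, not from this book), the following hypothetical Python workflow rejects self-authorisation of a request and records every significant action, including the refused attempt, in a hash-chained audit log whose integrity can be re-checked; all class, method and field names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone


class SegregationOfDutiesError(Exception):
    """Raised when a user tries to authorise a request they made themselves."""


class AccessRequestWorkflow:
    """Hypothetical IAM workflow: each significant action is audit-logged, and
    each entry is hash-chained to its predecessor so tampering or loss shows."""
    def __init__(self):
        self.requests = {}    # request_id -> {"requester", "role", "status"}
        self.audit_log = []   # append-only list of chained entries
        self._next_id = 1

    def _audit(self, who, action, request_id, purpose, authorised_by=None):
        prev_hash = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = {"seq": len(self.audit_log), "who": who, "action": action,
                 "when": datetime.now(timezone.utc).isoformat(),
                 "request_id": request_id, "purpose": purpose,
                 "authorised_by": authorised_by, "prev_hash": prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)

    def submit(self, requester, role, purpose):
        request_id, self._next_id = self._next_id, self._next_id + 1
        self.requests[request_id] = {"requester": requester, "role": role,
                                     "status": "pending"}
        self._audit(requester, "request", request_id, purpose)
        return request_id

    def authorise(self, approver, request_id, purpose):
        req = self.requests[request_id]
        if approver == req["requester"]:
            # Segregation of duties: record the refused attempt, then reject it.
            self._audit(approver, "authorise_denied", request_id, purpose)
            raise SegregationOfDutiesError("requester cannot authorise own request")
        req["status"] = "approved"
        self._audit(approver, "authorise", request_id, purpose, authorised_by=approver)

    def verify_audit_log(self):
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev_hash = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev_hash"] != prev_hash or digest != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True
```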
The Open Web Application Security Project (OWASP) lists a few more
principles that you may want to cover off as well:
https://www.owasp.org/index.php/Category:Principle