Table 9.13 Applied IA² Summary: Identity and Privilege Management

| IA² Topic | Description |
| --- | --- |
| Mechanism | Identity and privilege management |
| Drivers | Provide a common and consistent capability for people and entity identification as well as a manner to specify their privileges and enforce the restriction of using privileges. |
| IA² view | Applicable IA² views: People, policy, business process, systems and applications, information/data, infrastructure (technical, physical) |
| IA core principles | Applicable IA core principles: Confidentiality-integrity-availability (CIA); Authenticity-utility (AU); Privacy-authorized use-nonrepudiation (PAN) |
| Compliance requirements | Legislative, policy, guidelines, government directives, or other requirements specifically calling out or implying the use of identities and the enforcement of the use of privileges |
| ELCM application | Applicable ELCM elements: Develop/acquire, implement, test, O&M |
| Verification | Formal C&A; integration testing; penetration testing using false identities and attempting to use privileges not associated with the identification or not permitted with the identification |
| Operations | Applicable IA operations cycle phases: Anticipate, defend, monitor, respond |

decision of deny request, grant request, or provisionally grant/deny request. A provisional decision may involve requesting additional identification, granting a partial answer to the request, or some other variation that is neither an explicit grant nor an explicit deny.
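
The three-way decision described above, as an added example that is not code from the original text. The policy table, identities, privilege names, and the decide function are constructed for illustration; the two denial cases mirror the verification row of Table 9.13 (a false identity, and a privilege not associated with the identification).

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    GRANT = "grant"
    DENY = "deny"
    PROVISIONAL = "provisional"


@dataclass(frozen=True)
class Result:
    decision: Decision
    released: frozenset = frozenset()   # fields the requester may see
    needed: frozenset = frozenset()     # further identification to request
    audit: str = ""                     # internal reason, never shown to the requester


# Constructed sample policy: identity -> privilege -> (required factors, permitted fields)
POLICY = {
    "alice": {"read_payroll": ({"password", "token"}, {"name", "grade", "salary"})},
    "bob": {"read_payroll": ({"password"}, {"name", "grade"})},
}


def decide(identity, privilege, factors, fields):
    """Return grant, deny, or a provisional decision for one request."""
    rule = POLICY.get(identity, {}).get(privilege)
    if rule is None:
        # Unknown identity and unassociated privilege get the same outward answer.
        why = "unknown identity" if identity not in POLICY else "privilege not associated"
        return Result(Decision.DENY, audit=why)
    required, permitted = rule
    missing = frozenset(required) - frozenset(factors)
    if missing:
        # Provisional: release nothing, ask for additional identification.
        return Result(Decision.PROVISIONAL, needed=missing, audit="step-up required")
    allowed = frozenset(fields) & frozenset(permitted)
    if not allowed:
        return Result(Decision.DENY, audit="no requested field permitted")
    if allowed == frozenset(fields):
        return Result(Decision.GRANT, released=allowed, audit="full grant")
    # Provisional: partial answer limited to the permitted subset.
    return Result(Decision.PROVISIONAL, released=allowed, audit="partial answer")
```

Only the decision, released fields, and needed factors would go back to the requester; the audit reason stays in the log so that a denial does not reveal whether the identity exists.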
Business drivers behind identification and authentication include protecting corporate knowledge assets from the following:

- Disclosure (e.g., confidentiality)
- Unauthorized modification (e.g., integrity)
- Destruction (e.g., availability)
- Theft (e.g., possession)
- Restricting use of cost-generating services like unauthorized toll calls (e.g., authorized use)
- Protecting corporate and stakeholder interests in discretion (e.g., privacy)