iso27diy-corp/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/a-5.16-Identity-management.md


5.16 Identity management

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Identity_and_access_management | #Protection |

**Control** The full life cycle of identities should be managed.

**Purpose** To allow for the unique identification of individuals and systems accessing the organization's information and other associated assets and to enable appropriate assignment of access rights.

**Guidance** The processes used in the context of identity management should ensure that:

a) for identities assigned to persons, a specific identity is only linked to a single person to be able to hold the person accountable for actions performed with this specific identity;

b) identities assigned to multiple persons (e.g. shared identities) are only permitted where they are necessary for business or operational reasons and are subject to dedicated approval and documentation;

c) identities assigned to non-human entities are subject to appropriately segregated approval and independent ongoing oversight;

d) identities are disabled or removed in a timely fashion if they are no longer required (e.g. if their associated entities are deleted or no longer used, or if the person linked to an identity has left the organization or changed the role);

e) in a specific domain, a single identity is mapped to a single entity, [i.e. mapping of multiple identities to the same entity within the same context (duplicate identities) is avoided];

f) records of all significant events concerning the use and management of user identities and of authentication information are kept.

The organization should have a supporting process in place to handle changes to information related to user identities. These processes can include re-verification of trusted documents related to a person.

When using identities provided or issued by third parties (e.g. social media credentials), the organization should ensure the third-party identities provide the required trust level and any associated risks are known and sufficiently treated. This can include controls related to the third parties (see 5.19) as well as controls related to associated authentication information (see 5.17).
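As an added illustration (not part of the standard or of this repository), the following audit script checks a set of identity records against guidance items a) to e) above: one accountable person per personal identity, documented approval for shared identities, segregated approval and independent oversight for non-human identities, timely disabling of leaver and dormant identities, and no duplicate identities for one entity within a domain. The record fields, the sample data and the 90-day idle threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date

# Identity record; field names are assumptions for this example, not ISO 27002 terms.
@dataclass
class Identity:
    name: str
    domain: str
    kind: str              # "person", "shared" or "non-human"
    owner: str             # person or team accountable for the identity ("" if none)
    active: bool
    last_used: date        # last authentication seen in the logs
    approved: bool = False # documented approval (items b and c)
    overseer: str = ""     # independent reviewer for non-human identities (item c)
    owner_left: bool = False  # HR flag: linked person left or changed role (item d)

def audit(identities, today, max_idle_days=90):
    """Return (identity, guidance item, finding) for each violation of items a to e."""
    findings = []
    seen = {}  # (domain, owner) -> first identity name, to spot duplicates (item e)
    for i in identities:
        if i.kind == "person" and not i.owner:
            findings.append((i.name, "a", "not linked to a single accountable person"))
        if i.kind == "shared" and not i.approved:
            findings.append((i.name, "b", "shared identity without documented approval"))
        if i.kind == "non-human" and (not i.approved or i.overseer in ("", i.owner)):
            findings.append((i.name, "c", "no segregated approval or independent oversight"))
        if i.active and i.owner_left:
            findings.append((i.name, "d", "still active after the linked person left or changed role"))
        elif i.active and (today - i.last_used).days > max_idle_days:
            findings.append((i.name, "d", f"unused for more than {max_idle_days} days"))
        if i.kind == "person" and i.active and i.owner:
            prior = seen.setdefault((i.domain, i.owner), i.name)
            if prior != i.name:
                findings.append((i.name, "e", f"duplicate of {prior} for {i.owner} in {i.domain}"))
    return findings

# Constructed sample records: one clean identity plus one violation of each item b to e.
TODAY = date(2024, 6, 10)
SAMPLE = [
    Identity("jdoe", "corp", "person", "Jane Doe", True, date(2024, 6, 1)),
    Identity("jdoe2", "corp", "person", "Jane Doe", True, date(2024, 6, 1)),
    Identity("ops-shared", "corp", "shared", "Ops team", True, date(2024, 6, 1)),
    Identity("svc-backup", "corp", "non-human", "Bob", True, date(2024, 6, 1), approved=True, overseer="Bob"),
    Identity("asmith", "corp", "person", "Al Smith", True, date(2024, 6, 1), owner_left=True),
    Identity("legacy", "corp", "person", "Cy Lee", True, date(2023, 1, 1)),
]
if __name__ == "__main__":
    for name, item, finding in audit(SAMPLE, TODAY):
        print(f"{name}: item {item}: {finding}")
```

Item f) (keeping records of significant identity events) is the input side of such a check: the `last_used` value only exists if authentication events are logged and retained.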

**Other information** Providing or revoking access to information and other associated assets is usually a multi-step procedure:

a) confirming the business requirements for an identity to be established;

b) verifying the identity of an entity before allocating them a logical identity;

c) establishing an identity;

d) configuring and activating the identity. This also includes configuration and initial setup of related authentication services;

e) providing or revoking specific access rights to the identity, based on appropriate authorization or entitlement decisions (see 5.18).