Identity Verification, Authorization Design, and Access Monitoring

This chapter covers how organizations identify users, verify identity, grant permissions, and monitor access. ISC often tests this topic by asking whether access is appropriately limited, reviewed, and aligned with job responsibility.

In This Chapter

• Identification vs. Authentication vs. Authorization clarifies the core access concepts that are often confused.
• Password Policies, Multi‑Factor Authentication, Single Sign‑On covers common authentication methods and design choices.
• Role‑Based Access and the Principle of Least Privilege explains how permissions should be structured and restricted.
• Monitoring Tools: Logging and Access Reviews focuses on the evidence used to confirm that access remains appropriate.

How to Use This Chapter

• Read this chapter when access-control questions blur policy, identity, and privilege concepts together.
• Focus on who should have access, how that access is proven, and how it is monitored over time.
• Return here whenever an ISC scenario involves excessive privilege, weak authentication, or poor access review.

In this section

• Identification, Authentication, Authorization, and Why They Differ
  Identification, authentication, authorization, and why the distinctions matter.
• Password Policies, Multi-Factor Authentication, and Single Sign-On
  Password policies, MFA, and SSO design choices.
• Role-Based Access Design and the Principle of Least Privilege
  Role-based access design and least-privilege control logic.
• Logging, Access Reviews, and Monitoring Evidence
  Logging, access reviews, and monitoring evidence for access controls.