Authentication, authorization, least privilege, and access monitoring.
This chapter covers how organizations identify users, verify identity, grant permissions, and monitor access. ISC often tests this topic by asking whether access is appropriately limited, reviewed, and aligned with job responsibility.
Access-management questions should separate identity proof, authentication strength, authorization design, and ongoing monitoring. A control can be strong in one layer and weak in another.

| Access layer | What the control proves | Common ISC trap |
|---|---|---|
| Identification, authentication, and authorization | Whether the user is named, verified, and permitted to act. | Using the terms interchangeably. |
| Passwords, MFA, and SSO | Whether the authentication method resists compromise without adding unmanaged risk. | Assuming SSO is secure without considering MFA, session control, and provisioning. |
| Role-based access and least privilege | Whether permissions match current job responsibility. | Granting broad access for convenience and calling it efficiency. |
| Logging and access reviews | Whether access activity and entitlements are monitored over time. | Designing access controls without evidence that they keep working. |

| Step | ISC question to ask | Control implication |
|---|---|---|
| 1. Establish identity | How is the user, service account, or administrator uniquely identified? | Accountability fails when activity cannot be tied to a specific identity. |
| 2. Verify authentication strength | What proof, factor, session control, or federation mechanism confirms the identity? | Weak authentication can undermine well-designed authorization rules. |
| 3. Authorize least privilege | What access is needed for the role, and what access should be denied? | Permission design should follow job need, not convenience or legacy access. |
| 4. Provision and deprovision access | Who approves changes, and how quickly are transfers or terminations reflected? | Access risk often arises when old permissions remain after job changes. |
| 5. Monitor and review activity | What logs, exception reports, and entitlement reviews show that access remains appropriate? | The exam often distinguishes design from ongoing operating effectiveness. |
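The five steps above read as one procedure, and the part of it that an auditor can actually test with evidence is steps 3 through 5: compare what each identity holds against its current role, against HR status, and against the activity log. The following script is an added worked example, not part of the chapter, showing that comparison in code. The role matrix, segregation-of-duties pairs, user names, entitlement strings and log-line format are all constructed for illustration and do not describe any real system.

```python
# Added example (not from the chapter): an entitlement review tying steps 3-5 together.
# Every role, entitlement, user and log line below is constructed for illustration.
from dataclasses import dataclass
from datetime import date
import re

# Step 3: the entitlements each job role is allowed to hold (constructed role matrix).
ROLE_MATRIX = {
    "ap_clerk": {"erp.ap.invoice_entry", "erp.ap.vendor_view"},
    "ap_manager": {"erp.ap.invoice_entry", "erp.ap.invoice_approve", "erp.ap.vendor_view"},
    "vendor_master": {"erp.ap.vendor_edit", "erp.ap.vendor_view"},
    "dba": {"db.prod.admin"},
}
# Segregation-of-duties pairs that one identity should never hold together (constructed).
SOD_CONFLICTS = [
    ("erp.ap.vendor_edit", "erp.ap.invoice_entry"),
    ("erp.ap.vendor_edit", "erp.ap.invoice_approve"),
]

@dataclass
class Worker:
    user: str
    role: str
    active: bool
    last_change: date  # hire, transfer or termination date from HR

@dataclass
class Finding:
    user: str
    kind: str
    detail: str

# Step 4 input: HR roster as of the review date (constructed).
SAMPLE_ROSTER = [
    Worker("alice", "ap_clerk", True, date(2023, 6, 1)),
    Worker("bob", "vendor_master", True, date(2024, 3, 1)),  # transferred from ap_clerk
    Worker("carol", "dba", False, date(2024, 2, 15)),        # terminated
    Worker("dave", "dba", True, date(2022, 1, 10)),
]
# Step 5 input: entitlement export from the systems under review (constructed).
SAMPLE_ENTITLEMENTS = {
    "alice": {"erp.ap.invoice_entry", "erp.ap.vendor_view"},
    "bob": {"erp.ap.vendor_edit", "erp.ap.vendor_view", "erp.ap.invoice_entry"},
    "carol": {"db.prod.admin"},
    "dave": {"db.prod.admin"},
    "svc_batch": {"db.prod.admin"},  # no HR owner at all
}
# Steps 1 and 5 input: access log lines in a constructed "time user= action=" format.
SAMPLE_LOG = [
    "2024-03-30T09:12:00Z user=alice action=erp.ap.invoice_entry",
    "2024-03-30T09:40:00Z user=admin action=erp.ap.invoice_approve",
    "2024-03-30T10:05:00Z user=dave action=db.prod.admin",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)$")

def review_entitlements(roster, entitlements, review_date):
    """Compare granted entitlements with HR status and the role matrix."""
    findings = []
    owners = {w.user: w for w in roster}
    for user, granted in entitlements.items():
        worker = owners.get(user)
        if worker is None:  # nobody accountable for this account
            findings.append(Finding(user, "orphan_account",
                                    "no HR owner: shared, generic or unmanaged service account"))
            continue
        if not worker.active:  # deprovisioning lag after termination
            days = (review_date - worker.last_change).days
            findings.append(Finding(user, "terminated_active",
                                    f"still holds {sorted(granted)} {days} days after termination"))
            continue
        excess = granted - ROLE_MATRIX.get(worker.role, set())  # legacy access after a transfer
        if excess:
            findings.append(Finding(user, "excess_privilege",
                                    f"beyond role {worker.role}: {sorted(excess)}"))
        for a, b in SOD_CONFLICTS:
            if a in granted and b in granted:
                findings.append(Finding(user, "sod_conflict", f"{a} with {b}"))
    return findings

def untraceable_actions(log_lines, roster):
    """Return log lines whose acting account cannot be tied to a named worker."""
    owners = {w.user for w in roster}
    return [line for line in log_lines
            if (m := LOG_RE.match(line)) is None or m.group("user") not in owners]

def run_sample_review():
    """Run both checks over the constructed data with a review date of 2024-03-31."""
    findings = review_entitlements(SAMPLE_ROSTER, SAMPLE_ENTITLEMENTS, date(2024, 3, 31))
    return findings, untraceable_actions(SAMPLE_LOG, SAMPLE_ROSTER)

if __name__ == "__main__":
    found, untraced = run_sample_review()
    for f in found:
        print(f"{f.kind:18} {f.user:10} {f.detail}")
    for line in untraced:
        print(f"untraceable_activity  {line}")
```

Run against the constructed data, the review flags bob's leftover invoice-entry right from his old role (and the segregation conflict it creates with vendor editing), carol's administrator access 45 days after termination, the ownerless svc_batch account, and one log entry performed by a generic admin account that no named person can be held to. Each finding maps to a step in the table: the first two are authorization and lifecycle failures, the last two are identity failures that only monitoring evidence would reveal.
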

| Checkpoint | Ask before concluding | ISC control effect |
|---|---|---|
| Unique identity | Can each action be traced to a named user, service account, or administrator? | Shared or generic accounts weaken accountability and investigation. |
| Authentication strength | Are password rules, MFA, SSO, and session controls appropriate for the risk level? | Strong role design cannot compensate for weak identity verification. |
| Authorization fit | Do roles and privileges match current job duties and segregation needs? | Excessive access increases error, fraud, and confidentiality risk. |
| Lifecycle control | Are onboarding, transfer, termination, and periodic review procedures timely and documented? | Access that was once appropriate can become inappropriate after role changes. |
| Monitoring evidence | Do logs, alerts, and access-review signoffs show the control operated? | ISC questions often distinguish a designed policy from evidence of operation. |