Identity and Access Provisioning Lifecycle
Organizations must adopt formal policies and procedures to address account provisioning, review, and revocation.
When new or temporary employees, contractors, partners, auditors, and other third parties require access to an organization’s systems and networks, the organization must have a formal methodology for assessing risk and assigning appropriate access rights. New accounts must be provisioned correctly and in a timely manner so that access is ready when the user needs it, but not so early that an account not yet in active use sits idle where an attacker could compromise it before its owner ever logs in.
User and system accounts, along with their assigned privileges, should be reviewed on a regular basis to ensure that they are still appropriate. For example, an employee may no longer require the same privilege levels due to rotation of duties (see Chapter 6) or a transfer or promotion.
Finally, when access is no longer required, accounts must be promptly disabled.
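As an added example (not code from the book), the following Python audit walks a constructed account inventory and flags accounts that break one of the three lifecycle rules above: enabled too far ahead of the start date while still unused, overdue for a privilege review, or still enabled after the user has left. The two-day lead time and 90-day review interval are assumed policy values, not figures from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Account:
    user: str
    enabled: bool
    start_date: date               # first day the person needs access
    end_date: Optional[date]       # separation or contract end; None if still engaged
    last_review: Optional[date]    # last privilege review; None if never reviewed
    last_login: Optional[date]     # None if the account has never been used

# Constructed sample inventory (hypothetical users, not from any real directory)
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("alice", True, date(2024, 6, 10), None, None, None),              # starts in 9 days, unused
    Account("bob", True, date(2023, 1, 9), None, date(2024, 1, 15), date(2024, 5, 30)),
    Account("carol", True, date(2022, 3, 1), date(2024, 5, 20), date(2024, 4, 1), date(2024, 5, 19)),
    Account("dave", True, date(2024, 5, 27), None, None, date(2024, 5, 28)),  # new and already in use
    Account("erin", False, date(2021, 8, 2), date(2024, 4, 30), date(2024, 2, 1), date(2024, 4, 29)),
]

def lifecycle_findings(accounts: List[Account], today: date,
                       max_lead_days: int = 2,
                       review_interval_days: int = 90) -> List[Tuple[str, str]]:
    """Flag accounts that break one of the three lifecycle rules.
    max_lead_days and review_interval_days are assumed policy thresholds,
    not figures from the text."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account already satisfies the revocation rule
        # Provisioning: enabled too far ahead of the start date and never used,
        # i.e. a dormant account that could be taken over before its owner logs in.
        if (a.start_date - today) > timedelta(days=max_lead_days) and a.last_login is None:
            findings.append((a.user, "provisioned-too-early"))
        # Review: privileges must be re-checked periodically; a never-reviewed
        # account is measured from its start date instead.
        baseline = a.last_review or a.start_date
        if (today - baseline).days > review_interval_days:
            findings.append((a.user, "review-overdue"))
        # Revocation: a separated user's account must already be disabled.
        if a.end_date is not None and a.end_date <= today:
            findings.append((a.user, "not-revoked"))
    return findings
```

Running `lifecycle_findings(ACCOUNTS, TODAY)` on the sample data reports alice (provisioned too early), bob (review overdue) and carol (not revoked); dave and erin pass.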
1 General-purpose control types include all the following except
2 Violation reports and audit trails are examples ...