Domain 5 Identity and Access Management (IAM) 13%
5.1 Control physical and logical access to assets
Chapter 13
- Information
- Systems
- Devices
- Facilities
- Applications
- Services (????)
5.2 Design identification and authentication strategy (e.g., people, devices, and services)
Chapter 13
- Groups and Roles (???)
- Authentication, Authorization and Accounting (AAA) (e.g., multi-factor authentication (MFA), password-less authentication) (????)
- Session management
- Registration, proofing, and establishment of identity
- Federated Identity Management (FIM)
- Credential management systems (e.g., Password vault)
- Single sign-on (SSO)
- Just-In-Time
5.3 Federated identity with a third-party service
Chapter 13
- On-premise
- Cloud
- Hybrid
5.4 Implement and manage authorization mechanisms
Chapter 14
- Role-based access control (RBAC)
- Rule-based access control
- Mandatory access control (MAC)
- Discretionary access control (DAC)
- Attribute-based access control (ABAC)
- Risk-based access control
- Access policy enforcement (e.g., policy decision point, policy enforcement point) (????)
5.5 Manage the identity and access provisioning lifecycle
- Account access review (e.g., user, system, service) - Chapter 13
- Provisioning and deprovisioning (e.g., on/off boarding and transfers) - Chapter 13
- Role definition and transition (e.g., people assigned to new roles) - Chapter 13
- Privilege escalation (e.g., use of sudo, auditing its use) - Chapter 14
- Service accounts management - Chapter 14
5.6 Implement authentication systems
Chapter 14