Masahiro
Newcomer III

What is maintenance in the process of identity management?

According to the question c03.046 of CCSP Official Practice Tests, the process of identity management includes maintenance.

What exactly do you think is maintenance? For example, does it include changing passwords and permissions?

Haneda, Masahiro
Certification: CISSP, CCSP, CCSK, PMP, ITIL Foundation V3
Location: Japan
My LinkedIn Profile
9 Replies
JoeBuilder
Newcomer I

I think IAM maintenance would mean:

1. Removing old identities for staff who have left the company.
2. Updating permissions for staff who have changed positions.
3. Perhaps removing roles that are no longer required.

Best Regards,

Joseph Charles-Walcott

1(868) 685-7969
Masahiro
Newcomer III

Thank you, @JoeBuilder 

I should have given you the options of the question. They are as follows.


  1. Provisioning
  2. Maintenance
  3. Deprovisioning
  4. Redaction

Then I reviewed your ideas and mine. Here are my thoughts:

  • "changing permissions" and your idea #2 would be a kind of provisioning.
  • Your ideas, #1 and #3, would be deprovisioning.

So I am still wondering what exactly identity maintenance activities are.

Haneda, Masahiro
Certification: CISSP, CCSP, CCSK, PMP, ITIL Foundation V3
Location: Japan
My LinkedIn Profile
CraginS
Defender I

Very good question, @Masahiro 

As others have pointed out, maintenance would involve reconfirming currently assigned roles, removing roles no longer held by the assignee, adding new roles then approved, and adding or changing other secondary data in the database, such as answers to challenge questions used for forgotten password tasks. Depending on the ID database, it may also involve updating or confirming secondary contact information, assigned supervisor (needed to confirm current privileges and roles), etc.


Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
Masahiro
Newcomer III

Thank you, @CraginS 

I understand it as follows.

Identities start with provisioning, continue to be maintained and end with deprovisioning. It is the identity and access management lifecycle. So there are many activities in the maintenance phase.


Haneda, Masahiro
Certification: CISSP, CCSP, CCSK, PMP, ITIL Foundation V3
Location: Japan
My LinkedIn Profile
Masahiro
Newcomer III

I found the definition of maintenance in the process of identity management. ISO/IEC 24760-1:2019 defines it as follows.

10 Maintenance
An identity management system can perform maintenance on identity information it has registered by changing one or more of the attribute values in an identity. An identity management system shall specify mechanisms for maintaining the integrity and accuracy of attributes it stores. It shall maintain the identity information stored in the register as an accurate representation of the identity. An identity information authority shall provide the most accurate data available for an identity in a process that respects privacy.

You can download it from the following website for free.

https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

Haneda, Masahiro
Certification: CISSP, CCSP, CCSK, PMP, ITIL Foundation V3
Location: Japan
My LinkedIn Profile
luisantonio
Newcomer I

Hi,

Considering only Identity Management as part of the IAM, it includes provisioning (identity assertions) and password management. Password management covers generation, storage and security controls.

If we talk about permissions, that is part of RBAC, and access management. That is part of IAM, but not of the Identity Management.

I might be wrong. Please refer to the Official Study guide, section 7.4.

Hope it may help,

Luis.

AntiEvil
Newcomer II

In my opinion, maintenance in IAM consists of a life cycle approach - JML or Joiners, Movers, and Leavers. Each part of the cycle includes onboarding, role change, and separation. Each of these includes differing amounts of maintenance activities. For example, joiners would include creation of the account, provisioning initial permissions to objects, communication to the end user, etc. Movers would require modification in terms of adding or removing permissions, re-evaluation of application provisioning, etc. Leavers have maintenance of deprovisioning of all access, placing the account in a disabled state, updating reporting, etc.

Maintenance to me is a security operations function.

csjohnng
Community Champion

Agree, it is mainly the JML process: joiner, mover and leaver.

Depending on how you consider it (some consider the below as security compliance):

  • recording and confirming entitlement,
  • determining segregation of duty and
  • recertification of identity, role and access

may also be considered part of maintenance.

John
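As an added illustration (not code from this thread or from any of the posters), here is the JML maintenance pass AntiEvil describes, combined with the recertification and segregation-of-duties checks in John's post, run over a constructed identity register in Python. The department role model, the SoD rule, the HR feed and the day numbers are all assumptions made for the example.

```python
from dataclasses import dataclass, field
# Constructed role model: "birthright" roles are granted at joining; "allowed" is every role a department may hold.
ROLE_MODEL = {
    "finance": {"birthright": {"erp_user"}, "allowed": {"erp_user", "ap_create_vendor", "ap_approve_payment"}},
    "engineering": {"birthright": {"erp_user", "vcs_user"}, "allowed": {"erp_user", "vcs_user"}},
}
# Constructed segregation-of-duties rule: nobody may hold both roles at once.
SOD_CONFLICTS = [frozenset({"ap_create_vendor", "ap_approve_payment"})]
@dataclass
class Identity:
    uid: str
    department: str
    roles: set = field(default_factory=set)
    enabled: bool = True
    last_recertified: int = 0  # day number of the last manager attestation

def maintain(register, hr_feed, today, recert_days=90):
    """Reconcile the register against the HR feed (uid -> department); return (uid, finding) pairs."""
    findings = []
    for uid, ident in register.items():
        dept = hr_feed.get(uid)
        if dept is None:                                  # leaver: disable and strip all access
            ident.roles.clear()
            ident.enabled = False
            findings.append((uid, "leaver_disabled"))
            continue
        if dept != ident.department:                      # mover: drop roles the new department never allows
            stale = ident.roles - ROLE_MODEL[dept]["allowed"]
            ident.roles -= stale
            ident.department = dept
            findings.append((uid, "mover_removed:" + ",".join(sorted(stale))))
        if today - ident.last_recertified > recert_days:  # periodic recertification overdue
            findings.append((uid, "recertification_due"))
        for pair in SOD_CONFLICTS:                        # segregation-of-duties check
            if pair <= ident.roles:
                findings.append((uid, "sod_conflict:" + ",".join(sorted(pair))))
    for uid, dept in hr_feed.items():                     # joiner: create with birthright roles only
        if uid not in register:
            register[uid] = Identity(uid, dept, set(ROLE_MODEL[dept]["birthright"]), True, today)
            findings.append((uid, "joiner_provisioned"))
    return findings
def sample_run(today=120):
    register = {  # constructed sample register and HR feed exercising all four cases
        "alice": Identity("alice", "finance", {"erp_user", "ap_create_vendor", "ap_approve_payment"}, True, 10),
        "bob": Identity("bob", "finance", {"erp_user", "ap_approve_payment"}, True, 100),
        "carol": Identity("carol", "engineering", {"erp_user", "vcs_user"}, True, 100),
    }
    hr_feed = {"alice": "finance", "bob": "engineering", "dave": "engineering"}
    return register, maintain(register, hr_feed, today)
```

The findings list is what a reviewer would work through: an overdue attestation and an SoD conflict for alice, a stale finance role stripped from bob on his move, carol disabled as a leaver, and dave created with only his department's birthright roles.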
ob1knb
Viewer II

The part of *maintenance* that catches my eye and is not mentioned is that this is not a 1-time event 3 years ago, but implies an intentional routine check-up frequency or other effort to gain comfort that an automated process control design is still working effectively (i.e., does not exclude new systems, entities, directories, attributes, credentialing secret types, changed policy requirements, etc.).