Hi Craig

Thanks for your answer.
Yes, I am referring to Identity & Access Management

In CISSP, we can find the following chapter:
- Control physical and logical access to assets
- Manage identification and authentication of people, devices, and services
- Federated identity with a third-party service
- Implement and manage authorization mechanisms
- Manage the identity and access provisioning lifecycle
- Implement authentication systems

I've also found these informations:

Identity and Access Management (IAM) is the set of business processes, information and technology for managing and using digital identities. IAM includes the people, processes, and technology required to provide secure and auditable access to systems and applications. The operational improvements and benefits delivered by IAM will help advance each of these core business drivers:

- Business Improvement
- Risk Mitigation
- Core IAM service areas for CISSP: Identity Administration, Access Certification, RBAC, Access Management , Password Management , Privileged User Management , Identity and Access Management Governance
- IAM Organizational Functions
- Provisioning

Do you see other points that belong in an IAM concept?

Thanks in advance
Regards
Michel

---

@MichelC wrote:
...
Do you see other points that belong in an IAM concept?
..

---

Michael,

There are subtleties in your syntax that make me think English is not your first language. I say this because IAM is not really a concept, rather it is simply a category or grouping of related concerns in managing access control. That said, good job that you are studying and actively thinking about the field. You will find a more common acronym for the area is IDAM , IDntity and Access Management, to distinguish from other meanings of IAM. Related, in any conversation it is wise to explain every acronym in full on first use.

 

Now, are you simply looking for more sub topics to make sure you study sufficiently? or are oy interested in diving into the topic more deeply for your own career?

As for a high view of IDAM, think about how do you know who an entity (human, computer, or company) is, and how can you verify tha identity? How do you decide who cn access what information? How can you protect the access and be sure only the right entities get to teh information?

ALl tha tleads to a variety of topics, including encryption, Public Keys, multi-factor identification, access control lists, and more.

 

Keep diving in and asking more refined questions as they occur to you.

 

Craig

 

 

Hi Craig

Thanks for your answer and sorry for my poor english.

I am in the process of developing an IdAM/IAM concept for the company I work for and I thought I could find here the main sub-topics I need to address.

Regards

Michel

---

@MichelC wrote:

Hi Craig

Thanks for your answer and sorry for my poor english.

I am in the process of developing an IdAM/IAM concept for the company I work for and I thought I could find here the main sub-topics I need to address.

Regards

Michel

---

MIchael,

Please, never apologize for your use of  second language; you owe no one an apology for being more capable than they are. I, like so many Americans, get by with only English, because we can. I envy those who grew up in cultures where a learning started in the formative years and are now multi-lingual.

  As for your task at work, we now have a better idea of your challenge. Reading your original post, I thought you were studying for an exam. Now our community can suggest some questions to ask and suggest ares of concern. I'll start.

 

Suggestion: have your physical security specialists work hand in hand with your information system teams to address physical spaces needing access control in addition to information systems needing access control. Think in terms of an integrated process for identifying and verifying humans for facility access and system access. Depending on the scope, you may or may not find it reasonable cost for a single ID system technology, but in any event you will need an integrated record system for the people on the list.

Have you listed the categories of entities that need to have verified identities? Remember to include corporations and computer systems, not just humans?

Have you classified your information types and collections so you can adequately control access without over-taxing systems and people?

 

There is more to consider, but I suggest you begin your list and look for more input here.

 

Good luck!

 

Craig