Manage Access Control Playbook

Edit this page

Step 8 - Establish the Privilege Management Life Cycle


Privilege management is the process of defining and managing the permissions associated with a subject. The authorization decision relies on the presence or absence of one or more access permissions. Similar to the Data Management Life Cycle, the Privilege Management Life Cycle supports the periodic refresh of this data so that access decisions are not based on expired, incorrect information.

As you work towards automated access control for protected resources, you should incorporate the ability to dynamically determine privileges, which will allow for a more flexible and adaptive access control solution that enables the automatic provisioning of unanticipated users.

Checklist

 Define Access Permissions. Examine source systems to determine available permission attributes and selecting those that are necessary to determine access permissions.

 Provision Access. Create user access accounts and assigning access privileges associated with selected agency resources.

 Review Periodically.* Implement mandatory control mechanisms to revalidate access levels and modifying permissions at regular intervals related to the risk of the protected resource. Access privileges may require adjustment based on promotions, job changes, role changes, situational variations, etc.

 De-provision Access. Removing user access permissions to resources when access is no longer required to complete job duties or when the individual leaves the organization.

*Review Periodically: Auditing and Reporting

The FICAM Architecture does not specify particular requirements for auditing and reporting capabilities; however, many of the efforts agencies will be performing on their physical and logical access control systems present an opportunity to improve and automate their existing capabilities. For PACS, the transition to enterprise level services increases the visibility into logged access event data and increases the ability to correlate that data across individual site PACS, resulting in improved auditing and reporting capabilities. For logical access, many of the commercially available solutions that can be used to provide enterprise LACS services include native auditing and reporting tools that can be configured to meet a variety of agency requirements.