So we're moving into Section Nine, in which we're going to learn Managing the Identity and Access Provisioning Life Cycle. Now, as was mentioned earlier in this particular module, having a process of decision making that determines what a subject will be granted in the way of privileges and information access within a system, must be separate from the actual process of implementing those decisions.

So in the Access Control and Identity Management Life Cycle, we begin with management requesting or authorizing a user role-based access to the data and systems. We do the provisioning, through the determination of those and then implementing them by the two separate processes, one to decide, one to implement. Then periodically we're going to need to re-evaluate what access a given subject has, in the case of needing to change it, elevate it or diminish it. When these changes are needed, suspension might take place beforehand by a role-related new set of permissions, except if the reason is termination. That is to say, that when a person changes roles in the organization, the functional role that they have today in the system that they're using, would be suspended. Then the new role, signifying what they will require for the new function they will be fulfilling, will be created and provisioned. And then if information transfer needs to take place, it will through a controlled channel.

This kind of a policy, this kind of a practice requires thoroughly consistent enforcement to ensure that we get all of the protected value that we need from it. These all make up the Administrative Cycle and the approaches to administration generally take these three forms. We have Centralized Administration, which provide for centrally defining and implementing policy and the provisioning process, and centrally controlling the enforcement of that policy. We have De-centralized Administration. Typically deriving its authority and the requirements it must be met from a centrally defined policy, it allows it to be implemented using local provisioning, giving local resource access and enforcement, but that it is limited to the local. We also have a combination, the Hybrid Approach. Centrally defined policy with enforcement over core resources and then local resource access augmenting this and control with central oversight and support.

The Centralized Access Process means that all access requests are passed through a central office or function, which employ the central repository. In this particular model, this repository is centralized and unshared. As a design, it can enforce policy and control at the enterprise level for all enterprise-controlled resources.

Now, the considerations and advantages that go with centralized access processing, means that there is a reduction in attack surface through a more unified and consistent policy implementation. It means that we have a policy for active monitoring with more consistent and better-integrated aggregation and correlation for event analysis. We have more uniform implementation and performance of device backup for better resilience and recovery, both of which are very important considerations in any access control system. It also gives us better program level redundancy, further enhancing recoverability.

Now, the de-centralized access process is certainly a valid one for use in certain environments. As a process, all requests are processed through a central office employing a replicated repository that is shared by local nodes. As a design, it can enforce access control based on a centrally defined policy, but with limited application to the local domain only. The considerations and advantages to de-centralized access include, reduction in attack surface through a more unified and consistent policy implementation, active monitoring with more consistent and better-integrated aggregation and correlation, more uniform implementation and performance of device backup for better resilience and recoverability, and better program-level redundancy for further enhancement and recoverability. Even while it gives access to local resources provisioned at the local level.

Now, provisioning entails that determination of the organizational requirements as one step to ensure that access to the information has been reviewed and approved by management. And it applies the appropriate access rights through a second process of actual implementation. The final step in the process is typically the periodic re-evaluation and review. In this part of our process, access rights and usage must be monitored on a basis commensurate with the risk, and the reviewing of access can be in the form of automated checks, manual audits and other methods. As the final step in the process, this is establishing accountability for the subject in the system. At the point where revocation is the action to be taken following the periodic review and evaluation. The revocation takes place after the review and it's invoked when the user has aggregated unnecessary access levels or access is not commensurate with the role of the user or, of course, when the user has terminated.

So, in our Domain Five, Identity and Access Management, we've discussed how to prevent unauthorized or inappropriate access, and as you've seen, it combines logical, procedural and physical methods. We described processes and procedures for determining who or what may have altered access or system information, potentially affecting the integrity of those assets, and this, of course, reflects our discussion on the identification, authentication, authorization and accountability process. And then we discussed how to match an entity, such as a person or a computer system, with the actions that entity takes against valuable assets, highlighting the accountability of accounting, wherein we are recording the records of the access and the actions taken and auditing the action of reviewing those to establish who has done what. And that brings us to the conclusion of our discussion of Domain Five, Identity and Access Management. Please continue to join us for the next module, Domain Six. We look forward to you joining us for that. Thank you.