Using risk assessment for Identity Management
A guideline for the implementation of Identity Management
1. Introduction

Identity Management focuses on the application of security controls to the use of personal identity accounts.

The primary Identity Management controls have the objective of governing access to the applications and information within an organisational infrastructure that hold classified information and data.

Authorisation to access material that is at a 'Confidential' level should be based on the execution of appropriate security controls (e.g. two-factor authentication) that provide strong assurance of identity. Stronger classifications of information and data require additional authorisation, logging and access control measures.

Identity Management is conducted according to an appropriate risk assessment. The risk assessment process is used to determine the need for Identity Management controls that appropriately protect information, applications and infrastructure. These controls set the life-cycle security objectives for:

  1. creating and maintaining an identity (including terminating it),
  2. verifying and authenticating an identity,
  3. granting and maintaining permissions and authorities,
  4. monitoring and accountability, and
  5. auditing and appraisal of the Identity Management processes.
2. Implementation

Identity Management implementation is the construction of business control processes. Identity Management security requirements set objectives for the security controls and define the control processes. The objectives and controls are based on the outcome of a risk assessment.

The fundamentals of Identity Management define the control objectives for:

  • Identification (the process that creates an entity and verifies the credentials of the individual which together form a unique identity for authentication and authorisation purposes)
  • Authentication (the process that verifies credentials to support an interaction, transaction, message or transmission)
  • Authorisation (the process that grants permissions by verifying the authenticity of an individual’s identity and permissions to access specific categories of information or to carry out defined tasks)
  • Accountability (the process that records the linkage between an action and the identity of the individual or role who has invoked the action, thus providing an evidence trail for audit or non-repudiation purposes)
  • Audit (the process that examines data records, actions taken, changes made and identities/roles invoking actions that together provide a reconstruction of events for evidential purposes)

All the preceding control objectives serve the requirement to provide an auditable chain of evidence.

Components

An Identity Management solution has several key components:

  • Enterprise information architecture
  • Permission and policy management
  • Enterprise directory services (e.g. Active Directory)
  • User authentication
  • User provisioning and workflow (enrolment processes)

Security objectives

Identity Management security provides a secure identity infrastructure and manages identity information throughout its life cycle and across infrastructure and applications.

Identity Management security standardises and simplifies the interoperability of systems that require identity information from a multitude of systems and organisations, and manages user IDs, passwords, PINs and security tokens and their use with business applications.

Identity Management security applies to all phases of the life cycle of any identity in an organisational directory or application, from initial enrolment (or registration), through maintenance of changes during operational life, to eventual removal and destruction of identity information and associated rights, permissions and authorities. This applies to individual users and to the use of functional and service accounts.

3. Business Risk Assessment – Identity Management

This identifies the level of Identity Management protection and assurance required to protect against unauthorised access to information, applications and infrastructure, and establishes a baseline of risk management for Identity Management.

Baseline

A formal risk assessment should be conducted to establish information classification levels and Identity Management assurance level requirements.

Identity Management Risk Assessment

In addition to identifying and addressing the business, legal and technical risks, this assessment needs to determine the level of Identity Management security that is appropriate to protect business information, applications and infrastructure. The risk assessment will identify the correct security controls required to maintain confidentiality, integrity, availability and segregation of duties within individual business processes.

4. Creating and Maintaining an Identity

Identity Management should ensure that individuals seeking registration in a directory for access to applications and infrastructure provide reliable and binding evidence of identity before enrolment.

Baseline

  • Establish a baseline for creating and maintaining a Group identity.
  • Ensure that a naming convention for identities is defined for each Identity Management system.
  • Restrict access to information systems through the use of a unique username / password combination.

An independent identity verification process should be implemented for access to applications and infrastructure.  Individual identities listed in company directories should be consistently presented at all levels of identity assurance. A process should exist within systems, or applications, for generating and maintaining a consistent account naming convention.

Security Control

  • All identification and enrolment processes developed should be controlled.
  • Strong and binding linkages between the identity, the enrolment and the assertion of credentials should be demonstrable.
  • All identities should conform to a predefined naming convention.
  • A unique username / password combination should be used to access information systems.

This ensures that it can be confirmed that a series of strong, auditable and continual linkages exists between the verification of the identity of the person, the enrolment process, the entry of the person’s details into company directories and the subsequent assertion of the person’s credentials (authorisations, permissions) to company applications and infrastructure. These controls satisfy a number of compliance requirements.

Independent identity verification is defined by the joining and leaving processes. For independent third parties (e.g. Joint Ventures, Outsourced service providers), it is defined by the business contract/relationship.

Account naming definitions are required to exist to ensure that consistency between each identity is maintained. This definition should be applicable to all accounts. 

5. Identity Assurance Levels

Identity Assurance Levels set standard levels of assurance for identity and enable individuals to assert electronic identities consistently.

Baseline

Based on the risk assessment, the minimum level of identity assurance should be defined and documented for each application and for each infrastructure component.

Security Control

The assurance levels described below have been derived from NIST recommendations.

The recommended identity assurance levels are:

Level 0, None/Anonymous Level Identity Assurance. Provides minimal assurance of asserted electronic identity. Suitable only for transactions where an error may lead to minimal inconvenience, no financial loss, no distress or damage to reputation, no risk of civil or criminal proceedings, no release of sensitive data to unauthorised parties, no risk to personal safety.

Level 1, Low Level Identity Assurance. Provides, on the balance of probabilities, some confidence in the asserted electronic identity. Suitable only for transactions where an error in authentication of identity might lead to minor inconvenience or financial loss, minor distress or damage to reputation, minor risk of release of personal or commercially sensitive data to unauthorised parties, no risk to personal safety.

Level 2, Substantial Level Identity Assurance. Provides high confidence in the asserted electronic identity. Suitable for transactions where an error in authentication of identity might cause significant inconvenience, significant financial loss or damage to reputation, significant harm to public interest, risk of civil or criminal violations and be subject to enforcement (including compliance to regulatory, privacy and data protection requirements), significant release of commercially sensitive or personally sensitive material, no risk to personal safety.

Level 3, High Level Identity Assurance. Provides very high confidence in the asserted electronic identity. Suitable for transactions where an error in authentication of identity might result in considerable inconvenience or financial loss, considerable damage to reputation, considerable distress or harm to public interest, material risk of civil or criminal violations, damaging release of commercially or personally sensitive material, risk to personal safety.

Identity assertions should be consistent and maintained. This includes instances where identities are used between multiple applications in an integrated environment such as across a chain of linked applications. These identity assertions should be subject to an audit trail.

6. Verifying and Authenticating an Identity

Verifying and Authenticating an Identity enables an individual and application to verify and authenticate a claimed identity.

Baseline

A verification and authentication method for an identity should be selected based on the outcome of the risk assessment process.

Security Control

Authentication is a process to verify claimed identity.  This is also defined as a security control that establishes the validity of an originator’s credentials, message or transmission. The verification and authentication method chosen for an identity should be selected for each class of service (application, infrastructure, etc.) and should be based on the outcome of the risk assessment process.

Authentication is generally performed by an individual claiming a USER NAME and corroborating the claim with some form of credentials or evidence that can be verified by the authenticator. This usually takes one of the following forms:

Something the user of a USER NAME is, a biometric characteristic that can be verified by comparing the characteristic with one created during the identity enrolment process

Something the user of a USER NAME has in their possession, usually a token issued during enrolment

Something the user of a USER NAME knows, a shared secret between the claimant and the verifying authority such as a password

The strength of the authentication method is related to the business requirement that is identified in the Identity Management risk assessment. 

7. Granting and Maintaining Permissions and Authorities

This ensures that individuals accessing infrastructure and business applications have been appropriately identified, authenticated and authorised before access permissions are granted or changed, and guarantees that the method and strength of authorisation is appropriate for the assurance levels identified in the Identity Management risk assessment.

Baseline

The baseline authentication and authorisation controls should be defined and documented by the risk assessment process. Emergency access to information systems should be authorised by management and supported by the logging of all activities performed using the 'emergency access accounts'.

Security Control

The controls for the authorisation process should identify:

  1. Business activity requirements and associated necessary permissions and authorities
  2. Scope of permissions granted
  3. Scope of authority
  4. Limitations

These controls are derived from the risk assessment to ensure that granting of authorisation to use company information, data and applications is properly controlled and that individual users are accountable.

Businesses should document procedures used for User Access Management. These procedures should include the following:

  • The identification of authorised signatories indicating business need, for example business process owners and line managers.
  • Ongoing monitoring to ensure that user access remains appropriate.
  • Consideration of the full range of scenarios (starters, leavers, movers, long-term illness, maternity/paternity leave, temporary / contract staff, third parties etc.).

The procedure should be defined at a lower level for the modification of users' access privileges to specific information systems in the event of a change in role or responsibilities, or on leaving the organisation.

Where technology allows, access to IT infrastructure components and applications should be based on role-based definitions.

8. Suspension and Reinstatement of Registered Accounts

This ensures that an individual account used to access Group infrastructure and applications that needs to be suspended or reinstated is subject to the necessary business controls.

Baseline

An account suspension process including a documented authorisation of request, accountability, audit logging and reporting should be implemented.

An account reinstatement process including a documented authorisation of request, accountability, audit logging and reporting should be implemented.

Security Control

The controls developed to manage and operate account suspension and reinstatement should include actions that notify and seek authorisation and approval from business application owners and/or line managers.

Suspending and reinstating registered accounts are mandatory processes for infrastructure and business applications that control access to application systems, networks and services. They are part of the Identity Management life cycle. These actions may be required for operational, business or technical reasons (e.g. to temporarily remove access to an application system for maintenance purposes, to manage organisational and role changes, etc.). 

9. De-Registration and Deletion of Accounts

This ensures that there is a business control to de-register or delete an individual account that is used to access infrastructure and business applications.

Baseline

A de-registration and deletion process including a documented authorisation of request, accountability, audit logging and reporting should be implemented.

Security Control

A documented and managed de-registration and deletion of account process is required for all infrastructure and business applications. This is necessary to ensure that Identity Management controls are properly executed and that registration information is correctly removed from every system at the end of its life cycle. Redundant accounts and the associated permissions information should be deleted regularly. This will ensure that the risks of unauthorised access to infrastructure and business applications are minimised.
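The processes in Sections 4, 7, 8 and 9 can be expressed as a small state machine in which no transition happens without a documented authorisation and every attempt, granted or denied, lands in the audit trail that Section 10 calls the chain of evidence. The following Python is an added example, not code from the guideline or from any product: the naming convention, the Authorisation and AuditRecord fields, and the account and approver names are assumptions made for the example.

```python
"""Account lifecycle with a documented authorisation on every transition (added example, not
from the guideline; the naming convention, record fields and the names used are assumptions)."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re

ACTIVE, SUSPENDED, DEREGISTERED = "active", "suspended", "deregistered"
# Constructed naming convention: lower-case "given.family" with up to two trailing digits.
NAMING_CONVENTION = re.compile(r"^[a-z]{2,12}\.[a-z]{2,12}\d{0,2}$")
# Documented authorisation of a request; the approver is a business application owner or line manager.
Authorisation = namedtuple("Authorisation", "request_id approver reason")
# One audit record: 'authorisation' is the request id (or "-"), 'outcome' is "ok" or "denied: <reason>".
AuditRecord = namedtuple("AuditRecord", "when actor account action authorisation outcome")

class LifecycleError(Exception):
    """A lifecycle action was attempted without the required control being met."""

@dataclass
class Account:
    username: str
    state: str = ACTIVE
    permissions: set = field(default_factory=set)

class IdentityRegistry:
    """Accounts plus the audit trail linking every action to the identity that invoked it."""

    def __init__(self):
        self.accounts = {}    # username -> Account; the entry is kept after de-registration
        self.audit = []       # AuditRecord list, oldest first

    def _record(self, actor, username, action, auth, outcome):
        ref = auth.request_id if auth else "-"
        self.audit.append(AuditRecord(datetime.now(timezone.utc), actor, username, action, ref, outcome))

    def _deny(self, actor, username, action, auth, reason):
        self._record(actor, username, action, auth, f"denied: {reason}")
        raise LifecycleError(reason)

    def _transition(self, actor, username, action, auth, allowed_from, new_state):
        """Shared control: documented authorisation, known account, permitted source state."""
        account = self.accounts.get(username)
        if auth is None:
            self._deny(actor, username, action, auth, "no documented authorisation")
        if account is None:
            self._deny(actor, username, action, auth, "unknown account")
        if account.state not in allowed_from:
            self._deny(actor, username, action, auth, f"not permitted from state {account.state}")
        account.state = new_state
        self._record(actor, username, action, auth, "ok")
        return account

    def enrol(self, actor, username, evidence_verified, auth):
        """Section 4: binding identity evidence, the naming convention and a unique name."""
        if auth is None:
            self._deny(actor, username, "enrol", auth, "no documented authorisation")
        if not evidence_verified:
            self._deny(actor, username, "enrol", auth, "identity evidence not verified")
        if not NAMING_CONVENTION.match(username):
            self._deny(actor, username, "enrol", auth, "username violates naming convention")
        if username in self.accounts:
            self._deny(actor, username, "enrol", auth, "username already issued")
        self.accounts[username] = Account(username)
        self._record(actor, username, "enrol", auth, "ok")
        return self.accounts[username]

    def grant(self, actor, username, permission, auth):
        """Section 7: permissions are only granted to active accounts."""
        account = self._transition(actor, username, f"grant:{permission}", auth, {ACTIVE}, ACTIVE)
        account.permissions.add(permission)
        return account

    def suspend(self, actor, username, auth):      # Section 8
        return self._transition(actor, username, "suspend", auth, {ACTIVE}, SUSPENDED)

    def reinstate(self, actor, username, auth):    # Section 8
        return self._transition(actor, username, "reinstate", auth, {SUSPENDED}, ACTIVE)

    def deregister(self, actor, username, auth):
        """Section 9: permissions are removed; the record is kept so the name is never re-issued."""
        account = self._transition(actor, username, "deregister", auth, {ACTIVE, SUSPENDED}, DEREGISTERED)
        account.permissions.clear()
        return account

    def evidence_chain(self, username):
        """Section 10: every recorded action, granted or denied, for one account."""
        return [r for r in self.audit if r.account == username]

def try_action(fn, *args):
    """Run one lifecycle action and return "ok" or the reason it was denied."""
    try:
        fn(*args)
        return "ok"
    except LifecycleError as exc:
        return str(exc)
```

A suspended account cannot receive new permissions, a de-registered account loses its permissions but keeps its audit history, and an attempt made without an authorisation is itself recorded as a denied action; that last point is what makes the periodic review in Section 10 able to see not just what was done but what was refused.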

10. Monitoring and Accountability

This ensures that an individual accessing infrastructure or business applications is appropriately identified and makes certain that any actions taken by the identified individual are monitored, recorded and stored in line with the requirements identified in the Identity Management risk assessment.

Baseline

Log and store records of access to Group infrastructure and business applications by identified individuals where indicated by risk assessment.

Log and store actions of identified individuals within Group infrastructure and business applications where indicated by risk assessment.

Monitoring for compliance against legal/regulatory/policy requirements is required.

Report non-compliance events to business line management.

Provide logging information as required by due legal process.

Security Control

A chain of evidence linking the user to the activities the user performs should be created and maintained. The extent to which this needs to be carried out will be identified in the Identity Management risk assessment.

User accounts should be reviewed quarterly by the process owners or relevant business managers and documented. Exceptions identified during the review should be formally tracked and resolved in a timely manner using Problem Management processes.

After a user has been identified, authenticated and authorised, it is essential to establish consistent levels of accountability. The level of accountability provides the evidential chain between individuals and what they have access to and can act upon. At the lowest level of identity assurance, there is no accountability required to access and view information. At a higher level, there is a business need to control not only what is viewed but also what is modified or presented with a business commitment. Adherence to business policy and legal requirements is paramount and is demonstrated by the chain of evidence available. In addition, accountability will monitor and provide evidence of unauthorised or inappropriate use of services or resources. This provides a record for both the individual and the business in the event of an incident.
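To show the Section 10 baseline (log access and actions, monitor for compliance, report non-compliance events to line management) together with the emergency-access rule in the Section 7 baseline, here is an added Python example that is not part of the guideline. It runs three checks over a constructed access log and returns the findings a quarterly review would report. The log format, the "emerg." account prefix, the account list, the review dates and the 92-day quarter are all assumptions constructed for the example.

```python
"""Monitoring checks over an access log (added example, not from the guideline).
The log format, account names, review dates and the "emerg." prefix are constructed assumptions."""
from datetime import date, datetime, timezone

# Constructed sample: "<ISO-8601 time> <account> <action> <resource> <authorisation ref or ->".
SAMPLE_LOG = """\
2024-03-01T08:02:11Z jane.doe    login  finance-app        -
2024-03-01T08:05:40Z jane.doe    read   finance-app/ledger -
2024-03-02T22:14:03Z emerg.ops01 login  core-db            -
2024-03-02T22:15:30Z emerg.ops01 modify core-db/config     -
2024-03-03T09:00:00Z emerg.ops02 login  core-db            CHG-0042
2024-03-04T10:30:00Z bob.old     read   hr-app/records     -
"""
ACTIVE_ACCOUNTS = {"jane.doe", "emerg.ops01", "emerg.ops02", "sam.lee"}  # directory extract (constructed)
LAST_REVIEW = {"jane.doe": "2024-01-15", "emerg.ops01": "2023-10-01", "emerg.ops02": "2024-02-20"}
EMERGENCY_PREFIX = "emerg."   # assumed naming convention for 'emergency access accounts'
QUARTER_DAYS = 92             # Section 10: user accounts are reviewed quarterly

def parse_log(text):
    """Turn the log lines into event dicts; a missing authorisation reference ("-") becomes None."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, resource, auth_ref = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                       "account": account, "action": action, "resource": resource,
                       "auth_ref": None if auth_ref == "-" else auth_ref})
    return events

def unauthorised_emergency_use(events):
    """Section 7 baseline: emergency access must be authorised by management and logged,
    so every action by an emergency account has to carry an authorisation reference."""
    counts = {}
    for e in events:
        if e["account"].startswith(EMERGENCY_PREFIX) and e["auth_ref"] is None:
            counts[e["account"]] = counts.get(e["account"], 0) + 1
    return [("emergency-unauthorised", acct, f"{n} action(s) without authorisation reference")
            for acct, n in sorted(counts.items())]

def inactive_account_activity(events, active):
    """Section 9: a de-registered or unknown account must not be able to act at all."""
    seen = {}
    for e in events:
        if e["account"] not in active:
            seen.setdefault(e["account"], []).append(e["action"])
    return [("inactive-account-activity", acct, f"{len(actions)} event(s): {', '.join(actions)}")
            for acct, actions in sorted(seen.items())]

def overdue_reviews(active, last_review, as_of_iso, max_days=QUARTER_DAYS):
    """Section 10: every active account needs a documented review within the last quarter."""
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for acct in sorted(active):
        reviewed = last_review.get(acct)
        age = None if reviewed is None else (as_of - date.fromisoformat(reviewed)).days
        if age is None:
            findings.append(("review-overdue", acct, "no review on record"))
        elif age > max_days:
            findings.append(("review-overdue", acct, f"last reviewed {age} days ago"))
    return findings

def compliance_report(log_text, active, last_review, as_of_iso):
    """Non-compliance events to report to business line management (Section 10 baseline)."""
    events = parse_log(log_text)
    return (unauthorised_emergency_use(events)
            + inactive_account_activity(events, active)
            + overdue_reviews(active, last_review, as_of_iso))

if __name__ == "__main__":
    for rule, account, detail in compliance_report(SAMPLE_LOG, ACTIVE_ACCOUNTS, LAST_REVIEW, "2024-03-05"):
        print(f"{rule:28} {account:12} {detail}")
```

Each finding names the rule and the account so that it can be tracked to resolution as Section 10 requires; on the sample data the report flags the emergency account used twice without an authorisation reference, the de-registered account that still produced an event, and the two active accounts whose quarterly review is missing or overdue.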

11. Auditing and Appraisal

This ensures compliance with established company policy, company procedures and applicable legislation.

Baseline

A business audit to establish compliance with company policy, company procedures and applicable legislation should be conducted as part of the defined programme of audit activities.

A compliance audit to make an appraisal of Identity Management performance should be conducted as part of the defined programme of audit activities.

Security Control

An audit is an independent review and examination of system records and operations in order to test the adequacy of system controls. Additionally, it ensures compliance with established policy and operational procedures, detects breaches in security and recommends any indicated changes in control, policy and procedures. Auditing provides assurance to business managers and the board of directors that controls are effective and operating as planned.

Contributing Authors
Jeremy