You are a member of the steering committee for the program of the business continuity management system and are sitting in a meeting whose agenda is the business impact analysis to determine the Maximum Tolerable Periods of Downtime (MTPDs) and recovery time objectives (RTOs). All of the following should have been done prior to the meeting except what?
A. Plan for actions to address risks to the effectiveness of the management system
B. Establish the business continuity policy
C. Conduct risk assessment in terms of business activities
D. Understand the organization’s context and interested parties
5.7 Manage the identity and access provisioning lifecycle (e.g., provisioning, review)
7.4 Secure the provisioning of resources
I roughly define “provisioning” in the context of identity and access management as “the process of creating user accounts and granting privileges across systems in a streamlined or automatic way.”
Imagine that you’re preparing a user account for a new employee. How do you deal with the following situation:
HR system: a detailed employee record
PACS (physical access control system)
VDI (Virtual Desktop Infrastructure)
You may have to create several user accounts and credentials (keycards, fobs, smartphone, biometric) and grant privileges across the systems mentioned above. Doing this manually takes a lot of time, and it is error-prone.
The employee may later be promoted, rotated, fired, or resign, and the privileges granted have to be updated each time.
That is where provisioning comes in handy. It deals with the cumbersome process of creating and changing accounts and privileges through automation.
Provisioning helps streamline identity and access management processes across the account life cycle.
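As an added example that is not part of the original text, the following script shows the core of such automation: it derives the entitlements an employee should hold in the PACS and VDI from the HR record alone, and diffs that desired state against what the employee currently holds, so a new hire, a role change and a departure all become the same grant/revoke computation. The role model, system names and HR records are constructed for illustration.

```python
# Added example (not from the page): a minimal joiner/mover/leaver
# reconciler that derives each system's entitlements from the HR record.

# Constructed role model: what each job role needs in PACS and VDI.
# "account" stands for the login/keycard itself; the rest are privileges.
ROLE_ENTITLEMENTS = {
    "engineer": {"pacs": {"door:office", "door:lab"},
                 "vdi": {"pool:dev", "group:git-users"}},
    "manager":  {"pacs": {"door:office"},
                 "vdi": {"pool:office", "group:approvers"}},
}
SYSTEMS = ("pacs", "vdi")

def desired_state(employee):
    """Entitlements the employee should hold, derived solely from HR data.
    A non-active record (terminated, resigned) maps to nothing at all."""
    if employee["status"] != "active":
        return {s: set() for s in SYSTEMS}
    role = ROLE_ENTITLEMENTS[employee["role"]]
    return {s: {"account"} | role.get(s, set()) for s in SYSTEMS}

def reconcile(employee, current):
    """Diff what the employee currently holds against the desired state and
    return the ordered (action, system, entitlement) steps to close the gap.
    The same diff doubles as an entitlement review: any 'revoke' on an
    active employee is privilege left over from a previous role."""
    desired = desired_state(employee)
    actions = []
    for system in SYSTEMS:
        want, have = desired[system], current.get(system, set())
        actions += [("grant", system, e) for e in sorted(want - have)]
        actions += [("revoke", system, e) for e in sorted(have - want)]
    return actions

def apply_actions(current, actions):
    """Apply the plan to a copy of `current`, returning the new state."""
    state = {s: set(current.get(s, set())) for s in SYSTEMS}
    for action, system, ent in actions:
        (state[system].add if action == "grant" else state[system].discard)(ent)
    return state

if __name__ == "__main__":
    # Constructed HR records for one employee across the lifecycle.
    hired    = {"id": "e1001", "role": "engineer", "status": "active"}
    promoted = {"id": "e1001", "role": "manager",  "status": "active"}
    left     = {"id": "e1001", "role": "manager",  "status": "terminated"}
    state = {}
    for record in (hired, promoted, left):
        plan = reconcile(record, state)
        print(record["status"], record["role"], plan)
        state = apply_actions(state, plan)
```

Running the reconciler periodically against the live systems, rather than only on HR events, is what turns it into the user entitlement review that catches privilege left behind by a rotation.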
In telecommunication, provisioning involves the process of preparing and equipping a network to allow it to provide new services to its users. In National Security/Emergency Preparedness telecommunications services, “provisioning” equates to “initiation” and includes altering the state of an existing priority service or capability.
Your company decides to start the business of selling toys online and shipping globally. An in-house team is in charge of developing an E-Commerce system that supports the new business. The project team has finished the business and privacy impact analysis. Which of the following security activities should be conducted next?
A. Assess system security
B. Create a detailed plan for certification and accreditation (C&A)
C. Assess risk to the system
D. Review operational readiness
Your company decides to start the business of selling toys online and shipping globally. An in-house team is in charge of developing an E-Commerce system that supports the new business. You suspect a former developer deleted some crucial files before leaving the company. Which of the following least helps to attribute the malicious behavior to him?
A. Implement a reliable authentication mechanism
B. Grant permissions and rights based on duties
C. Maintain a non-repudiable log
D. Correlate and review the logs in terms of a specific subject or theme
Mandatory vacation and job rotation are implemented in your company to detect and prevent corruption. As a security professional, which of the following will you suggest with priority?
A. Conduct user entitlement review periodically
B. Isolate employees from enterprise networks while an audit is under way during their mandatory vacation
C. Provide training and certification courses upon rotation to ensure the new job can be done effectively
D. Require immediate password change when an employee rotates to a new position
The incident response (IR) team in your company submitted an urgent human resources request for a security analyst. The job description of a security analyst requires at least five years of work experience and the CISSP certificate. Nawwar is an experienced network engineer with ten years of experience and the CISSP certificate. The head of the IR team proposed to hire Nawwar as soon as possible. As a security professional, which of the following suggestions will you make to the Human Resources department first?
A. Make a contingent offer of employment
B. Ask for drug testing
C. Hire a professional organization to do a criminal background check
D. Conduct a reference check