Step 8 - Establish the Privilege Management Life Cycle
Privilege management is the process of defining and managing the permissions associated with a subject. The Privilege Management Life Cycle supports the periodic refresh of this data so that access decisions are not based on expired, incorrect information. As you work towards automated access control for protected resources, you should incorporate the ability to dynamically determine privileges, which will allow for a more flexible and adaptive access control solution that enables the automatic provisioning of unanticipated users.
Checklist
Define Access Permissions. Examine source systems to determine and select available permission attributes that are necessary to determine access permissions.
Provision Access. Create user access accounts and assign access privileges associated with selected agency resources.
Review Periodically.* Implement mandatory control mechanisms to revalidate access levels and modify permissions at regular intervals related to the risk of the protected resource. Access privileges may require adjustment based on promotions, job changes, role changes, situational variations, etc.
De-provision Access. Remove user access permissions to resources when access is no longer required to complete job duties or when the individual leaves the organization.
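The four checklist steps form one loop, and the review step is the one most often skipped in practice. The example below is added here and is not part of the FICAM playbook or any agency system; it is a small in-memory model of the life cycle with an audit trail, so that "review at intervals related to the risk of the protected resource" and "adjust on job or role change" become concrete, testable rules. The risk tiers, the 90/180/365-day intervals, the user and resource names, and the PrivilegeRegistry class are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Recertification interval by resource risk tier. These numbers are assumed
# for the example; the playbook only says the interval should track the
# risk of the protected resource.
REVIEW_INTERVAL_DAYS = {"high": 90, "moderate": 180, "low": 365}


@dataclass
class Entitlement:
    user: str
    resource: str
    risk: str                  # "high" | "moderate" | "low"
    role: str
    last_reviewed: date
    active: bool = True
    needs_review: bool = False  # forced by a promotion, job or role change


@dataclass(frozen=True)
class AuditEvent:
    when: date
    action: str
    user: str
    resource: str
    detail: str


class PrivilegeRegistry:
    """Hypothetical in-memory registry covering provision, review, de-provision and audit."""

    def __init__(self) -> None:
        self.entitlements: list[Entitlement] = []
        self.audit_log: list[AuditEvent] = []

    def _log(self, when, action, user, resource, detail=""):
        self.audit_log.append(AuditEvent(when, action, user, resource, detail))

    # Provision Access
    def provision(self, user, resource, risk, role, when):
        if risk not in REVIEW_INTERVAL_DAYS:
            raise ValueError(f"unknown risk tier: {risk}")
        ent = Entitlement(user, resource, risk, role, last_reviewed=when)
        self.entitlements.append(ent)
        self._log(when, "provision", user, resource, role)
        return ent

    # Review Periodically: overdue by the risk-based interval, or flagged by a role change
    def due_for_review(self, today):
        due = []
        for e in self.entitlements:
            if not e.active:
                continue
            deadline = e.last_reviewed + timedelta(days=REVIEW_INTERVAL_DAYS[e.risk])
            if e.needs_review or today >= deadline:
                due.append(e)
        return due

    def recertify(self, ent, approver, when):
        ent.last_reviewed = when
        ent.needs_review = False
        self._log(when, "recertify", ent.user, ent.resource, f"approved by {approver}")

    def role_change(self, user, new_role, when):
        # A role change does not wait for the next scheduled review.
        for e in self.entitlements:
            if e.active and e.user == user:
                e.needs_review = True
                self._log(when, "role_change", user, e.resource, f"{e.role} -> {new_role}")

    # De-provision Access: one resource, or everything the user holds
    def deprovision(self, user, when, reason, resource=None):
        removed = 0
        for e in self.entitlements:
            if e.active and e.user == user and (resource is None or e.resource == resource):
                e.active = False
                removed += 1
                self._log(when, "deprovision", user, e.resource, reason)
        return removed

    def active_for(self, user):
        return [e for e in self.entitlements if e.active and e.user == user]


def demo():
    """Walk constructed sample users through the life cycle and report the results."""
    reg = PrivilegeRegistry()
    d0 = date(2024, 1, 1)
    reg.provision("alice", "payroll-db", "high", "analyst", d0)
    reg.provision("alice", "wiki", "low", "reader", d0)
    reg.provision("bob", "payroll-db", "high", "admin", d0)

    reg.role_change("bob", "contractor", d0 + timedelta(days=10))
    due_day50 = sorted((e.user, e.resource) for e in reg.due_for_review(d0 + timedelta(days=50)))
    reg.recertify(reg.active_for("bob")[0], approver="carol", when=d0 + timedelta(days=60))
    due_day100 = sorted((e.user, e.resource) for e in reg.due_for_review(d0 + timedelta(days=100)))
    removed = reg.deprovision("alice", d0 + timedelta(days=120), reason="separation")
    return {
        "due_day50": due_day50,       # bob only: flagged by the role change
        "due_day100": due_day100,     # alice/payroll-db: 90-day high-risk interval lapsed
        "removed": removed,
        "alice_active": len(reg.active_for("alice")),
        "audit_actions": [ev.action for ev in reg.audit_log],
    }
```

The point of `needs_review` is that a job change triggers recertification immediately rather than at the next calendar interval, and the audit log records every transition so that a later report can show who held what, who approved it, and when it was removed.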
*Review Periodically: Auditing and Reporting
The FICAM Architecture does not specify particular requirements for auditing and reporting capabilities; however, many of the efforts you will be performing on your agency's physical and logical access control systems present an opportunity to improve and automate your existing capabilities. For PACS, the transition to enterprise-level services increases visibility into logged access event data and makes it easier to correlate that data across individual site PACS, resulting in improved auditing and reporting capabilities. For logical access, many of the commercially available solutions that can be used to provide enterprise LACS services include native auditing and reporting tools that can be configured to meet a variety of agency requirements.