Understand account and privilege management

- [Instructor] One of the fundamental responsibilities of information security professionals is performing account management tasks. This includes designing strong processes that implement the principles of least privilege and separation of duties, implementing job rotation schemes, and managing the account life cycle. The principle of least privilege states that an individual should only have the minimum set of privileges necessary to complete their assigned job duties. The separation of duties principle states that performing sensitive actions should require the collaboration of two individuals.

Account managers issuing permissions should ensure that the permissions they grant users are consistent with these principles. For more information on these two principles, see the Authorization video of this course. Many organizations also implement job rotation schemes designed to move people around from job to job on a periodic basis. This has obvious personnel benefits by providing teams with a diverse set of experiences and allowing them to experience many different aspects of the organization's operations.

It also has the security benefit of reducing the likelihood of fraud. If you know that someone else will be looking at your work during a job rotation, you are less likely to conduct illegitimate activity that might be detected during that rotation. Mandatory vacation policies attempt to achieve the same goal by requiring that staff in key positions take a minimum number of consecutive vacation days each year, and not have access to corporate systems during that time period. This enforced absence provides an opportunity for fraudulent activity to come to light when the employee does not have the access necessary to cover it up.

Security professionals are also responsible for managing the account and credential life cycle. They administer the process of granting new users access to systems, modifying roles when a user changes jobs, or a user's job requires new access, reviewing access on a regular basis, and modifying discrepancies found, and eventually removing the access of terminated users, completing the life cycle. The management of user accounts is a key responsibility for information security professionals.