CISSP Domain 5 Refresh: Identity and Access Management

The Certified Information Systems Security Professional (CISSP) certification is widely regarded as the ideal certification for infosec professionals. As the survey in the screenshot below shows, the CISSP is a core requirement for many mid- and senior-level cybersecurity positions. Earning this gold-standard certification requires demonstrating sufficient work experience and passing an exam covering the eight domains of information security.

This article covers the fifth of those eight domains, Identity and Access Management. A total of 13% of the questions in the CISSP exam come from this domain.

Identity and access management is the practice of ensuring that computer systems have a clear picture of the identity of each individual or resource authorized to access the system, and that the system can control access in a way that prevents unauthorized individuals from accessing resources while permitting authorized individuals to perform legitimate actions.

The access control process consists of three steps:

  • Identification
  • Authentication
  • Authorization

Identification

Physical World: Physical access control deals with issues of identity and restricts admission to certain individuals. This covers cases where an individual makes a claim about his or her identity but doesn’t present any proof. Imagine a situation where you want to enter a secure office building where you have an appointment, but during the identification step of the process you just walk up to the security desk and say “Hi, I’m Sam.”

Computer World: When we log in to a system we identify ourselves using a username, most likely composed of some combination of the letters of our name.

Authentication

Physical World: During the authentication step, proof comes into play as the individual proves his or her identity to the satisfaction of the access-control system. Consider the same case when entering the secure building: the guard would likely (Read more...)
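The three steps above (claim an identity, prove it, then check what that identity may do) as a small Python model. This is an added example, not code from the original post; the user directory, usernames, passwords and the action-to-role policy are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
# Dummy verifier so an unknown username costs the same work as a real one
# (keeps authentication timing from revealing which usernames exist).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, ITERATIONS)

# Constructed policy: which roles may perform which action (authorization step).
POLICY = {"read_report": {"analyst", "manager"}, "approve_budget": {"manager"}}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(directory: dict, username: str, password: str, roles: set) -> None:
    """Create an account: store a salted PBKDF2 hash and roles, never the password."""
    salt = os.urandom(16)
    directory[username] = {"salt": salt, "hash": _derive(password, salt), "roles": set(roles)}


def identify(directory: dict, claimed: str) -> bool:
    """Step 1, identification: the subject only claims an identity ("Hi, I'm Sam")."""
    return claimed in directory


def authenticate(directory: dict, claimed: str, password: str) -> bool:
    """Step 2, authentication: the claim is proven against the stored verifier."""
    record = directory.get(claimed)
    salt, expected = (record["salt"], record["hash"]) if record else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = _derive(password, salt)  # same work whether or not the user exists
    return record is not None and hmac.compare_digest(candidate, expected)


def authorize(directory: dict, username: str, action: str) -> bool:
    """Step 3, authorization: an authenticated identity is checked against POLICY."""
    return bool(directory[username]["roles"] & POLICY.get(action, set()))


def access_request(directory: dict, claimed: str, password: str, action: str) -> str:
    """Run the steps in order; identification failure is reported like a bad password."""
    if not authenticate(directory, claimed, password):
        return "denied: authentication failed"
    if not authorize(directory, claimed, action):
        return "denied: not authorized"
    return "granted"


def build_sample_directory() -> dict:
    """Constructed demo accounts (passwords are placeholders for the example only)."""
    directory = {}
    enroll(directory, "sam", "sam-demo-pass", {"analyst"})
    enroll(directory, "maria", "maria-demo-pass", {"manager"})
    return directory
```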

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Sumit Bhattacharya. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/2TUvJxUo3I4/