Domain 5 of 8 · Chapter 5 of 6

Identity Provisioning Lifecycle

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The lifecycle: provision, adjust, deprovision
  • Operating the lifecycle: reviews, privilege, and service accounts
  • Exam-pattern recognition

Joiner-Mover-Leaver: trigger, action, and primary risk

AspectJoiner (provision)Mover (transfer)Leaver (deprovision)
TriggerNew hire / new account needRole, team, or location changeTermination or resignation
Core actionGrant least-privilege access for the roleRe-baseline: remove old, add only new-role accessDisable then remove all access; revoke credentials
Primary risk if mishandledOver-provisioning beyond least privilegePrivilege creep from accumulated old grantsOrphaned active credential / insider misuse
Governing controlAC-2 account management; AC-6 least privilegePS-5 personnel transferPS-4 personnel termination
Timing pressureBefore first day (avoid idle over-grant)At the moment of transferImmediately -- highest urgency, esp. for cause

Cheat sheet

  • Match an account's privileges to its holder's current role across the whole joiner-mover-leaver lifecycle
  • Provision joiners at least privilege, not pre-loaded with access they might need later
  • On transfer, re-baseline access to the new role instead of adding to the old set
  • Deprovision on termination immediately: the leaver step is the most time-sensitive in the lifecycle
  • Disable access first, then delete the account on a later schedule
  • A periodic access review recertifies that every account still needs every privilege it holds
  • The resource or data owner recertifies access, not IT operations or security
  • Privilege creep is fixed by the mover control and access reviews, not by stronger authentication
  • Control privileged access with PAM: just-in-time elevation, vaulted credentials, recorded sessions
  • Auditing sudo turns shared root power into individual accountability
  • A break-glass account is for genuine emergencies only, and every use must alert and be reviewed
  • Service accounts need a named human owner, least privilege, and the same periodic review as users
  • Prefer eliminating a service account's static secret over storing one; if unavoidable, vault and rotate it
  • Personnel security decides whether to trust a person; the provisioning lifecycle is the machinery that grants the access
  • Role definition belongs to the business; review roles so the role itself doesn't become over-broad
  • SCIM provisions and deprovisions; SAML JIT can only create/update, never deactivate
  • Birthright access is auto-granted by role; HR-driven joiners are pre-staged disabled until start date
  • Scale JIT provisioning by mapping policies from CMDB asset metadata, not manual entry
  • Access reviews must be owner-driven, risk-prioritized, and guard against rubber-stamping

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-53 Rev. 5: Security and Privacy Controls (AC-2 Account Management, AC-5 Separation of Duties, AC-6 Least Privilege, PS-4 Personnel Termination, PS-5 Personnel Transfer) Whitepaper
  2. NIST Glossary: Least Privilege (AC-6) Whitepaper
  3. NIST Glossary: Separation of Duty (AC-5) Whitepaper