Episode 30 — A.5.15–5.16 — Access control; Identity management

A.5.15 requires that access to information and other associated assets be limited to authorized users, processes, or devices, in accordance with business and security requirements. For the exam, focus on the principle of least privilege, segregation of duties, and policy-driven access criteria mapped to classification and risk. A.5.16 complements this with identity management, encompassing the full lifecycle of identities—human, service, and machine—including provisioning, authentication, authorization, and deprovisioning. Together, these controls establish a coherent access model where entitlements are explicit, reviewed, and monitored, and where authentication strength aligns to sensitivity and threat.

In practice, modern programs anchor on centralized identity providers, strong authentication (MFA by default), role- and attribute-based access models, and periodic access recertifications tied to HR events and SoD conflicts. Just-in-time elevation, privileged access workstations, and session recording protect high-risk operations. Automation reconciles joiner-mover-leaver workflows across SaaS and cloud, while continuous monitoring detects anomalous access patterns. Common gaps include orphaned accounts, static standing privileges, and unmanaged service identities. Effective teams measure MFA coverage, time-to-revoke on termination, percentage of least-privilege roles versus bespoke grants, and age of unused credentials. Candidates should connect controls to evidence like access policies, IdP logs, PAM audit trails, and review attestations, and be able to explain how identity-centric security supports zero trust, reduces breach blast radius, and simplifies audits by replacing ad hoc exceptions with consistent, testable rules. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.