Episode 31 — A.5.17–5.18 — Authentication information; Access rights

A.5.17 requires organizations to protect authentication information throughout its lifecycle, emphasizing creation, issuance, use, storage, and revocation. For exam purposes, distinguish between authentication factors (something you know, have, are) and the artifacts that embody them, such as passwords, tokens, private keys, and biometric templates. The control stresses proper strength, secrecy, and integrity: strong password policies, salted hashing, hardware-backed keys, secure enrollment, and secure recovery procedures that do not expose secrets. It also addresses risks like credential stuffing, phishing, SIM swap, and replay by advocating multi-factor authentication, rate limiting, secure channels, and anti-phishing mechanisms. Candidates should be able to explain how governance sets minimum assurance levels based on data classification and how exceptions require documented risk acceptance and compensating controls to preserve confidentiality and integrity expectations.

A.5.18 governs access rights, ensuring that entitlements are granted, changed, and revoked according to policy and role requirements. This control operationalizes least privilege and segregation of duties, requiring explicit approval, timely provisioning, periodic recertification, and immediate deprovisioning at termination or role change. In practice, identity governance integrates HR events with joiner–mover–leaver workflows, automates birthright access, and uses role or attribute-based models to prevent permission sprawl. Auditors will sample user accounts, service principals, and API keys to verify ownership, justification, and last-use evidence. Common pitfalls include shared accounts, unmanaged machine identities, and standing privileged access without session control. Effective programs employ privileged access management, just-in-time elevation, break-glass procedures with post-use review, and anomaly detection tied to SIEM. Candidates should link these controls to tangible artifacts: password vault configurations, WebAuthn enrollment records, RBAC catalogs, recertification attestations, and deprovisioning SLAs that demonstrate a secure, auditable end-to-end identity lifecycle. Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.