IAM-03: Identity Inventory

Control is new to this version of the control set and incorporates the following controls from the previous version: IAM-04: Policies and Procedures, IAM-08: Trusted Sources, IAM-10: User Access Reviews.

Control Statement

Manage, store, and review the information of system identities, and level of access.

Implementation Guidance

Organizations should maintain a database of all system identities having access to different cloud environments and assets. The database should illustrate a correlation between digital identities, assets where the access is provisioned, and the type of access being provisioned (e.g., business users, system users, privileged users). In addition, the database should be regularly reviewed to ensure access is revoked or changed based on job role changes. The identity and access management database should incorporate single sign-on and multi-factor authentication for user access. Database access should be based on need-to-know and least-privilege principles and should follow best practices (such as role-based access control and segregation of duties). Finally, all access (especially privileged access) should be logged and monitored for anomalies and unauthorized use and linked to alerting systems as appropriate.

Auditing Guidance

  1. Determine if the organization has defined acceptable storage methods and locations of system identities.
  2. Evaluate if the organization is consistently utilizing approved methods and locations to store system identities.
  3. Evaluate if access to stored identities is managed following established processes.

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.