6.2 Core Workflows and Decision Points

Key Takeaways

  • IAAA sequences every access decision: Identification, Authentication, Authorization, Accountability.
  • MFA combines two or more of: something you know, something you have, something you are.
  • MAC, DAC, RBAC, and ABAC differ in WHO decides access and on what basis.
  • The IAM lifecycle (provision, modify, recertify, deprovision) is where most audit findings live.
  • Least privilege and need-to-know limit access to the minimum required for the role and task.
Last updated: June 2026

The IAAA Access-Control Sequence

Every access decision the exam tests follows IAAA, in order:

  1. Identification — the subject asserts a unique identity (username, user ID, badge number). Identity claims must be unique so actions trace to one person.
  2. Authentication — the subject proves the claim using one or more factors: something you know (password, PIN), something you have (token, smart card, phone), or something you are (biometric fingerprint, iris, face).
  3. Authorization — the system grants the authenticated subject only the rights their role and policy permit.
  4. Accountability — actions are logged and attributable to the unique identity, supporting non-repudiation and investigation.

Multi-factor authentication (MFA) requires two or more factors from different categories. Two passwords are not MFA; a password plus a one-time code from a hardware token is. Single sign-on (SSO) lets a user authenticate once to reach many systems — convenient and a cure for password fatigue, but it concentrates risk: the SSO credential becomes a high-value target that requires strong MFA.
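The four IAAA stages and the "different categories" rule for MFA, as an added example in Python (not code from the page): each request is identified, authenticated, authorized and logged in that order, and the returned entry names the stage at which it was decided. The user store, roles, salt and TOTP secret are constructed; the password hashing (salted PBKDF2) and the HOTP/TOTP routines follow RFC 4226/6238.

```python
import hashlib
import hmac
import struct

# Constructed example data (not from the page): factor categories, two roles, one user.
FACTOR_CATEGORY = {"password": "know", "pin": "know", "totp": "have",
                   "smartcard": "have", "fingerprint": "are"}
ROLE_PERMISSIONS = {
    "ap-clerk": {"invoice:read", "invoice:create"},
    "ap-approver": {"invoice:read", "invoice:approve"},
}
SALT = b"constructed-per-user-salt"  # a real system draws a random salt per user

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the store never holds a cleartext password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {
    "alice": {"pw_hash": _hash_password("correct horse battery", SALT),
              "totp_secret": b"constructed-totp-secret", "roles": {"ap-clerk"}},
}
AUDIT_LOG = []  # accountability: every decision is recorded against the unique identity

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, now // step)

def is_mfa(factors) -> bool:
    """MFA needs two or more categories; a password plus a PIN is still one category."""
    return len({FACTOR_CATEGORY[name] for name, _ in factors}) >= 2

def verify_factor(user: dict, name: str, value: str, now: int) -> bool:
    if name == "password":
        return hmac.compare_digest(_hash_password(value, SALT), user["pw_hash"])
    if name == "totp":
        # accept the current and the previous 30 s step to absorb small clock drift
        return any(hmac.compare_digest(totp(user["totp_secret"], now - d), value) for d in (0, 30))
    return False  # other factor types are not implemented in this example

def _record(subject: str, permission: str, granted: bool, reason: str) -> dict:
    entry = {"subject": subject, "permission": permission, "granted": granted, "reason": reason}
    AUDIT_LOG.append(entry)
    return entry

def access_decision(user_id: str, factors, permission: str, now: int) -> dict:
    """Run IAAA in order; the returned entry names the stage at which the request was decided."""
    user = USERS.get(user_id)                                            # 1. Identification
    if user is None:
        return _record(user_id, permission, False, "identification")
    if not is_mfa(factors):                                              # 2. Authentication (categories)
        return _record(user_id, permission, False, "authentication: not MFA")
    if not all(verify_factor(user, n, v, now) for n, v in factors):     # 2. Authentication (values)
        return _record(user_id, permission, False, "authentication: factor failed")
    allowed = set().union(*(ROLE_PERMISSIONS[r] for r in user["roles"]))  # 3. Authorization
    if permission not in allowed:
        return _record(user_id, permission, False, "authorization")
    return _record(user_id, permission, True, "granted")                 # 4. Accountability

if __name__ == "__main__":
    now = 1_700_000_000
    code = totp(USERS["alice"]["totp_secret"], now)
    pw = ("password", "correct horse battery")
    print(access_decision("alice", [pw, ("totp", code)], "invoice:create", now))
    print(access_decision("alice", [pw, ("totp", code)], "invoice:approve", now))
    print(access_decision("alice", [pw, ("pin", "1234")], "invoice:create", now))
```

The third call fails at the authentication stage even though both values could be correct: a password and a PIN are both "something you know", so the request never reaches authorization. Every outcome, including the denials, lands in AUDIT_LOG against the claimed identity, which is what makes the accountability stage work.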

Authentication strength order

Factor type         | Examples                          | Audit note
Something you know  | Password, PIN, passphrase         | Weakest alone; subject to guessing, phishing, reuse
Something you have  | Smart card, OTP token, phone app  | Lost/stolen risk; pair with a PIN
Something you are   | Fingerprint, iris, facial, voice  | Strong; watch false acceptance rate (FAR) vs. false rejection rate (FRR)

For biometrics, the crossover error rate (CER/EER) — the point where FAR equals FRR — is the standard measure of accuracy; a lower CER means a more accurate system.
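How the crossover error rate is read off a pair of FAR/FRR curves, as an added Python example (not from the page). The two systems and their error rates at each match threshold are constructed sample data; the function finds the threshold interval where FAR stops exceeding FRR and interpolates the crossover, and the second function applies the rule that the lower CER wins.

```python
# Constructed FAR/FRR measurements (not from the page) for two biometric systems,
# sampled at increasing match thresholds: a stricter threshold lowers FAR and raises FRR.
SYSTEM_A = {"thresholds": [40, 50, 60, 70, 80],
            "far": [0.120, 0.060, 0.025, 0.008, 0.002],
            "frr": [0.005, 0.010, 0.020, 0.045, 0.090]}
SYSTEM_B = {"thresholds": [40, 50, 60, 70, 80],
            "far": [0.080, 0.030, 0.010, 0.003, 0.001],
            "frr": [0.004, 0.008, 0.012, 0.030, 0.070]}

def crossover_error_rate(thresholds, far, frr):
    """Return (threshold, CER) at the point where FAR == FRR, interpolating between samples."""
    for i in range(len(thresholds) - 1):
        d0, d1 = far[i] - frr[i], far[i + 1] - frr[i + 1]
        if d0 == 0:
            return thresholds[i], far[i]
        if d0 > 0 >= d1:          # FAR - FRR changes sign: the curves cross inside this interval
            t = d0 / (d0 - d1)    # fraction of the interval at which FAR - FRR reaches zero
            thr = thresholds[i] + t * (thresholds[i + 1] - thresholds[i])
            cer = far[i] + t * (far[i + 1] - far[i])
            return thr, cer
    raise ValueError("FAR and FRR do not cross within the sampled thresholds")

def more_accurate(systems):
    """Lower CER means a more accurate system; return the name of the best one."""
    return min(systems, key=lambda name: crossover_error_rate(**systems[name])[1])

if __name__ == "__main__":
    for name, system in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        thr, cer = crossover_error_rate(**system)
        print(f"system {name}: CER {cer:.4f} at threshold {thr:.1f}")
    print("more accurate:", more_accurate({"A": SYSTEM_A, "B": SYSTEM_B}))
```

For system A the curves cross between thresholds 60 and 70 at a CER of about 2.3%; system B crosses near 2.2% lower, at about 1.2%, so it is the more accurate device. Note that the operating threshold a site actually chooses need not sit at the crossover: a high-security door is usually tuned above it (lower FAR, more rejections of legitimate users).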

Access-Control Models and the IAM Lifecycle

CISA tests four authorization models by who decides access:

  • Mandatory Access Control (MAC) — the system enforces access from security labels/classifications (e.g., Secret, Confidential); owners cannot override. Strongest, used in military and high-regulation settings; supports strict need-to-know.
  • Discretionary Access Control (DAC) — the resource owner grants access at their discretion. Flexible but error-prone; access can sprawl.
  • Role-Based Access Control (RBAC) — permissions attach to roles/job functions, and users inherit them through role membership. Scales well and eases segregation of duties.
  • Attribute-Based Access Control (ABAC) — decisions use attributes (department, location, time, device) for fine-grained, dynamic policy.

Two principles govern every model: least privilege (grant the minimum access needed to do the job) and need-to-know (limit access to the specific data the task requires). Together they shrink the attack surface and limit insider damage.
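The "who decides" distinction between the four models, as an added Python example (not from the page): the same subject asks for the same object under each model, and the code shows where the decision comes from: a label comparison the owner cannot change (MAC), an ACL only the owner may extend (DAC), role membership (RBAC), and a policy over attributes and environment (ABAC). The subject, object, clearance levels, roles and policy are all constructed.

```python
from datetime import time

# Constructed data (not from the page): a subject, an object, and a label ordering.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
SUBJECT = {"id": "alice", "clearance": "Confidential", "department": "finance",
           "roles": {"ap-clerk"}, "location": "office", "device_managed": True}
OBJECT = {"name": "payroll.xlsx", "label": "Secret", "owner": "bob", "department": "finance"}

def mac_allows(subject, obj, action):
    """MAC: the system compares labels (no read up, no write down); the owner has no say."""
    clearance, label = LEVELS[subject["clearance"]], LEVELS[obj["label"]]
    return clearance >= label if action == "read" else clearance <= label

ACL = {}  # DAC state: object name -> {subject id -> set of actions}, maintained by the owner

def dac_grant(obj, grantor, subject_id, action):
    """DAC: only the resource owner may extend the ACL; anyone else's grant is refused."""
    if grantor != obj["owner"]:
        return False
    ACL.setdefault(obj["name"], {}).setdefault(subject_id, set()).add(action)
    return True

def dac_allows(subject, obj, action):
    return action in ACL.get(obj["name"], {}).get(subject["id"], set())

ROLE_PERMISSIONS = {"ap-clerk": {("payroll.xlsx", "read")},
                    "ap-approver": {("payroll.xlsx", "write")}}

def rbac_allows(subject, obj, action):
    """RBAC: permissions attach to roles; the subject inherits them through membership."""
    return any((obj["name"], action) in ROLE_PERMISSIONS[r] for r in subject["roles"])

def abac_allows(subject, obj, action, when):
    """ABAC: a policy over subject, object and environment attributes, evaluated per request."""
    same_department = subject["department"] == obj["department"]
    business_hours = time(8, 0) <= when <= time(18, 0)
    return same_department and business_hours and subject["device_managed"] and action == "read"

if __name__ == "__main__":
    print("MAC  read :", mac_allows(SUBJECT, OBJECT, "read"))     # Confidential < Secret: denied
    print("DAC  read :", dac_allows(SUBJECT, OBJECT, "read"))     # nothing granted yet
    dac_grant(OBJECT, "bob", "alice", "read")                     # the owner decides
    print("DAC  read :", dac_allows(SUBJECT, OBJECT, "read"))
    print("RBAC read :", rbac_allows(SUBJECT, OBJECT, "read"))    # via the ap-clerk role
    print("ABAC read :", abac_allows(SUBJECT, OBJECT, "read", time(10, 0)))
    print("ABAC 23:00:", abac_allows(SUBJECT, OBJECT, "read", time(23, 0)))
```

The MAC result is the one the exam likes: Alice's Confidential clearance cannot read a Secret file no matter what Bob, the owner, wants, whereas under DAC Bob's single grant is all it takes. The ABAC policy is the only one whose answer changes with the environment (time of day, device state) without any change to the subject or object.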

The identity and access management (IAM) lifecycle

Most access findings arise from a broken lifecycle. The auditor traces each stage:

Stage           | Control objective                                  | Common finding
Provisioning    | Access matches an approved request and role        | Access granted without authorization
Modification    | Role changes trigger access review                 | Privilege creep as users move roles but keep old rights
Recertification | Owners periodically attest access is still needed  | Reviews skipped or rubber-stamped
Deprovisioning  | Access removed promptly on termination/transfer    | Orphan/terminated accounts remain active

The highest-risk failure is delayed deprovisioning: a terminated employee retaining access for days creates a window to steal or damage assets. Access should be revoked immediately on termination, ideally automatically via HR-driven feeds. Privileged accounts (administrators, root) demand extra control — separate logging, privileged access management (PAM), and just-in-time elevation — because their actions can disable other controls.

Segregation of Duties and Federated Identity

Access design is incomplete without segregation of duties (SoD) — splitting a sensitive process so no single person can both perpetrate and conceal an error or fraud. The classic example is preventing the same user from creating a vendor and approving its payment. Where headcount makes full SoD impractical, the auditor expects compensating controls such as independent review, mandatory vacations, job rotation, and detailed activity logging. RBAC supports SoD because conflicting roles can be flagged and blocked at assignment.
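The lifecycle findings in the table above and the SoD conflict just described, as one added Python example (not the page's own tooling): an auditor-style reconciliation of an HR feed against the account store that reports terminated-but-active accounts, roles retained after a department move, dormant accounts, conflicting role pairs, and accounts with no named person behind them. The HR feed, account list, role-to-department map and conflict pair are constructed sample data.

```python
from datetime import date

AS_OF = date(2026, 6, 1)  # constructed audit date

# Constructed HR feed (not from the page): employee id -> record
HR_FEED = {
    "E100": {"account": "alice", "status": "active",     "department": "finance",     "term_date": None},
    "E101": {"account": "bob",   "status": "terminated", "department": "finance",     "term_date": date(2026, 5, 10)},
    "E102": {"account": "carol", "status": "active",     "department": "engineering", "term_date": None},
    "E103": {"account": "dave",  "status": "active",     "department": "finance",     "term_date": None},
}
# Constructed account store: account -> record
ACCOUNTS = {
    "alice":      {"enabled": True, "roles": {"ap-clerk", "ap-approver"}, "last_login": date(2026, 5, 30)},
    "bob":        {"enabled": True, "roles": {"ap-clerk"},                "last_login": date(2026, 5, 9)},
    "carol":      {"enabled": True, "roles": {"dev", "ap-clerk"},         "last_login": date(2026, 5, 28)},
    "dave":       {"enabled": True, "roles": {"ap-clerk"},                "last_login": date(2026, 1, 15)},
    "svc-shared": {"enabled": True, "roles": {"dev"},                     "last_login": date(2026, 5, 31)},
}
ROLE_DEPARTMENT = {"ap-clerk": "finance", "ap-approver": "finance", "dev": "engineering"}
# Conflicting role pairs: holding both lets one person create a vendor and approve its payment
SOD_CONFLICTS = [({"ap-clerk", "ap-approver"}, "create vendor vs approve payment")]

def audit_access(hr, accounts, as_of, dormant_days=90):
    """Reconcile accounts against HR and return findings keyed by lifecycle stage."""
    findings = {"deprovisioning": [], "privilege_creep": [], "dormant": [], "sod": [], "unattributed": []}
    person_for = {rec["account"]: rec for rec in hr.values()}
    for name, acct in accounts.items():
        person = person_for.get(name)
        if person is None:
            # no named individual owns the account: actions cannot be attributed to one person
            findings["unattributed"].append(name)
            continue
        if person["status"] == "terminated" and acct["enabled"]:
            # deprovisioning failure: report how many days the account outlived the termination
            findings["deprovisioning"].append((name, (as_of - person["term_date"]).days))
        stale = {r for r in acct["roles"] if ROLE_DEPARTMENT[r] != person["department"]}
        if stale:
            # modification failure: roles that belong to a department the person has left
            findings["privilege_creep"].append((name, sorted(stale)))
        if (as_of - acct["last_login"]).days > dormant_days:
            findings["dormant"].append(name)
        for pair, why in SOD_CONFLICTS:
            if pair <= acct["roles"]:
                findings["sod"].append((name, why))
    return findings

if __name__ == "__main__":
    for stage, items in audit_access(HR_FEED, ACCOUNTS, AS_OF).items():
        print(f"{stage:16} {items}")
```

On this data Bob's account has outlived his termination by 22 days, Carol kept a finance role after moving to engineering, Dave has not logged in for more than 90 days, Alice holds both halves of the vendor/payment conflict, and svc-shared maps to no one in HR. Each line of output corresponds to one row of the lifecycle table or to the SoD paragraph, which is the mapping an auditor wants when writing the finding.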

Federation, directories, and password controls

Large environments centralize identity in a directory service (such as LDAP/Active Directory) and extend trust across organizations through federated identity using standards like SAML, OAuth 2.0, and OpenID Connect — a user authenticates with their home identity provider and accesses a partner's application without a separate password. The auditor confirms the federation trust is properly scoped and that token issuance and expiry are controlled.
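The token checks an auditor expects a relying party to perform, as an added Python example (not from the page and not a SAML or OIDC library): a signed claims token is accepted only if it comes from an issuer on the trust list, names this application as its audience, has not expired or been issued for longer than policy allows, and is not yet past its validity window. The token format (base64url JSON body plus HMAC-SHA256 signature), issuer list, shared secret and audience are constructed stand-ins for a real federation's signed assertions.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust configuration (not from the page): issuer -> verification key
TRUSTED_ISSUERS = {"https://idp.example.com": b"constructed-shared-secret"}
OUR_AUDIENCE = "https://app.partner.example"
MAX_LIFETIME = 3600  # seconds; policy ceiling on exp - iat

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer: str, claims: dict) -> str:
    """Identity-provider side: serialise the claims and sign them with the issuer's key."""
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(TRUSTED_ISSUERS[issuer], body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def validate_token(token: str, now: int) -> str:
    """Relying-party side: return 'ok' or the first control that the token fails."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    key = TRUSTED_ISSUERS.get(claims.get("iss"))          # trust is scoped to listed issuers
    if key is None:
        return "untrusted issuer"
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):            # nothing below is trusted until this passes
        return "bad signature"
    if claims.get("aud") != OUR_AUDIENCE:                 # a token for another partner is not ours
        return "wrong audience"
    if not all(k in claims for k in ("sub", "iat", "exp")):
        return "missing claims"
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:      # issuance control: lifetime ceiling
        return "lifetime too long"
    if now < claims["iat"]:
        return "not yet valid"
    if now >= claims["exp"]:                              # expiry control
        return "expired"
    return "ok"

if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token("https://idp.example.com", {"iss": "https://idp.example.com", "sub": "alice",
                                                    "aud": OUR_AUDIENCE, "iat": now, "exp": now + 600})
    print(validate_token(token, now + 10))    # ok
    print(validate_token(token, now + 900))   # expired
```

The order of the checks matters: the issuer lookup and signature verification come first, so the audience and time claims are only ever read from a body that a trusted identity provider actually signed. A real deployment would use the provider's published signing keys rather than a shared secret, but the control objectives the auditor tests (scoped trust, bounded lifetime, enforced expiry) are the same.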

Password and credential controls remain heavily tested:

Control               | What the auditor verifies
Length and complexity | Minimum length enforced by the standard
Storage               | Passwords stored hashed and salted, never in cleartext
Lockout               | Accounts lock after a defined number of failed attempts
Rotation/reuse        | History prevents reuse; rotation aligns with policy
Default credentials   | Vendor defaults changed before production use
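The five password controls in the table above implemented in one small credential store, as an added Python example (not from the page): a minimum length, salted PBKDF2 storage, a failed-attempt lockout, a reuse check against retained history, and a refusal to accept known vendor defaults. The policy numbers and the vendor-default list are constructed; a real standard sets its own values.

```python
import hashlib
import hmac
import os

# Constructed policy values (not from the page)
MIN_LENGTH = 12
LOCKOUT_THRESHOLD = 5
HISTORY_DEPTH = 5
VENDOR_DEFAULTS = {("admin", "admin"), ("root", "password")}  # constructed examples of factory defaults

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the store keeps (salt, digest), never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CredentialStore:
    def __init__(self):
        self.records = {}  # username -> {"salt", "hash", "history", "failures", "locked"}

    def set_password(self, username: str, password: str) -> str:
        """Apply the default-credential, length and reuse controls; return 'ok' or the failed control."""
        if (username, password) in VENDOR_DEFAULTS:
            return "vendor default"
        if len(password) < MIN_LENGTH:
            return "too short"
        rec = self.records.setdefault(username, {"history": [], "failures": 0, "locked": False})
        for old_salt, old_digest in rec["history"]:  # re-hash with each old salt to detect reuse
            if hmac.compare_digest(hash_password(password, old_salt)[1], old_digest):
                return "reused"
        salt, digest = hash_password(password)
        rec["salt"], rec["hash"] = salt, digest
        rec["history"] = ([(salt, digest)] + rec["history"])[:HISTORY_DEPTH]
        return "ok"

    def login(self, username: str, password: str) -> str:
        """Verify against the stored digest and apply the lockout control."""
        rec = self.records.get(username)
        if rec is None:
            hash_password(password, b"\0" * 16)  # same cost whether or not the user exists
            return "denied"
        if rec["locked"]:
            return "locked"
        if hmac.compare_digest(hash_password(password, rec["salt"])[1], rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked"] = True
            return "locked"
        return "denied"

if __name__ == "__main__":
    store = CredentialStore()
    print(store.set_password("admin", "admin"))                 # vendor default
    print(store.set_password("alice", "correct-horse-battery")) # ok
    print(store.set_password("alice", "correct-horse-battery")) # reused
    print(store.login("alice", "correct-horse-battery"))        # ok
```

Two details are worth pointing out during a walkthrough with the auditor: the reuse check works without ever storing old passwords, by re-hashing the candidate with each retained salt, and the lockout counter resets only on a successful login, so a slow stream of failures still trips it.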

Common access findings

The most common Domain 5 access findings cluster around the lifecycle: shared or generic accounts that defeat accountability, dormant accounts never disabled, excessive privileges beyond least privilege, terminated users still active, and access reviews that are skipped or signed off without genuine scrutiny. For each, the auditor's best recommendation is the control that restores unique attribution, enforces least privilege, and produces a reviewable trail.

Test Your Knowledge

An organization with strict regulatory requirements must enforce need-to-know based on classification labels that resource owners cannot override. Which access-control model BEST fits?


An IS auditor finds that several employees who changed departments retained access rights from their previous roles. This condition is BEST described as:


Which combination correctly represents multi-factor authentication?
