5.5 – Manage the identity and access provisioning lifecycle




The 4 Stages of the Identity and Access Provisioning Lifecycle

The identity and access provisioning lifecycle is a structured, four-stage framework that manages a user identity from creation to removal. Each stage is triggered by an HR or business event, enforced by IAM controls, and audited for compliance. Understanding this lifecycle is essential for the CISSP exam and for real-world access governance.

Stage 1: Identity Proofing and Account Creation

Triggered by a new hire or contractor onboarding event from the HR system (HRIS/HRMS). The IAM team verifies the individual’s identity, creates a unique user account, assigns the account to the appropriate role or group, and enforces MFA on first login. The CISSP exam tests that identity verification occurs before account creation — not simultaneously. Key risk: insufficient identity proofing allows impersonation.

Stage 2: Access Provisioning and Role Assignment

Once the account exists, access is provisioned based on the principle of least privilege using RBAC or ABAC models. Users receive only the permissions required for their job function — no more. Automated provisioning tools (e.g., Okta, SailPoint) sync role membership and eliminate manual error. The CISSP exam tests that “provisioning” means granting the minimum necessary access, not blanket permissions.

Stage 3: Access Maintenance, Role Changes, and Periodic Review

Throughout the user’s tenure, access rights must be updated as roles change (Mover in the JML model) and reviewed on a regular schedule (quarterly is the CISSP best practice). This stage detects and corrects privilege creep — the gradual accumulation of access rights beyond what a role requires. Failure to review = compliance violation and insider threat risk.

Stage 4: Deprovisioning and Offboarding

Triggered by termination, resignation, or end of contract (Leaver). The IAM team disables the account first (do not delete immediately — encrypted data may be lost), recovers data, reclaims hardware assets, and then deletes the account. HR-to-IT sync is critical: delayed deprovisioning creates orphaned accounts, the #1 insider threat vector. The CISSP exam sequence: Disable → Review → Delete.

Stage | Trigger | Key Action | Risk if Skipped
--- | --- | --- | ---
1. Identity Proofing & Account Creation | New hire / onboarding HR event | Verify identity, create account, assign role, enforce MFA | Impersonation, unauthorized account creation
2. Access Provisioning & Role Assignment | Account creation complete | Grant least-privilege access via RBAC/ABAC | Excessive permissions, compliance failure
3. Access Maintenance & Review | Role change or scheduled audit | Update role membership, detect privilege creep | Privilege creep, dormant over-privileged accounts
4. Deprovisioning & Offboarding | Termination / resignation HR event | Disable → recover data → delete → reclaim assets | Orphaned accounts, insider threat, data loss
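
The four stages above are a state machine with ordering rules: no account before identity proofing, only the role baseline at provisioning, old rights dropped on a Mover event, and Disable → Review → Delete on exit. The following Python model is an added example, not code from the study sheet or from any IAM product; the role catalogue, the entitlement names and the user "karen" are constructed for illustration.

```python
"""Model of the four lifecycle stages above: proof identity, provision by role,
handle Mover and Leaver events, and enforce Disable -> Review -> Delete. Added
example, not from the study sheet; roles, entitlements and the user are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ACTIVE = "active"        # account exists with least-privilege access
    DISABLED = "disabled"    # access removed, keys and data still recoverable
    DELETED = "deleted"      # final removal after data review


# Constructed role catalogue: each role maps to exactly the entitlements it needs.
ROLE_ENTITLEMENTS = {
    "accounting": {"erp.ledger.read", "erp.ledger.post"},
    "sales": {"crm.read", "crm.write"},
}


class LifecycleError(Exception):
    """A step attempted out of order or without its required control."""


@dataclass
class Account:
    user_id: str
    role: str
    state: State = State.ACTIVE
    entitlements: set = field(default_factory=set)
    data_recovered: bool = False
    history: list = field(default_factory=list)


class Directory:
    def __init__(self):
        self.accounts = {}

    # Stages 1-2: identity proofing gates creation; the account gets the role
    # baseline and nothing else (least privilege).
    def joiner(self, user_id, role, identity_verified):
        if not identity_verified:
            raise LifecycleError("identity proofing failed; no account created")
        acct = Account(user_id, role, entitlements=set(ROLE_ENTITLEMENTS[role]))
        acct.history.append(f"joiner:{role}")
        self.accounts[user_id] = acct
        return acct

    # Stage 3 (Mover): replace the old role's entitlements instead of stacking
    # the new ones on top, which is where privilege creep would begin.
    def mover(self, user_id, new_role):
        acct = self._active(user_id)
        acct.entitlements = set(ROLE_ENTITLEMENTS[new_role])
        acct.history.append(f"mover:{acct.role}->{new_role}")
        acct.role = new_role
        return acct

    # Stage 4 (Leaver): disable first, recover data, and only then delete.
    def leaver_disable(self, user_id):
        acct = self._active(user_id)
        acct.entitlements.clear()
        acct.state = State.DISABLED
        acct.history.append("disabled")
        return acct

    def recover_data(self, user_id):
        acct = self.accounts[user_id]
        if acct.state is not State.DISABLED:
            raise LifecycleError("data recovery needs a disabled, not deleted, account")
        acct.data_recovered = True
        acct.history.append("data_recovered")

    def leaver_delete(self, user_id):
        acct = self.accounts[user_id]
        if acct.state is not State.DISABLED or not acct.data_recovered:
            raise LifecycleError("delete only after disable and data recovery")
        acct.state = State.DELETED
        acct.history.append("deleted")
        return acct

    def _active(self, user_id):
        acct = self.accounts.get(user_id)
        if acct is None or acct.state is not State.ACTIVE:
            raise LifecycleError(f"{user_id} is not an active account")
        return acct


def demo():
    """Constructed hire-to-retire run for one user; returns the directory."""
    d = Directory()
    d.joiner("karen", "accounting", True)
    d.mover("karen", "sales")          # accounting rights removed automatically
    d.leaver_disable("karen")
    d.recover_data("karen")
    d.leaver_delete("karen")
    return d
```

Running `demo()` walks one user through all four stages; the `history` list on the account is the audit trail the exam expects (joiner, mover, disabled, data_recovered, deleted). Calling `leaver_delete` on an account that was never disabled or whose data was not recovered raises `LifecycleError`, which is the "disable before delete" trap encoded as a guard rather than as a reminder.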

1. Front Matter

  • title: Managing the Identity and Access Provisioning Life Cycle
  • domain: D5 – Identity and Access Management (IAM)
  • objective_ref: Manage identity and access provisioning lifecycle (creation → maintenance → termination)
  • tags: [CISSP, IAM, Access Control, Lifecycle]
  • last_updated: 2025-10-12
  • difficulty: Intermediate
  • confidence: 0.95
  • source: user prompt
  • mode: quick
  • complexity_score: 3
  • bloom_level: Apply
  • question_type: scenario
  • cheatline_80_20: “Control identity from hire to retire—consistently, securely, auditable.”

2. Intro (30-sec → 2-min → 1-min)

  1. 30-sec skim: Account lifecycle = create → maintain → review → remove.
  2. 2-min recall: Onboarding ensures correct access; offboarding ensures removal; automation prevents human error.
  3. 1-min trap check: Verify who approves account creation, how access is reviewed, when revocation occurs.

3. Domain Objective & Why This Matters

CISSP Domain: D5 – Identity and Access Management
Why for Exam:

  • Core to authorization, authentication, and accountability.
  • Tested as scenario: HR triggers → IT automates → Security audits.

Why for Real World:

  • Minimizes orphaned accounts & insider risk.
  • Supports compliance (SOX, HIPAA, ISO 27001 A.9.2).

4. Definition & Deep Explanation

Definition:
The Identity & Access Provisioning Life Cycle manages user identities from onboarding to termination, ensuring consistent access control and auditability.

Expanded:

  • Creation (Enrollment): Verify ID → create unique user → assign roles/groups.
  • Provisioning: Grant least-privilege access & hardware assets.
  • Maintenance: Regular review of access rights & updates via HR events.
  • Deprovisioning: Revoke access, disable accounts, reclaim assets.

5. Acronym/Term Reference Table

Term | Meaning | Exam Hook
--- | --- | ---
IAM | Identity & Access Management | Core of D5 domain
AUP | Acceptable Use Policy | Must be signed at onboarding
HRIS | HR Info System | Triggers automated provisioning
RBAC | Role-Based Access Control | Simplifies provisioning consistency
MFA / 2FA | Multi-Factor Auth | Secures onboarding authentication

6. Advantages, Limitations, and Use Cases

Advantages:

  1. Reduces admin error via automation.
  2. Ensures compliance and audit readiness.
  3. Enforces consistent access policies.

Limitations:

  1. Complex integration with legacy systems.
  2. Risk if HR-to-IT feed fails.
  3. Poor offboarding = orphaned accounts.

Use Cases:

  1. HR triggers automated account creation.
  2. Role-based access provisioning.
  3. Automatic disabling of inactive accounts.

7. Security Concerns, Risks & Threats

  • Orphaned accounts → privilege misuse (STRIDE: Elevation of Privilege).
  • Excessive permissions → privilege creep.
  • Weak enrollment validation → impersonation risk.
  • Unsecured hardware issuance → data leakage.
  • Delayed deprovisioning → insider threat.

8. Security Controls & Best Practices

People:

  • Mandatory ID verification before enrollment.
  • User training + AUP acknowledgment.

Process:

  • Joiner-Mover-Leaver (JML) policy.
  • Periodic access reviews (quarterly).
  • Dual approval for privilege changes.

Technology:

  • Automated provisioning tool (e.g., SailPoint, Okta).
  • MFA enforced on first login.
  • Audit logging via SIEM integration.

9. Key Standards/Protocols

  • ISO/IEC 27001 A.9: Access control policies.
  • NIST SP 800-53 (AC, IA): Access enforcement & identification.
  • SCIM / SAML / LDAP: For identity federation & automation.

10. Technical & Everyday Examples

Technical:

  1. HR adds employee → Okta auto-creates AD account.
  2. Employee transfers → RBAC updates group membership.
  3. Employee exits → AD disables account, MDM wipes phone.

Everyday Analogies:

  1. Hotel keycard activated at check-in, disabled at checkout.
  2. Gym membership—access only valid while membership is active.

11. Real-World Tie-In

  • Failure: Contractor account left active post-project → data leak.
  • Fix: Automated offboarding via HR-IT sync.
  • Success: Bank using SailPoint with JML reduced orphaned accounts by 90%.

12. Comparison Table

Lifecycle Phase | Advantage | Limitation | Best Use
--- | --- | --- | ---
Manual Provisioning | Flexibility | Inconsistent | Small orgs
Automated Provisioning | Speed, Consistency | Setup cost | Large orgs
Role-Based | Least Privilege | Rigid roles | Compliance environments

13. Quick Visual/Diagram

[HR] → [IAM System] → [AD/LDAP] → [User Access]
  ↑         ↓                     ↓
 [Audit] ← [Review/Recertify] ← [Termination]

14. Exam Mindset & Traps

  • BEST: Aligns with policy & least privilege.
  • FIRST: Verify identity before creating account.
  • MOST: Automation improves consistency & auditability.

Triage Move: Identify where lifecycle is broken (creation / maintenance / deletion).

3 Pitfalls:

  1. Assuming HR validation = access control.
  2. Forgetting offboarding step.
  3. Confusing authentication with identification.

15. Prevent → Detect → Respond

Prevent:

  • Enforce JML workflow with approval chain.
  • Require MFA for all new accounts.

Detect:

  • Periodic access audits.
  • SIEM alerts for dormant accounts.

Respond:

  • Immediate disable on termination.
  • Post-incident access review.

16. Scenario-Based MCQ

Q: HR reports a terminated employee’s account is still active. What control failed?
A. Role-based provisioning
B. Automated onboarding
C. Offboarding synchronization
D. MFA enforcement

Answer: C. Offboarding synchronization
Rationale: HR event wasn’t synced → deprovisioning failed.

  • A: RBAC affects privileges, not removal.
  • B: Onboarding is creation.
  • D: MFA protects login, not lifecycle.

17. Trapfinder

  1. “Access review” ≠ “access removal.”
  2. “Provisioning tool” ≠ “policy enforcement.”
  3. “Authentication” ≠ “authorization.”

18. Governance, Roles & Responsibilities

  • Owner: HR (identity source)
  • Custodian: IT (account creation/management)
  • User: Employee (uses credentials responsibly)
  • Auditor: Security / Compliance (verifies reviews)
  • Manager: Approves access level changes

19. Summary Table

Key Concept | Must-Know | Exam Angle
--- | --- | ---
Joiner-Mover-Leaver | Core lifecycle model | Common scenario question
Automation | Consistency & audit trail | Reduces errors
Access Reviews | Quarterly best practice | Detects privilege creep

Likely Gaps if You Struggled:

  • Confusing IAM lifecycle with authentication process.
  • Forgetting offboarding automation importance.
  • Ignoring HR–IT workflow link.

20. Cross-Links (See Also)

  • Access Control Models (DAC/RBAC) – ties to provisioning logic.
  • Account Review & Recertification – ongoing control phase.
  • Separation of Duties – prevents privilege conflicts during role assignment.

21. Spaced Repetition Pack

Flashcards:
1️⃣ What are the 4 IAM lifecycle phases? → Create, Maintain, Review, Remove.
2️⃣ What triggers provisioning? → HR onboarding event.
3️⃣ What’s the main risk of failed offboarding? → Orphaned accounts.
4️⃣ What policy must users sign? → AUP.
5️⃣ Which control enforces least privilege? → RBAC.

Cloze Deletions:

  1. The IAM lifecycle begins with _______ and ends with _______.
  2. Automated provisioning ensures _______ and reduces _______.
  3. The HR-to-IT link prevents _______ accounts.

Review cadence: 1-3-7-21-45 days.


22. Mnemonic / Lightning Recap

Mnemonic: “CAMP – Create, Assign, Maintain, Purge.”
30-sec Recap Script:
IAM lifecycle = identity proofing → account creation → privilege assignment → periodic review → secure removal.
Automation enforces policy; HR is trigger; security audits keep it clean.


23. Assumptions & Unknowns

  • None; based fully on provided text.
  • Assuming standard enterprise HR-to-IT workflow model.

24. Blog Seed (Outline)

Hook: “Most data breaches start with an old account no one remembered.”
3 Big Ideas:

  1. Lifecycle = Security backbone of IAM.
  2. Automation = Accuracy + Auditability.
  3. HR sync = Human risk eliminator.

Mini Example: Contractor never offboarded → breach → audit found missing HR trigger.
Visual Placeholder: “Hire-to-Retire Flow Diagram.”
CTA: “Audit your Joiner-Mover-Leaver process this week.”


This section covers Deprovisioning and Offboarding, the final phase of the CISSP IAM lifecycle. Below is the full CISSP Fastlane Sheet for this subsection, optimized for exam recall, manager fluency, and blog reuse.


1. Front Matter

  • title: Deprovisioning and Offboarding
  • domain: D5 – Identity and Access Management (IAM)
  • objective_ref: Manage deprovisioning and offboarding processes securely and consistently
  • tags: [CISSP, IAM, Offboarding, Deprovisioning, Account Lifecycle]
  • last_updated: 2025-10-12
  • difficulty: Intermediate
  • confidence: 0.97
  • source: user prompt
  • mode: quick
  • complexity_score: 3
  • bloom_level: Apply
  • question_type: scenario
  • cheatline_80_20: “Disable, audit, delete — remove access, recover data, reclaim assets.”

2. Intro (30-sec → 2-min → 1-min)

  1. 30-sec skim: Offboarding = disable accounts, reclaim assets, terminate access cleanly.
  2. 2-min recall: Disable > review > delete; ensure encryption/data recovery; HR-IT sync critical.
  3. 1-min trap check: Don’t delete before recovering encrypted data; disable first.

3. Domain Objective & Why This Matters

Domain: D5 – IAM
Why for Exam:

  • Tests risk of lingering accounts, encryption key loss, and HR–IT coordination.

Why for Real World:

  • Prevents insider sabotage or compliance failures.
  • Protects IP, data, and benefits systems.

4. Definition & Deep Explanation

Definition:
Deprovisioning removes access rights and recovers assets when users leave or change roles.

Expanded:

  • Triggered by termination, resignation, or transfer.
  • Steps: Disable → Review → Delete.
  • Recover or decrypt user data before account deletion.
  • Reclaim hardware, disable remote/mobile access.
  • Remove benefits & financial entitlements.

5. Acronym/Term Reference Table

Term | Meaning | Exam Hook
--- | --- | ---
Deprovisioning | Revoking system access | Last phase of IAM lifecycle
Offboarding | HR + IT process post-exit | Completes employee separation
Account Revocation | Deletion of account | May cause encrypted data loss
Disabled Account | Temporarily locked user | Used for data recovery
HRMS | HR Management System | Financial/benefit sync critical

6. Advantages, Limitations, and Use Cases

Advantages:

  1. Mitigates insider threat immediately.
  2. Preserves data integrity during review.
  3. Ensures compliance and audit closure.

Limitations:

  1. Premature deletion = data loss (esp. encrypted).
  2. Poor hardware tracking = asset leakage.
  3. Missed HRMS sync = ongoing benefit costs.

Use Cases:

  1. Disable accounts after exit interview.
  2. Decrypt data before deletion.
  3. Collect issued hardware and revoke benefits.

7. Security Concerns, Risks & Threats

  • Orphaned or active ex-employee accounts → sabotage risk.
  • Encrypted data tied to deleted credentials → data loss.
  • Shared passwords used post-exit → false attribution in logs.
  • HR system sync failures → financial waste.
  • Incomplete hardware retrieval → data exfiltration.

(Mapped: STRIDE – Elevation of Privilege, Repudiation, Information Disclosure)


8. Security Controls & Best Practices

People:

  • Exit checklist signed by HR, IT, and manager.
  • Dual verification for critical system access removal.

Process:

  • Disable before deletion.
  • Audit all accounts within 24 hrs of termination.
  • Maintain issued asset inventory.

Technology:

  • IAM tool triggers account disable automatically.
  • Encryption key escrow for data recovery.
  • Endpoint management (MDM) for remote wipe.

9. Key Standards/Protocols

  • ISO/IEC 27001 A.9.2.6: Removal/Adjustment of Access Rights.
  • NIST SP 800-53 AC-2(3): Account removal.
  • ISO 27002 A.11.2.8: Return of assets post-employment.

10. Technical & Everyday Examples

Technical:

  1. IAM tool disables Active Directory account immediately after HR termination event.
  2. Admin changes ex-employee password to recover encrypted files.
  3. MDM wipes company data from mobile device post-exit.

Everyday Analogies:

  1. Returning a rented car—access removed, car inspected, deposit reclaimed.
  2. Turning in a school ID at graduation—card deactivated, library balance cleared.

11. Real-World Tie-In

  • Failure: University of Wisconsin paid $8M in health premiums for 924 ex-employees — HRMS sync failure.
  • Success: Finance firm disabled ex-employee accounts within 30 min of exit → zero data leakage.

12. Comparison Table

Method | Advantage | Limitation | Best Use
--- | --- | --- | ---
Immediate Deletion | No access post-exit | Data loss risk | Low-sensitivity roles
Disable then Delete | Safe data recovery | Slight delay | High-data sensitivity
Automated Deprovisioning | Speed, auditability | Tool dependency | Enterprise scale

13. Quick Visual/Diagram

[HR Exit Notice]
      ↓
 [IAM Disable Account]
      ↓
 [Data Review / Decrypt]
      ↓
 [Delete Account + Assets]
      ↓
 [Audit & HRMS Sync]

14. Exam Mindset & Traps

  • BEST: Disable first, review, then delete.
  • FIRST: Remove access from critical systems.
  • MOST: Use automation for speed & consistency.

Triage Move: Identify if scenario needs “disable” (data recovery) or “delete” (security).

Pitfalls:

  1. Deleting before decrypting.
  2. Forgetting benefit offboarding.
  3. Missing hardware recovery.

15. Prevent → Detect → Respond

Prevent:

  • Require exit workflow approvals before HR finalizes.
  • Encrypt data with escrowed org keys, not user keys.

Detect:

  • Audit login attempts from disabled accounts.
  • Verify MDM & VPN disconnections.

Respond:

  • Lock accounts immediately if termination dispute.
  • Conduct post-offboarding audit for residual access.
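
The two Detect items (audit login attempts from disabled accounts; verify access is really gone) and the earlier "SIEM alerts for dormant accounts" control are easiest to understand as queries over authentication events joined with the IAM status export. The script below is an added example, not from the study sheet or any SIEM vendor; the log line format, the account snapshot, the 30-day dormancy threshold and the review date are all constructed and would be replaced by the SIEM's own fields.

```python
"""Detection over constructed authentication events: logins against disabled
accounts and dormant active accounts. Added example, not from the study sheet;
the log format, account snapshot and thresholds are constructed and would be
replaced by the SIEM's own fields and the IAM system's status export."""
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=30)
AS_OF = datetime(2025, 11, 1)      # constructed review date for the dormancy check

# Constructed IAM status snapshot: user -> lifecycle status.
ACCOUNTS = {
    "alice": "active",
    "bob": "active",
    "dave": "active",
    "carol": "disabled",           # leaver; disabled 2025-09-30 (constructed)
    "svc-backup": "active",        # service account, never logs in interactively
}

# Constructed auth events, one per line: "<UTC time> <user> <result> <source ip>".
AUTH_LOG = """\
2025-09-20T10:00:00Z dave success 10.0.0.50
2025-10-01T08:02:11Z alice success 10.0.0.12
2025-10-02T09:15:40Z carol failure 203.0.113.7
2025-10-02T09:16:02Z carol failure 203.0.113.7
2025-10-05T07:55:03Z bob success 10.0.0.40
2025-10-10T22:41:19Z carol success 203.0.113.7
2025-10-11T08:00:00Z alice success 10.0.0.12
"""


def parse_events(text):
    """Turn the raw lines into dicts with a naive UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "src": src,
        })
    return events


def disabled_account_activity(events, accounts):
    """Every attempt by a disabled account is a finding: a success means the
    disable did not take effect everywhere; repeated failures mean someone still
    holds the credential. Returns (user, result, source, severity) tuples."""
    findings = []
    for e in events:
        if accounts.get(e["user"]) == "disabled":
            severity = "high" if e["result"] == "success" else "medium"
            findings.append((e["user"], e["result"], e["src"], severity))
    return findings


def dormant_accounts(events, accounts, as_of=AS_OF, threshold=DORMANT_AFTER):
    """Active accounts with no successful login inside the threshold, including
    accounts that never logged in at all. Returns sorted (user, last_login)."""
    last_ok = {}
    for e in events:
        if e["result"] == "success":
            prev = last_ok.get(e["user"])
            last_ok[e["user"]] = e["time"] if prev is None else max(prev, e["time"])
    dormant = []
    for user, status in accounts.items():
        if status != "active":
            continue
        last = last_ok.get(user)
        if last is None or as_of - last > threshold:
            dormant.append((user, last.isoformat() if last else "never"))
    return sorted(dormant)


def report(text=AUTH_LOG, accounts=ACCOUNTS, as_of=AS_OF):
    """Run both checks; the result is what would feed SIEM alerts or a review ticket."""
    events = parse_events(text)
    return {
        "disabled_activity": disabled_account_activity(events, accounts),
        "dormant": dormant_accounts(events, accounts, as_of),
    }


if __name__ == "__main__":
    for key, rows in report().items():
        print(key)
        for row in rows:
            print("  ", row)
```

On the constructed data, the disabled account "carol" shows two failures and then a success on 2025-10-10, which is the high-severity case: the HR exit notice was processed but the credential still works somewhere. The dormancy check lists "dave" (last login more than 30 days before the review date) and "svc-backup" (never logged in), and it deliberately includes service accounts, since those are the ones reviews tend to skip.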

16. Scenario-Based MCQ

Q: A terminated employee’s account was deleted, causing loss of encrypted project files. What failed?
A. Role-based provisioning
B. Data recovery procedure
C. Encryption policy
D. HR synchronization

Answer: B. Data recovery procedure

  • Rationale: Account deletion before decryption → lost access to keys.
  • A: Irrelevant (creation phase).
  • C: Policy didn’t fail; execution did.
  • D: HR sync not the cause here.

17. Trapfinder

  1. “Deletion” ≠ “Deactivation.”
  2. “Encryption” hides data from admins unless planned.
  3. “HR offboarding” must include IT, not just payroll.

18. Governance, Roles & Responsibilities

  • Owner: HR (termination source)
  • Custodian: IT (disable/delete accounts, reclaim assets)
  • User: Departing employee (return property, comply with AUP)
  • Auditor: Security/Compliance (validate closure of access)
  • Manager: Approves termination and validates recovered assets

19. Summary Table

Concept | Must-Know | Exam Angle
--- | --- | ---
Disable Before Delete | Prevents data loss | Common exam trap
HR–IT Coordination | Offboarding trigger | Scenario-based
Hardware & Benefits Return | Full lifecycle closure | Governance emphasis

Likely Gaps if You Struggled:

  • Confusing account disablement vs deletion.
  • Forgetting encryption key recovery.
  • Overlooking non-IT assets (laptops, benefits).

20. Cross-Links (See Also)

  • Onboarding & Provisioning – opposite lifecycle phase.
  • Access Review / Recertification – ongoing control before exit.
  • Key Management – prevents data loss on account deletion.

21. Spaced Repetition Pack

Flashcards:
1️⃣ What’s the safest offboarding sequence? → Disable → Review → Delete.
2️⃣ Why avoid immediate deletion? → Encrypted data may be lost.
3️⃣ What’s the top sabotage risk? → Retained access post-exit.
4️⃣ What system must sync with HR? → IAM & HRMS.
5️⃣ What non-IT step closes offboarding? → Reclaim hardware & terminate benefits.

Cloze Deletions:

  1. Always _______ an account before deleting to preserve data.
  2. HR systems must sync with _______ to stop payments and benefits.
  3. _______ accounts hide identity but retain audit trail.

Review cadence: 1-3-7-21-45 days.


22. Mnemonic / Lightning Recap

Mnemonic: “DRD – Disable, Review, Delete.”
30-sec Recap Script:
Deprovisioning starts at termination notice → disable access → recover data → reclaim assets → delete → audit.
Prevents sabotage, preserves evidence, protects finances.


23. Assumptions & Unknowns

  • Based on provided text; assumes enterprise HRMS–IAM integration model.
  • Encryption recovery methods not vendor-specific.

24. Blog Seed (Outline)

Hook: “Your biggest insider threat may already be gone — but still logged in.”
3 Big Ideas:

  1. Offboarding lapses = silent insider risk.
  2. Disable before delete = protect encrypted data.
  3. Automate HR-IT sync = close access gaps.

Mini Example: University case: $8M benefits error due to HRMS failure.
Visual Placeholder: “DRD Flow (Disable–Review–Delete).”
CTA: “Run a dormant account audit this quarter.”

This section covers the middle phase of the IAM lifecycle (“Maintain and Review”), which sits between Provisioning and Deprovisioning.

Below is the CISSP Fastlane Sheet for “Role Definition, Account Maintenance, and Access Review.”
Manager-first, exam-ready, and blog-reusable.


1. Front Matter

  • title: Role Definition, Account Maintenance, and Access Review
  • domain: D5 – Identity and Access Management (IAM)
  • objective_ref: Define, maintain, and review roles and privileges throughout the IAM lifecycle
  • tags: [CISSP, IAM, Role Management, Privilege Creep, Access Review]
  • last_updated: 2025-10-12
  • difficulty: Intermediate
  • confidence: 0.96
  • source: user prompt
  • mode: quick
  • complexity_score: 3
  • bloom_level: Apply
  • question_type: scenario
  • cheatline_80_20: “Define roles right, review often, stop privilege creep early.”

2. Intro (30-sec → 2-min → 1-min)

  1. 30-sec skim: Define roles → control privileges → audit regularly → prevent privilege creep.
  2. 2-min recall: Roles define access; maintenance updates rights; audits remove excess.
  3. 1-min trap check: Don’t confuse “privilege creep” with “excessive privilege.”

3. Domain Objective & Why This Matters

Domain: D5 – IAM
Why for Exam:

  • Often tested in scenarios involving least privilege, role changes, and account review cycles.

Why for Real World:

  • Poorly managed privileges = insider risk + compliance failure.
  • Regular reviews support SOX, ISO 27001, NIST 800-53, PCI DSS.

4. Definition & Deep Explanation

Definition:
Role definition creates structured job-based access models; account maintenance updates access as roles change; access review ensures ongoing compliance.

Expanded:

  • Define new roles when business processes or tech stacks evolve.
  • Align privileges with RBAC or ABAC principles.
  • Use controlled workflows for role or privilege modification.
  • Regular access reviews detect and fix privilege creep or dormant accounts.
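
An access review is a diff: the entitlements an account actually holds against the baseline its current role should hold. Anything in excess is privilege creep to revoke; elevated rights must be certified by a named owner; a non-human account holding admin rights is escalated rather than rubber-stamped. The following script is an added example, not from the study sheet or any PAM/IGA product; the role catalogue, the privileged set and the directory export are constructed, and the "karen" record mirrors the Accounting → Sales transfer used in the MCQ later in this sheet.

```python
"""Quarterly access review: compare each account's actual entitlements with the
baseline for its current role and flag privilege creep. Added example, not from
the study sheet; the role catalogue, the privileged set and the directory export
are constructed (Karen's Accounting -> Sales transfer mirrors the MCQ scenario)."""
from collections import Counter

# Constructed role catalogue: what each role should hold, and nothing more.
ROLE_BASELINE = {
    "accounting": {"erp.ledger.read", "erp.ledger.post"},
    "sales": {"crm.read", "crm.write"},
    "it_admin": {"ad.admin", "vpn.admin", "crm.read"},
    "backup_service": {"fileserver.read"},
}

# Entitlements treated as elevated: they always need a named human owner.
PRIVILEGED = {"ad.admin", "vpn.admin", "erp.ledger.post"}

# Constructed directory export. Karen moved from Accounting to Sales but kept
# her old rights; svc-backup is a service account that picked up admin rights.
ACCOUNTS = [
    {"user": "karen", "role": "sales", "service": False,
     "entitlements": {"crm.read", "crm.write", "erp.ledger.read", "erp.ledger.post"}},
    {"user": "raj", "role": "it_admin", "service": False,
     "entitlements": {"ad.admin", "vpn.admin", "crm.read"}},
    {"user": "svc-backup", "role": "backup_service", "service": True,
     "entitlements": {"fileserver.read", "ad.admin"}},
    {"user": "mei", "role": "sales", "service": False,
     "entitlements": {"crm.read"}},
]


def review_account(acct, baseline=ROLE_BASELINE, privileged=PRIVILEGED):
    """One recertification item: excess = privilege creep to revoke; missing =
    under-provisioned (a usability issue, not a security finding); elevated =
    rights the reviewer must explicitly certify."""
    expected = baseline[acct["role"]]
    actual = acct["entitlements"]
    excess = sorted(actual - expected)
    elevated = sorted(actual & privileged)
    if acct["service"] and elevated:
        action = "escalate"       # non-human account holding admin rights
    elif excess:
        action = "revoke"
    else:
        action = "certify"
    return {
        "user": acct["user"], "role": acct["role"],
        "excess": excess, "missing": sorted(expected - actual),
        "elevated": elevated, "action": action,
    }


def run_review(accounts=ACCOUNTS):
    """Review every account, human and service alike, keyed by user."""
    return {a["user"]: review_account(a) for a in accounts}


def summary(findings):
    """Counts per action, the line a manager sees at the top of the report."""
    return dict(Counter(f["action"] for f in findings.values()))


if __name__ == "__main__":
    results = run_review()
    for user, f in results.items():
        print(f"{user:12} {f['action']:9} excess={f['excess']} elevated={f['elevated']}")
    print(summary(results))
```

On the constructed export, karen's leftover `erp.ledger.*` rights come out as `revoke` (creep, not escalation: nothing was attacked, rights simply accumulated), raj's admin rights are `certify` items for his manager, and svc-backup holding `ad.admin` is `escalate`, which is the service-account review gap the pitfalls list calls out. The `missing` field is kept separate so reviewers do not confuse an under-provisioned user with a security finding.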

5. Acronym/Term Reference Table

Term | Meaning | Exam Hook
--- | --- | ---
RBAC | Role-Based Access Control | Foundation for least privilege
ABAC | Attribute-Based Access Control | Context-driven access (risk-based IAM)
Privilege Creep | Gradual privilege accumulation | Common exam scenario
Excessive Privilege | Over-permissioned access | Violates least privilege
Account Review | Audit of privileges & access | Detects non-compliance

6. Advantages, Limitations, and Use Cases

Advantages:

  1. Maintains least privilege alignment.
  2. Reduces insider threat exposure.
  3. Enables audit compliance and visibility.

Limitations:

  1. Manual reviews can be time-consuming.
  2. Poorly designed roles can overlap permissions.
  3. Automation without oversight may miss exceptions.

Use Cases:

  1. Creating a new e-commerce dev/admin role.
  2. Automating 30-day inactive account disabling.
  3. Reviewing admin group memberships quarterly.

7. Security Concerns, Risks & Threats

  • Privilege creep → unauthorized access expansion.
  • Excessive privilege → lateral movement risk.
  • Dormant accounts → compromise vector.
  • Service account misuse → persistence for attackers.
  • Weak review frequency → compliance violation.

(STRIDE mapping: Elevation of Privilege, Tampering, Information Disclosure)


8. Security Controls & Best Practices

People:

  • Role owners define privileges and validate changes.
  • Train managers to approve only justified privilege updates.

Process:

  • Role change = trigger for privilege review.
  • Quarterly access recertification.
  • Dual approval for admin privileges.

Technology:

  • Use RBAC/ABAC frameworks.
  • Automate reports of inactive accounts.
  • Privileged Access Management (PAM) tools for elevated accounts.

9. Key Standards/Protocols

  • NIST SP 800-53 AC-2 & AC-5: Account management & least privilege.
  • ISO 27001 A.9.2.5: Review of user access rights.
  • PCI DSS Req. 7.2: Restrict access based on need-to-know.

10. Technical & Everyday Examples

Technical:

  1. HR updates role → IAM tool updates group membership automatically.
  2. Quarterly PowerShell script disables inactive AD accounts.
  3. PAM audit reveals two service accounts with root privileges.

Everyday Analogies:

  1. Employee badge access restricted to their building after transfer.
  2. Netflix account—admins periodically review who still has access.

11. Real-World Tie-In

  • Failure: Ex-IT admin retained server rights after promotion → breach via old credentials.
  • Success: Hospital automated role reassignment during job transitions → reduced privilege creep by 80%.

12. Comparison Table

Aspect | Advantage | Limitation | Best Use
--- | --- | --- | ---
Role-Based | Structured, scalable | Rigid | Stable orgs
Attribute-Based | Context-aware | Complex | Dynamic orgs
Manual Review | Granular control | Human error | Small teams

13. Quick Visual/Diagram

[Role Definition]
      ↓
[Account Creation]
      ↓
[Privilege Adjustment]
      ↓
[Periodic Review]
      ↓
[Privilege Revocation]

14. Exam Mindset & Traps

  • BEST: Enforce least privilege via defined roles.
  • FIRST: Review privileges after role changes.
  • MOST: Automation enhances consistency.

Triage Move: Look for “privilege creep” keywords; pick “review and recertify access.”

Pitfalls:

  1. Ignoring service accounts in reviews.
  2. Granting temporary privileges permanently.
  3. Failing to remove old department rights after transfer.

15. Prevent → Detect → Respond

Prevent:

  • Enforce approval workflows for access changes.
  • Assign privileges by roles, not individuals.

Detect:

  • Use scripts/PAM to find dormant or privileged accounts.
  • Quarterly audit of high-risk roles.

Respond:

  • Remove redundant access promptly.
  • Document and report privilege violations.

16. Scenario-Based MCQ

Q: Karen transfers from Accounting to Sales but retains Accounting privileges. What has occurred?
A. Excessive privilege
B. Privilege creep
C. Role escalation
D. Authorization bypass

Answer: B. Privilege creep

  • A: Refers to over-permissioning in a single role.
  • B: Privileges accumulated over time.
  • C: Escalation implies attack vector.
  • D: Not applicable here.

17. Trapfinder

  1. “Excessive privilege” ≠ “privilege creep” (static vs gradual).
  2. “Disable” ≠ “delete” in reviews.
  3. “Service accounts” often overlooked—flag for review.

18. Governance, Roles & Responsibilities

  • Owner: Business unit (defines required access).
  • Custodian: IT/IAM admin (implements changes).
  • User: Employee (uses least privilege).
  • Auditor: Verifies periodic reviews completed.
  • Manager: Approves access modification requests.

19. Summary Table

Key Concept | Must-Know | Exam Angle
--- | --- | ---
Role Definition | Align job functions to privileges | Governance control
Account Maintenance | Manage privilege changes | Lifecycle continuity
Access Review | Detect privilege creep | Audit compliance

Likely Gaps if You Struggled:

  • Confusing privilege creep vs escalation.
  • Forgetting service/system account review.
  • Missing link between HR changes & IAM updates.

20. Cross-Links (See Also)

  • Provisioning & Onboarding – role assignment during creation.
  • Deprovisioning & Offboarding – access removal on exit.
  • PAM (Privileged Access Management) – control of elevated privileges.

21. Spaced Repetition Pack

Flashcards:
1️⃣ What triggers access review? → Role change or periodic audit.
2️⃣ What’s privilege creep? → Gradual privilege accumulation.
3️⃣ What principle counters excessive privilege? → Least privilege.
4️⃣ Which accounts need review most? → Privileged & service accounts.
5️⃣ What control detects dormant accounts? → Automated scripts.

Cloze Deletions:

  1. _______ defines job-based access rights.
  2. Privilege creep occurs when users _______ privileges over time.
  3. Quarterly _______ ensure compliance and least privilege.

Review cadence: 1-3-7-21-45 days.


22. Mnemonic / Lightning Recap

Mnemonic: “RMR – Role, Maintain, Review.”
30-sec Recap Script:
Roles define access → maintenance updates privileges → reviews remove excess.
Guard against privilege creep using least privilege + periodic audits.


23. Assumptions & Unknowns

  • Assumes RBAC/ABAC structure in place.
  • No vendor-specific IAM tools assumed.

24. Blog Seed (Outline)

Hook: “Privilege creep is the silent killer of least privilege.”
3 Big Ideas:

  1. Define roles before granting access.
  2. Automate reviews, but verify exceptions.
  3. Remove old privileges during transitions.

Mini Example: Karen’s transfer caused privilege creep; audit fixed it.
Visual Placeholder: “RMR Flow Diagram.”
CTA: “Schedule your next access review now.”


Summary

The condensed CISSP Fastlane “Exam Power Pack” below combines all three IAM Lifecycle stages (Provisioning → Maintenance → Deprovisioning).

Everything in it is drawn directly from the three Fastlane Sheets above, merged, cleaned, and optimized for Domain 5: Identity and Access Management (IAM).
Use this as your final exam-week quick sheet for “Managing the Identity and Access Provisioning Life Cycle.”


1️⃣ DOMAIN OBJECTIVE & WHY THIS MATTERS

Domain: D5 – Identity and Access Management (IAM)

Phase | Objective | Why for Exam | Why for Real-World
--- | --- | --- | ---
Provisioning & Onboarding | Establish verified identities, create accounts, grant least-privilege access | Core of access control fundamentals | Prevent orphaned/rogue accounts, ensure traceability
Role Definition & Maintenance | Adjust privileges as roles evolve; review accounts regularly | Tests least privilege, privilege creep, and review cycles | Prevent privilege buildup, maintain compliance
Deprovisioning & Offboarding | Disable, audit, and delete accounts on exit | Common scenario topic on insider threat & access termination | Protect data, avoid sabotage, recover assets & benefits

2️⃣ EXAM MINDSET & TRAPS

🔹 Decision Rules

  • BEST: Aligns with least privilege and policy-driven automation.
  • FIRST: Verify identity or remove access before changing privileges.
  • MOST: Choose automation for consistency and auditability.

🔹 Triage Moves (first 30 seconds)

  • Identify which lifecycle phase (joiner/mover/leaver).
  • Look for keywords: “role change,” “terminated,” “orphaned account.”
  • Pick the answer that ensures secure, auditable, and reversible control.

🔹 Common Pitfalls

Pitfall | Fix
--- | ---
Deleting before decrypting | Disable first, recover data, then delete
Confusing privilege creep with escalation | Creep = slow accumulation; escalation = attack
Forgetting HR–IT sync | Always trigger provisioning/deprovisioning from HR system
Assuming authentication = identity proofing | Identity verification happens before account creation
Ignoring service accounts in reviews | Include all non-human accounts in audits

3️⃣ EXAM IMPORTANCE

  • Appears in 3+ domains indirectly (IAM, Security Operations, Governance).
  • High scenario frequency (5–7 questions): onboarding, transfers, or terminations.
  • Tests managerial reasoning, not command syntax — focus on process flow and accountability.
  • Top trick area: privilege creep & lifecycle timing (“disable vs delete”).

4️⃣ COMPARISON TABLE

Method/Phase | Advantage | Limitation | Best Use Case
--- | --- | --- | ---
Manual Provisioning | Flexible | Prone to error | Small orgs
Automated Provisioning | Fast, consistent, auditable | Tool complexity | Enterprise IAM
Role-Based (RBAC) | Enforces least privilege | Inflexible roles | Stable hierarchies
Attribute-Based (ABAC) | Context-aware access | Complex to manage | Dynamic environments
Disable → Review → Delete | Prevents data loss | Slight delay | Secure offboarding
Immediate Delete | Fast lockout | Risk of data loss | Temporary accounts

5️⃣ QUICK VISUAL / DIAGRAM

           [ HR Trigger ]
                 │
                 ▼
   ┌─────────────────────────────┐
   │ 1. Provisioning / Onboarding│
   │ - Verify ID, Create Account │
   │ - Assign Roles & MFA        │
   └─────────────┬───────────────┘
                 │
                 ▼
   ┌─────────────────────────────┐
   │ 2. Maintenance / Review     │
   │ - Adjust Privileges         │
   │ - Review Access Quarterly   │
   └─────────────┬──────────────┘
                 │
                 ▼
   ┌─────────────────────────────┐
   │ 3. Deprovisioning / Exit    │
   │ - Disable → Review → Delete │
   │ - Recover Data & Assets     │
   └─────────────────────────────┘
                 │
                 ▼
           [ Audit & Report ]

6️⃣ LIKELY GAPS IF YOU STRUGGLED

  1. Confused “disable vs delete” in offboarding scenarios.
  2. Missed privilege creep detection and mitigation process.
  3. Ignored HR → IAM automation flow as a trigger.
  4. Overlooked service & system accounts in reviews.
  5. Couldn’t map prevent–detect–respond to IAM phases.

7️⃣ CROSS-LINKS (SEE ALSO)

Topic | Why It Connects
Access Control Models (DAC/RBAC/ABAC) | Underpin role assignment and least privilege
PAM (Privileged Access Management) | Manages elevated rights and admin accounts
Key Management | Tied to encryption recovery during offboarding
Account Recertification | Part of periodic access review
Personnel Security (Domain 2) | HR process triggers IAM lifecycle

8️⃣ TRAPFINDER

Distractor | Tell (Clue) That Exposes It
“Access review = removal” | Review ≠ removal; only detects issues
“Provisioning tool = policy” | Tools enforce policy; they don’t create it
“Authentication = identification” | Identification comes before authentication
“Privilege escalation” for role change | Escalation = attack; role change = lifecycle
“Immediate deletion” after exit | Wrong if encryption/data recovery needed

9️⃣ SPACED REPETITION PACK

🔹 Flashcards

1️⃣ IAM Lifecycle = ? → Create, Maintain, Remove
2️⃣ Disable before delete — why? → Preserve data & audit trail
3️⃣ Privilege creep definition → Gradual privilege accumulation
4️⃣ HR’s IAM role → Trigger for provisioning & termination
5️⃣ Key control for least privilege → RBAC or ABAC models
6️⃣ Joiner–Mover–Leaver acronym → Full IAM lifecycle stages
7️⃣ What finds dormant accounts? → Automation scripts or audits
8️⃣ What’s offboarding’s main risk? → Active ex-employee accounts

🔹 Cloze Deletions

  1. Always _______ an account before deletion to preserve data.
  2. Privilege creep occurs when users _______ privileges over time.
  3. HR triggers _______ and _______ actions in the IAM system.
  4. Automated provisioning ensures _______ and reduces _______.
  5. IAM lifecycle begins with _______ and ends with _______.

🔹 Review Cadence

1–3–7–21–45 days.


🔟 MNEMONIC / 30-SEC LIGHTNING RECAP

🔠 Mnemonics (Phase-Wise):

  • Provisioning: CAMP → Create, Assign, Maintain, Purge.
  • Maintenance: RMR → Role, Maintain, Review.
  • Deprovisioning: DRD → Disable, Review, Delete.

⚡ 30-Second Recap Script:

“The IAM lifecycle runs from Hire to Retire.
Verify identity → assign least privilege → review access → disable and delete securely.
Automate with HR triggers and log every change for accountability.”


11️⃣ SUMMARY TABLE

Phase | Key Concept | Must-Know | Exam Angle
Provisioning & Onboarding | HR-IT Workflow, MFA, Role Assignment | Consistent, auditable creation | “Joiner” scenarios
Maintenance & Review | Role changes, Privilege creep, Access audits | Detects excessive privilege | “Mover” scenarios
Deprovisioning & Offboarding | Disable → Review → Delete | Prevents sabotage, preserves data | “Leaver” scenarios
Across All | Least privilege, Automation, Audit logs | Ensures full accountability | Common in governance items

Final Takeaway (One Line Memory Hook):

“Provision right, review tight, remove clean — IAM done right.”



The complete consolidated Acronym/Term Reference Table for the entire Identity and Access Provisioning Life Cycle (Provisioning → Maintenance → Deprovisioning) follows.

It merges and refines the acronym tables from the earlier Fastlane Sheets and is aligned with CISSP Domain 5: Identity and Access Management (IAM).


12️⃣ ACRONYM / TERM REFERENCE TABLE

Term / Acronym | Meaning / Description | Exam Hook / Key Insight
IAM | Identity and Access Management | Domain 5 foundation — lifecycle from creation to removal
JML | Joiner–Mover–Leaver | Describes full employee IAM lifecycle (onboard → transition → offboard)
RBAC | Role-Based Access Control | Simplifies provisioning through predefined job roles; enforces least privilege
ABAC | Attribute-Based Access Control | Grants access based on context (time, device, location) — dynamic control
DAC | Discretionary Access Control | Owner controls access — contrast with RBAC/ABAC; weak for enterprise IAM
MAC | Mandatory Access Control | Centralized access decisions — used in high-security/government systems
AUP | Acceptable Use Policy | Must be signed during onboarding — ensures user accountability
MFA / 2FA | Multi-Factor Authentication | Required at first login or role change; enhances assurance level
HRMS / HRIS | HR Management / Information System | Source of truth for provisioning and deprovisioning triggers
SCIM | System for Cross-domain Identity Management | Open standard for automating identity exchange between HR & IAM
SAML | Security Assertion Markup Language | Enables SSO and identity federation between systems
LDAP | Lightweight Directory Access Protocol | Backend for directory-based identity stores (e.g., AD)
PAM | Privileged Access Management | Monitors and controls admin/superuser credentials
SIEM | Security Information and Event Management | Detects anomalies, dormant accounts, or failed deprovisioning
KMS | Key Management System | Ensures encrypted data can be recovered during offboarding
Account Revocation | Account deletion | Removes all access — risk of data loss if encryption keys tied to account
Disabled Account | Temporarily inactive account | Used for review or recovery before permanent deletion
Privilege Creep | Gradual privilege accumulation | Common exam scenario — violates least privilege
Excessive Privilege | Over-permissioned access | Immediate least-privilege violation; often found in audits
Least Privilege | Minimum access needed for duties | Core IAM principle; referenced across multiple domains
Separation of Duties (SoD) | Split responsibilities to prevent fraud | Common governance control tied to role definition
Access Review / Recertification | Periodic access audit | Detects privilege creep, orphaned accounts, and policy violations
Orphaned Account | Account without an active owner | High-risk finding in IAM audits and exam scenarios
Encryption Key Escrow | Backup copy of encryption keys | Prevents data loss after account deletion
Nonpersistent Desktop | Virtual desktop lost on logout | Important for onboarding awareness — training issue
Privilege Escalation | Unauthorized increase in rights | Attack scenario — not same as privilege creep
Deprovisioning | Revoking access and reclaiming assets | Final IAM phase — “disable → review → delete”
Offboarding | HR + IT coordination for termination | Ensures accounts, data, and benefits closed properly
Access Governance | Central policy enforcement over IAM | Ensures consistent rules and auditability
Policy Enforcement Point (PEP) | IAM control enforcing decisions | Where access decisions are technically applied
Policy Decision Point (PDP) | Evaluates and approves access requests | ABAC-based IAM concept from XACML architecture
SSO | Single Sign-On | Reduces authentication friction but depends on centralized IAM security
XACML | eXtensible Access Control Markup Language | ABAC policy definition standard (used in PDP/PEP model)

🔹 Exam Tips

  • RBAC → Least Privilege
  • JML → Lifecycle Awareness
  • Privilege Creep → Mover Phase
  • Disable vs Delete → Leaver Phase
  • SAML / SCIM / LDAP → Automation & Federation

Memory Hook:

“RAPID IAM” — Roles, Access, Privileges, Identity, Deprovisioning — the 5 IAM anchors for the CISSP exam.




The comprehensive IAM Part 5 article on this topic is at Identity and Access Provisioning Lifecycle Explained: IAM Series (Part 5). Authorization mechanisms that govern what provisioned users can access are in Authorization Mechanisms Explained: IAM Series (Part 4). Access control monitoring after provisioning is in 14 CISSP: Controlling and Monitoring Access. The CISSP Domain 5 complete guide is at CISSP Domain 5: Identity and Access Management Complete Guide.

For official resources, visit (ISC)² CISSP Certification.
