mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 05:29:40 +03:00
efca3ec611
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions) based on subdomain and content analysis. Restores 11 skills corrupted during prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields. All 754 skills now carry structured mappings for all 5 security frameworks: - MITRE ATT&CK (in tags) - MITRE ATLAS v5.5 (atlas_techniques) - MITRE D3FEND v1.3 (d3fend_techniques) - NIST AI RMF 1.0 (nist_ai_rmf) - NIST CSF 2.0 (nist_csf)
141 lines
6.0 KiB
Markdown
141 lines
6.0 KiB
Markdown
---
|
|
name: performing-access-review-and-certification
|
|
description: Conduct systematic access reviews and certifications to ensure users have appropriate access rights aligned with
|
|
their roles. This skill covers review campaign design, reviewer selection, risk-based p
|
|
domain: cybersecurity
|
|
subdomain: identity-access-management
|
|
tags:
|
|
- iam
|
|
- identity
|
|
- access-control
|
|
- access-review
|
|
- certification
|
|
- compliance
|
|
- governance
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
nist_csf:
|
|
- PR.AA-01
|
|
- PR.AA-02
|
|
- PR.AA-05
|
|
- PR.AA-06
|
|
---
|
|
# Performing Access Review and Certification
|
|
|
|
## Overview
|
|
Conduct systematic access reviews and certifications to ensure users have appropriate access rights aligned with their roles. This skill covers review campaign design, reviewer selection, risk-based prioritization, micro-certification strategies, and remediation tracking for compliance with SOX, HIPAA, and PCI DSS requirements.
|
|
|
|
|
|
## When to Use
|
|
|
|
- When conducting security assessments that involve performing access review and certification
|
|
- When following incident response procedures for related security events
|
|
- When performing scheduled security testing or auditing activities
|
|
- When validating security controls through hands-on testing
|
|
|
|
## Prerequisites
|
|
|
|
- Familiarity with identity access management concepts and tools
|
|
- Access to a test or lab environment for safe execution
|
|
- Python 3.8+ with required dependencies installed
|
|
- Appropriate authorization for any testing activities
|
|
|
|
## Objectives
|
|
- Design and execute access review campaigns across enterprise applications
|
|
- Implement risk-based prioritization for review scope
|
|
- Configure reviewer selection (manager, application owner, hybrid)
|
|
- Automate entitlement data collection and presentation
|
|
- Track remediation of inappropriate access findings
|
|
- Generate compliance evidence for auditors
|
|
|
|
## Key Concepts
|
|
|
|
### Access Review Types
|
|
1. **User Access Review**: Manager certifies all entitlements for their direct reports
|
|
2. **Entitlement Review**: Application owner certifies all users with specific entitlement
|
|
3. **Role Review**: Role owner certifies role membership and permissions
|
|
4. **Privileged Access Review**: Security team reviews high-risk/privileged access
|
|
5. **SOD Review**: Verify no users have conflicting separation-of-duty violations
|
|
|
|
### Risk-Based Prioritization
|
|
- **High Risk**: Privileged access, financial systems, PII/PHI systems, external-facing apps
|
|
- **Medium Risk**: Internal business applications, shared drives, collaboration tools
|
|
- **Low Risk**: Standard employee tools, read-only access, public information systems
|
|
|
|
### Review Campaign Lifecycle
|
|
1. **Planning**: Define scope, reviewers, timeline, escalation
|
|
2. **Data Collection**: Aggregate entitlements from all identity sources
|
|
3. **Distribution**: Assign review items to appropriate certifiers
|
|
4. **Certification**: Reviewers approve or revoke each entitlement
|
|
5. **Remediation**: Revoke inappropriate access, enforce timeline
|
|
6. **Reporting**: Generate compliance evidence and metrics
|
|
7. **Closure**: Archive campaign, feed findings into next cycle
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Define Review Scope and Schedule
|
|
- Identify in-scope applications and systems
|
|
- Determine review frequency: quarterly (SOX), semi-annual, annual
|
|
- Define campaign timeline: review period, escalation dates, hard close
|
|
- Establish escalation chain for non-responsive reviewers
|
|
|
|
### Step 2: Data Collection and Aggregation
|
|
- Extract user-entitlement mappings from each application
|
|
- Correlate with HR data (active employees, role, department, manager)
|
|
- Identify terminated/transferred users still holding access
|
|
- Flag high-risk entitlements (admin, DBA, system, privileged)
|
|
- Calculate risk scores based on entitlement sensitivity and user role
|
|
|
|
### Step 3: Reviewer Assignment
|
|
- **Manager Reviews**: Direct manager certifies subordinate access
|
|
- **Application Owner Reviews**: App owner certifies all users of their application
|
|
- **Hybrid Model**: Manager reviews standard access, app owner reviews privileged
|
|
- **Delegate Management**: Allow reviewers to delegate with audit trail
|
|
|
|
### Step 4: Execute Certification Campaign
|
|
- Send notifications to reviewers with clear instructions
|
|
- Present entitlements with context (last used date, risk level, role justification)
|
|
- Require reviewers to explicitly approve or revoke each item
|
|
- Track completion percentage and send reminders
|
|
- Escalate to management after deadline
|
|
|
|
### Step 5: Remediation and Tracking
|
|
- Automatically ticket revocations to IT operations
|
|
- Set SLA for revocation execution (24-48 hours for high-risk)
|
|
- Verify revocation completed (re-check entitlement)
|
|
- Exception management for business-justified deviations
|
|
- Document all exceptions with expiration dates
|
|
|
|
### Step 6: Reporting and Evidence
|
|
- Generate campaign completion metrics
|
|
- Produce per-application compliance reports
|
|
- Create audit-ready evidence packages
|
|
- Track trends across review cycles
|
|
- Feed findings into risk assessment process
|
|
|
|
## Security Controls
|
|
| Control | NIST 800-53 | Description |
|
|
|---------|-------------|-------------|
|
|
| Access Review | AC-2(3) | Periodic review of account privileges |
|
|
| Account Management | AC-2 | Account lifecycle management |
|
|
| Least Privilege | AC-6 | Minimum necessary access enforcement |
|
|
| Separation of Duties | AC-5 | SOD conflict identification |
|
|
| Audit Logging | AU-6 | Review of access audit records |
|
|
|
|
## Common Pitfalls
|
|
- Rubber-stamping: reviewers approving all access without examination
|
|
- Incomplete scope: missing critical applications from review campaigns
|
|
- No remediation tracking: revoking access on paper but not in systems
|
|
- Inconsistent reviewer assignment causing gaps in coverage
|
|
- Not including service accounts and non-human identities
|
|
|
|
## Verification
|
|
- [ ] All in-scope applications included in campaign
|
|
- [ ] Reviewers assigned for 100% of entitlements
|
|
- [ ] Campaign completion rate exceeds 95%
|
|
- [ ] Revocations executed within SLA
|
|
- [ ] Audit evidence package complete and archived
|
|
- [ ] SOD violations identified and documented
|
|
- [ ] Exceptions documented with business justification and expiry
|