Identity and Access Management Assessment for Government Agency's MSSP partnership

Identity and Access Management Issues for Government Agency's MSSP Partnership

Paper topic: A government agency has hired you, “the information security consultant,” to perform an initial assessment (as a part of the due diligence) on a new initiative they are required to take on. This initiative will involve a strategic partnership with a Managed Security Services Provider (MSSP). The government agency will be outsourcing their security operations center (SOC) to the MSSP. The outsourced SOC will be responsible to manage all security incidents pertaining to the government agency and will be the first point of contact for all such incidents. The SOC also will also perform Identity and Access provisioning for the agency’s employees and as such will need privileged access to the agency’s critical access and data. As a part of the due diligence, the senior management is interested to know the following as it pertains to asset and access management: Discuss the identity and access management issues that might arise due to the nature of the above engagement. Discuss the role that asset and data classification will play in determining what information will the MSSP be allowed to access and how that determination is made. Discuss how you will ensure that the MSSP complies with the best practices around identity and access provisioning lifecycle. How will a determination be made as to what authorization mechanisms will be used for the MSSP users that access the agency’s assets/data? (RBAC, Rule-based, MAC, DAC). What considerations need to be discussed to prevent or mitigate access control attacks?