Identity Governance Flashcards
Test your understanding of the Identity Governance module. Click a card to flip it between question and answer. Use the arrows, keyboard (← →), or swipe on mobile to move through the deck.
What is Identity Governance?
The discipline of ensuring that the right people have the right access to the right resources — and that this access is properly controlled, reviewed, and auditable. It provides the accountability layer of IAM.
What are the four phases of the identity lifecycle?
Joiner (account creation, role assignment), Mover (role changes, transfers, promotions), Leaver (account deactivation, data handover), and Rehire (account restoration, entitlement review).
What is access certification?
Periodic reviews where managers and resource owners validate whether users still need their current access. Certification campaigns are the primary mechanism for detecting and remediating privilege creep.
What is Segregation of Duties (SoD)?
Policies that prevent any single individual from holding conflicting permissions that could enable fraud or abuse. SoD analysis detects toxic permission combinations across all of a user's roles and entitlements.
What is role mining?
The process of discovering natural role groupings from existing access data. Role mining analyses current user entitlements to identify patterns that can be used to design a role-based access control model.
What are the consequences of inadequate identity governance?
SOX violations, GDPR fines, insider fraud, data breaches, and the inability to answer the most basic audit question: "Who has access to what, and is that access appropriate?"
What is identity analytics?
Advanced analytics that detect anomalies in identity behaviour — dormant accounts, unusual access patterns, privilege escalation, and potential insider threats. Analytics transform IGA from reactive compliance into proactive security.
What is the relationship between IGA and GRC?
IGA is the governance pillar of GRC (Governance, Risk, and Compliance). It provides the data and controls that feed risk management (which access combinations create risk) and compliance (proving access is appropriately controlled).
What are the key capabilities of an IGA platform?
Identity lifecycle management, access certification campaigns, segregation of duties analysis, role management and mining, identity analytics, self-service access requests, compliance reporting, and policy enforcement.
What compliance frameworks require identity governance controls?
SOX (Section 404 — internal controls), GDPR (Article 5 — accountability), HIPAA (access control for ePHI), PCI DSS v4.0 (Requirement 7/9 — need-to-know and access review), ISO 27001 (A.9.2 — user access provisioning and review), and NIST SP 800-53 (AC-2 — account management).
What is self-service IAM in the context of governance?
Access requests, approval workflows, password management, and user experience features that allow users to request and manage their own access while maintaining governance controls through automated approval chains.
What is privilege creep and how is it detected?
Privilege creep is the gradual accumulation of excessive permissions over time as users change roles. It is detected through regular access certification campaigns and identity analytics that flag users with permissions exceeding their current role requirements.
Tip
Review any cards you got wrong by navigating to the corresponding module page for a deeper explanation.