Chapter 1 - Access Control Flashcards Preview


Flashcards in Chapter 1 - Access Control Deck (141)
1

Access Controls encompass all operational levels of an organization.

Facilities; Support Systems; Information Systems; and Personnel

2

C-I-A

Confidentiality, Integrity and Availability

3

Two Philosophies for Access Control

Allow by Default and Deny by Default

4

Defense in Depth Strategy

Applying multiple layers of security protection between an information resource and a potential attacker.

5

Three step process for determining access controls

1. Defining resources 2. Determining users 3. Specifying the users' use of the resources

6

Consistent Access Control Strategy

Simplicity is the key to an effective security system.

7

Separation of Duties

Primary objective is the prevention of fraud and errors: distributing tasks and associated privileges for a specific process among multiple people.

8

Processes

Collection of tasks that must be performed to achieve an objective.

9

Applicability of Separation of Duties

Sensitivity of the function under consideration; which elements within the function are prone to abuse, which are easily segmented, and what skills are available.

10

Least privilege

User is given no more access privilege than necessary to perform a job, task, or function.

11

Need to know

Defines the minimum needed to know to perform job function

12

Compartmentalization

Separating groups of people and information such that each group is isolated and information does not flow between groups.

13

Security domain

Area where common processes and security controls work to separate all entities involved in those processes from other entities or security domains.

14

Information Classification

Objective is to group an organization's information assets by levels of sensitivity and criticality.

15

Information Classification Program

1. Determine objectives 2. Establish organizational support 3. Develop policy and supporting procedures 4. Develop process flows and procedures 5. Develop tools to support 6. Identify process and application owners 7. Identify information owners and delegates 8. Distribute standard templates 9. Classify information and applications 10. Develop auditing procedures 11. Load classification information into a central repository 12. Train users 13. Periodically review and update information classifications

16

Access Control System Requirements

Reliability, Transparency, Scalability, Integrity, Maintainability, Authentication Data Security, and Auditability

17

Main Categories of Access Control

1. Directive - apply rules 2. Deterrent - discourage violations 3. Preventive - prevent incident 4. Compensating - mitigate risk 5. Detective - signal warning when breached 6. Corrective - remedy circumstance 7. Recovery - restore conditions

18

Access Control Types

1. Administrative Controls - define roles, responsibilities, policies, and administrative functions. 2. Logical (Technical) controls - electronic hardware and software solutions implemented to control access to information and information networks. 3. Physical Controls - protect physical environment - locks, gates, guards

19

Major Groups of Administrative Controls

1. Policies and Procedures 2. Personnel Security, evaluation and clearances 3. Security policies 4. Monitoring 5. User management 6. Privilege management

20

BCP/DRP

Business continuity plan/disaster recovery plan

21

RADIUS

Remote Authentication Dial In User Service

22

Major Groups of Logical Controls

1. Network Access 2. Remote Access 3. System Access 4. Application Access 5. Malware Control 6. Encryption

23

Discretionary Access Controls (DACS)

Controls placed on data by the owner of the data

24

Mandatory Access Controls (MACS)

Controls determined by the system and based primarily on organizational policy. Data needs to be labeled as to its classification. Access permissions are applied to an object based on the level of clearance given to a subject.

25

Nondiscretionary Access Control

Based on assignment of permissions as defined by the administrator of a system

26

Access Control Matrix

An access control list in the form of a table - showing what permissions a user has for various system objects.

27

Rule-based Access Control

Specifies the privileges granted to users (e.g., read, write) when the specific condition of a rule is met - e.g., the time at which a certain file can be accessed.

28

Role-based Access Control

Based on job function - objects associated with a role will inherit privileges assigned to that role

29

RBAC

Non-RBAC - users granted access; Limited RBAC - users mapped to roles within a single application; Hybrid RBAC - roles applied to multiple applications or systems, but with instances where subjects are assigned to roles defined within an application; Full RBAC - roles defined by organizational policy

30

Content Dependent Access Control

Based on content of data not roles