Chapter 12 - Access Management Flashcards
Access control
The mechanism used in an information system for granting or denying approval to use specific resources.
Authentication
Checking the delivery persons credentials to be sure that they are authentic and not fabricated.
Authorization
Granting permission to take an action.
Accounting
A record that is preserved of who accessed the network, what resources they accessed, and when they disconnected from the network.
Object
An object is a specific resource, such as a file of a hardware device.
Subject
A subject is a user of a process functioning on behalf of the user that attempts to access an object.
Operation
The action that is taken by the subject over the object is called an operation.
Access control model
A predefined framework found in hardware and software that a custodian can use for controlling access.
Discretionary access control (DAC)
The least restrictive access control model in which the owner of the object has total control over it.
Mandatory access control (MAC)
The most restrictive access control model, typically found in military settings in which security is of supreme importance.
Role-based access control (RBAC)
A “real-world” access control model in which access is based on a users job function within the organization.
Rule-Based Access Control
An access control model that can dynamically assign roles to subjects based on a set of rules defined by a custodian.
Attribute-Based Access Control (ABAC)
An access control model that uses more flexible policies that can combine attributes.
Employee onboarding
The tasks associated when hiring a new employee.
Employee offboarding
The tasks associated when an employee is released from the enterprise.
Location-based policies
Policies that establish geographical boundaries where a mobile device can and cannot be used.
Time-of-day restriction
Limitation imposed as to when a user can log in to a system or access resources.
Recertification
The process of periodically revalidating a users account, access control, and membership role or inclusion in a specific group.
Permission auditing and review
A review that is intended to examine the permissions that a user has been given to determine if each is still necessary.
Usage auditing and review
An audit process that looks at the applications that the user is provided, how frequently they are used, and how they are being used.
Separation of duties
The practice of requiring that processes should be divided between two or more individuals.
Job rotation
The act of moving individuals from one job responsibility to another.
Clean desk policy
A policy designed to ensure that all confidential or sensitive materials are removed from a users workspace and secured when the items are not in use or an employee leaves her workspace.
File system security
Security functions provided by access control lists (ACLs) for protecting files managed by the operating system.
