Access Control Concepts Flashcards

1
Q

Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures. NIST SP 1800-15B

A

Audit

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity.

A

Crime Prevention through Environmental Design (CPTED)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. Source: NIST SP 800-53 Rev 4

A

Defense in Depth

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be. NIST SP 800-192

A

Discretionary Access Control (DAC)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

To protect private information by putting it into a form that can only be read by people who have permission to do so.

A

Encrypt

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.

A

Firewalls

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service. NIST SP 800-32

A

Insider Threat

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

An operating system manufactured by Apple Inc. Used for mobile devices.

A

iOS

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth. 

A

Layered Defense

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

An operating system that is open source, making its source code legally available to end users.

A

Linux

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

A system irregularity that is identified when studying log entries which could represent events of interest for further surveillance.

A

Log Anomaly

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Collecting and storing user activities in a log, which is a record of the events occurring within an organization’s systems and networks. NIST SP 1800-25B.

A

Logging

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application or database. A logical access control system requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization. NIST SP 800-53 Rev.5.

A

Logical Access Control Systems

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.

A

Mandatory Access Control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time.

A

Mantrap

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See subject. Source: NIST SP 800-53 Rev 4

A

Object

17
Q

Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

A

Physical Access Controls

18
Q

The principle that users and programs should have only the minimum privileges necessary to complete their tasks. NIST SP 800-179

A

Principle of Least Privilege

19
Q

An information system account with approved authorizations of a privileged user. NIST SP 800-53 Rev. 4

A

Privileged Account

20
Q

A type of malicious software that locks the computer screen or files, thus preventing or limiting a user from accessing their system and data until money is paid.

A

Ransomware

21
Q

An access control system that sets up user permissions based on roles.

A

Role-based access control (RBAC)

22
Q

An instruction developed to allow or deny access to a system by comparing the validated identity of the subject to an access control list.

A

Rule

23
Q

The practice of ensuring that an organizational process cannot be completed by a single person; forces collusion as a means to reduce insider threats. Also commonly known as Separation of Duties.

A

Segregation of Duties

24
Q

Generally an individual, process or device causing information to flow among objects or change to the system state. Source: NIST SP800-53 R4

A

Subject

25
Q

The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.

A

Technical Controls

26
Q

A one-way spinning door or barrier that allows only one person at a time to enter a building or pass through an area.

A

Turnstile

27
Q

An operating system used in software development.

A

Unix

28
Q

The process of creating, maintaining and deactivating user identities on a system.

A

User Provisioning