Access Control Concepts Flashcards
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures. NIST SP 1800-15B
Audit
An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity.
Crime Prevention through Environmental Design (CPTED)
Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. Source: NIST SP 800-53 Rev 4
Defense in Depth
A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be. NIST SP 800-192
Discretionary Access Control (DAC)
To protect private information by putting it into a form that can only be read by people who have permission to do so.
Encrypt
Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.
Firewalls
An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service. NIST SP 800-32
Insider Threat
An operating system manufactured by Apple Inc. Used for mobile devices.
iOS
The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth.
Layered Defense
An operating system that is open source, making its source code legally available to end users.
Linux
A system irregularity that is identified when studying log entries which could represent events of interest for further surveillance.
Log Anomaly
Collecting and storing user activities in a log, which is a record of the events occurring within an organization’s systems and networks. NIST SP 1800-25B.
Logging
An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application or database. A logical access control system requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization. NIST SP 800-53 Rev.5.
Logical Access Control Systems
Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.
Mandatory Access Control
An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time.
Mantrap