Chapter 3: Access Control Concepts

Question 1

Audit

Answer 1

Independent review and examination of records and activities to assess the adequacy of system controls to ensure compliance with established policies and operational policies and operational procedures.

Question 2

CPTED

Answer 2

Crime Prevention through Environmental Design (CPTED) - An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity.

Question 3

Defense in Depth

Answer 3

Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.

Question 4

DAC

Answer 4

Discretionary Access Control (DAC) - A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be.

Question 5

Encrypt

Answer 5

To protect private information by putting it into a form that can only be read by people who have permission to do so.

Question 6

Firewalls

Answer 6

Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.

Question 7

Insider Threat

Answer 7

An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.

Question 8

Layered Defense

Answer 8

The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth. 

Question 9

Log Anomaly

Answer 9

Collecting and storing user activities in a log, which is a record of the events occurring within an organization’s systems and networks.

Question 10

Logical Access Control System

Answer 10

An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application or database. A logical access control system requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization.

Question 11

Mandatory Access Control

Answer 11

Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.

Question 12

Mantrap

Answer 12

An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time.

Question 13

Object

Answer 13

Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains.

Question 14

Physical Access Control

Answer 14

Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

Question 15

Principle if Least Privilege

Answer 15

The principle that users and programs should have only the minimum privileges necessary to complete their tasks.

Question 16

Privileged Account

Answer 16

An information system account with approved authorizations of a privileged user.

Question 17

RBAC

Answer 17

Role-Based Access Control
An access control system that sets up user permissions based on roles.

Question 18

Rule

Answer 18

An instruction developed to allow or deny access to a system by comparing the validated identity of the subject to an access control list.

Question 19

Segregation of Duties

Answer 19

The practice of ensuring that an organizational process cannot be completed by a single person; forces collusion as a means to reduce insider threats. Also commonly known as Separation of Duties.

Question 20

Subject

Answer 20

Generally an individual, process or device causing information to flow among objects or change to the system state.

Question 21

Technical Controls

Answer 21

The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.

Question 22

User Provisioning

Answer 22

The process of creating, maintaining and deactivating user identities on a system.

Question 23

Security Controls

Answer 23

Security controls are safeguards or countermeasures that an organization can employ to avoid, counteract or minimize security risks.

Question 24

System-specific Controls

Answer 24

System-specific controls are security controls that provide security capability for only one specific information system.

Question 25

Common controls

Answer 25

Common Controls are security controls that provide security capability for multiple information systems.

Question 26

Hybrid controls

Answer 26

Hybrid controls have characteristics of both system-specific and common controls.

Question 27

ABAC

Answer 27

ABAC is an access control model that controls access to objects using rules that are evaluated according to the attributes of the subject, relevant objects, and attributes of the environment and action.

Question 28

CPTED

Answer 28

Crime prevention through Environmental Design is a multidisciplinary approach to deterring criminal behavior through environmental design. It includes strategies such as improving lighting, landscaping, and building design to reduce opportunities for crime.

For example, improving lighting in dark areas such as sidewalks or parking lots can deter potential criminals who prefer to operate in the shadows.