Chapter 4: Identity and Access Management - Section A Flashcards
Introduction: Identification and authentication are important because they establish what?
User Accountability
Introduction: What is the first line of defense for most systems?
Identification and authentication
Introduction: Logical access can be implemented in a few ways (T or F)
False. It can be implemented in various ways
Introduction: Logical security is often determined based on what?
The job functions of the users
Introduction: The success of logical access controls is tied to what?
Strength of the authentication method
Introduction: What form does authorization usually take?
Signatures, either physical or electronic
Introduction: The strength of the ________ is proportional to the quality of the method used
Authentication
System Access Permission: System access permission is the prerogative to act on a computer resource (T or F)
True
System Access Permission: System access permission usually refers to an administrative privilege (T or F)
False. It usually refers to a technical privilege
System Access Permission: System access permission is established, managed, and controlled at the physical level but not the logical level (T or F)
False. It is established, managed, and controlled at both the physical and logical levels
System Access Permission: Logical system access controls are built into what, invoked by what, and incorporated into what?
Built into the operating system; invoked by access control software; incorporated into application programs
System Access Permission: Physical or logical system access to any computerized information should be on what basis?
Need to know/ least privilege
System Access Permission: What other considerations apply when granting access, and must be used by IS auditors when determining the criteria for defining permissions?
Accountability and traceability
System Access Permission: What are the four layers of logical security?
- Networks
- Platforms
- Databases
- Applications
System Access Permission: The four layers of security for system access provide what to information resources?
Greater scope and granularity of control
System Access Permission: Which layers of security are described here: pervasive general systems control over users authenticating into systems and over system software?
Network and platform layers
System Access Permission: Which layers of security are described here: they generally provide a greater degree of control over user activity within a particular business process by controlling access to records, specific data fields and transactions?
Database and application layers
System Access Permission: The information owner responsible for the information should provide what, and hand it to whom?
Written authorization for users; handed to the security administrator
System Access Permission: Which principles should the IS auditor take into account when determining access to systems?
Need to know, least privilege, SoD
System Access Permission: Who implements logical access capabilities?
The security administrator
System Access Permission: What must be done with access authorizations to ensure they remain valid?
They must be evaluated regularly
System Access Permission: Personnel and departmental changes, malicious efforts, and just plain carelessness result in authentication creep (T or F)
False. They result in authorization creep (users accumulating access rights they no longer need)
System Access Permission: What is a good practice for avoiding authorization creep?
Integrating the review of access rights with human resources processes (hires, transfers, terminations)
System Access Permission: Non-employees with access to corporate IS resources should also be held responsible for security compliance and be accountable for security breaches, despite not being part of the organization (T or F)
True
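The two cards above (authorization creep and non-employee accounts) describe a review that is easy to automate: join the access-rights export against the HR roster and flag every entitlement whose holder has left, changed department, or whose contract has ended. The script below is an added example, not part of the flashcards or of any product; the CSV rows are constructed for the example and the column names (user, entitlement, owning_dept; user, status, department, employment, end_date) are assumptions about what an export and an HR feed might contain.

```python
"""Reviewing access rights against the HR roster to detect authorization creep.

Added example, not from the source flashcards. All data below is constructed;
column names are assumptions about a typical access export and HR feed.
"""
import csv
import io
from datetime import date

# Constructed access-rights export: who holds which entitlement, and which
# department owns (is accountable for) that entitlement.
ACCESS_EXPORT = """user,entitlement,owning_dept
alice,ERP_GL_POST,finance
bob,ERP_GL_POST,finance
carol,HR_PAYROLL_VIEW,hr
dave,ERP_GL_POST,finance
erin,NET_VPN_FULL,it
"""

# Constructed HR roster. Note: dave has no HR record at all, carol is terminated,
# bob transferred to sales, and erin is a contractor whose engagement has ended.
HR_ROSTER = """user,status,department,employment,end_date
alice,active,finance,employee,
bob,active,sales,employee,
carol,terminated,hr,employee,2024-02-29
erin,active,it,contractor,2024-01-15
"""


def load(csv_text):
    """Parse an inline CSV document into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_access(access_rows, hr_rows, today):
    """Return one finding per entitlement that no longer matches the HR picture.

    Reason codes:
      orphaned        - holder has no HR record (no sponsor / unknown account)
      terminated      - holder is no longer active in HR
      contract_ended  - non-employee whose end_date has passed
      transferred     - holder's department differs from the owning department
    """
    hr = {row["user"]: row for row in hr_rows}
    findings = []
    for row in access_rows:
        person = hr.get(row["user"])
        reason = None
        if person is None:
            reason = "orphaned"
        elif person["status"] != "active":
            reason = "terminated"
        elif (person["employment"] != "employee" and person["end_date"]
              and date.fromisoformat(person["end_date"]) < today):
            reason = "contract_ended"
        elif person["department"] != row["owning_dept"]:
            reason = "transferred"
        if reason:
            findings.append({"user": row["user"],
                             "entitlement": row["entitlement"],
                             "reason": reason})
    return findings


def run_review(today=date(2024, 3, 1)):
    """Run the review over the constructed data; returns findings keyed by user."""
    findings = review_access(load(ACCESS_EXPORT), load(HR_ROSTER), today)
    return {f["user"]: f["reason"] for f in findings}


if __name__ == "__main__":
    for user, reason in sorted(run_review().items()):
        print(f"{user:6} {reason}")
```

The review date is passed in rather than read from the clock so the same input always produces the same findings, which matters when the output is kept as audit evidence. Each finding carries the entitlement, not just the user, so the owning department can be asked to re-approve or revoke it.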
Mandatory and Discretionary Access Controls: Which controls are logical access control filters used to validate access credentials that cannot be controlled or modified by normal users or data owners?
Mandatory access controls (MAC)
Mandatory and Discretionary Access Controls: MAC acts by default (T or F)
True
Mandatory and Discretionary Access Controls: Which controls may be configured or modified by the users or data owners?
Discretionary access controls (DAC)
Mandatory and Discretionary Access Controls: MACs allow management to change the category of a resource (T or F)
False. Only administrators can change the category of a resource
Mandatory and Discretionary Access Controls: MACs are extremely prohibitive in nature; both explicitly and implicitly permitted accesses are allowed (T or F)
False. Only explicitly permitted accesses are allowed; everything else is denied
Mandatory and Discretionary Access Controls: DACs cannot override MACs even if the owner allows the access (T or F)
True. DACs can never override MACs
Mandatory and Discretionary Access Controls: MACs are a good choice to enforce a middle level of critical security without possible exception, if this is required by corporate security policies or other security rules (T or F)
False. MACs are a good choice to enforce a ground level of critical security without possible exception
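The MAC/DAC cards above fit together into one decision rule: an access is granted only when the mandatory filter explicitly permits it and the discretionary list also permits it, so an owner's DAC grant can never open a resource that MAC denies, and only an administrator can move a resource between categories. The model below is an added example written for these flashcards, not code from the source or from any operating system; the category names, subjects and the simple "clearance set" form of the mandatory rule are constructed assumptions.

```python
"""Toy model of mandatory (MAC) plus discretionary (DAC) access control.

Added illustration for the flashcards, not from the source. Rules modelled:
  - MAC is default-deny: only categories explicitly in a subject's clearance
    set are permitted.
  - Owners may edit the DAC list; only administrators may change a resource's
    MAC category.
  - DAC is evaluated only after MAC permits, so DAC never overrides MAC.
Categories, subjects and resource names below are constructed.
"""
from dataclasses import dataclass, field

ADMIN_ROLE = "administrator"


@dataclass
class Resource:
    name: str
    owner: str
    category: str                               # MAC label (constructed: public/internal/confidential)
    dac_acl: set = field(default_factory=set)   # discretionary list, owner-managed


@dataclass(frozen=True)
class Subject:
    name: str
    clearances: frozenset   # categories this subject is explicitly cleared for
    role: str = "user"


class AccessControl:
    def mac_permits(self, subject, resource):
        # Explicit permit only; an unlisted category is denied by default.
        return resource.category in subject.clearances

    def dac_permits(self, subject, resource):
        # Owner always has discretionary access; others need an ACL entry.
        return subject.name == resource.owner or subject.name in resource.dac_acl

    def check(self, subject, resource):
        # MAC first; DAC is consulted only if MAC already permits.
        return self.mac_permits(subject, resource) and self.dac_permits(subject, resource)

    def grant_dac(self, actor, resource, grantee):
        # Discretionary: the owner (or an administrator) may add entries.
        if actor.name != resource.owner and actor.role != ADMIN_ROLE:
            raise PermissionError(f"{actor.name} does not own {resource.name}")
        resource.dac_acl.add(grantee.name)

    def set_category(self, actor, resource, category):
        # Mandatory: only administrators change categories, owners included.
        if actor.role != ADMIN_ROLE:
            raise PermissionError(f"{actor.name} is not an administrator")
        resource.category = category


def demo():
    """Walk through the cards' claims and return the observed outcomes."""
    ac = AccessControl()
    admin = Subject("admin", frozenset({"public", "internal", "confidential"}), role=ADMIN_ROLE)
    alice = Subject("alice", frozenset({"public", "internal", "confidential"}))
    bob = Subject("bob", frozenset({"public", "internal"}))      # not cleared for confidential
    nobody = Subject("nobody", frozenset())                       # no clearances at all
    report = Resource("q3_report", owner="alice", category="confidential")

    out = {}
    out["owner_reads_own"] = ac.check(alice, report)              # True
    out["bob_before_grant"] = ac.check(bob, report)               # False: MAC denies
    ac.grant_dac(alice, report, bob)                              # owner grants DAC
    out["bob_after_dac_grant"] = ac.check(bob, report)            # still False: DAC cannot override MAC
    try:
        ac.set_category(alice, report, "internal")                # owner tries to recategorize
        out["owner_changed_category"] = True
    except PermissionError:
        out["owner_changed_category"] = False
    ac.set_category(admin, report, "internal")                    # administrator recategorizes
    out["bob_after_admin_recategorize"] = ac.check(bob, report)   # True: MAC now permits, DAC entry exists
    out["uncleared_denied"] = ac.check(nobody, report)            # False: default deny
    return out


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step:30} {allowed}")
```

The ordering in `check` is the whole point: a real system with a mandatory layer (SELinux, Windows mandatory integrity levels, classification-labelled databases) evaluates the label rule independently of any ACL the owner controls, which is why the cards say DAC can never override MAC.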
Logical Access: What are the primary means used to manage and protect information assets?
Logical access controls
Logical Access: Logical access controls substantiate what?
The management-designed policies and procedures
Logical Access Exposures: Technical exposures exist because of what?
Accidental or intentional exploitation of logical access control weaknesses
Logical Access: What should the IS auditor analyze?
The effectiveness of logical access controls in achieving information security objectives
Logical Access Exposures: Intentional exploitation might lead to?
Computer crime
Logical Access Exposures: All computer crimes exploit technical exposures (T or F)
False. Not all computer crimes exploit technical exposures
Logical Access Exposures: What are the unauthorized activities that interfere with normal processing called?
Technical exposures
Logical Access Exposures: Which exposure involves siphoning or leaking information out of the computer?
Data leakage
Logical Access Exposures: Data leakage may go undetected because it leaves the original copy in place (T or F)
True
Logical Access Exposures: Computer shutdown can be initiated online and via the internet (T or F)
True
Logical Access Exposures: Which individuals can initiate a shutdown process?
People who know a high-level logon ID
Logical Access Exposures: What is the limitation of relying on the high-level logon ID as a security measure against computer shutdown?
It is only effective if proper security access controls are in place to protect that ID
Familiarization With the Enterprise’s IT Environment: For IS auditors to effectively assess logical access controls within their organization, they first need to do what?
Gain a technical and organizational understanding of the organization’s IT environment
Familiarization With the Enterprise’s IT Environment: This understanding includes reviewing what?
Network, OS platform, database, and application security layers
Paths of Logical Access: Points of entry to an organization can be through multiple avenues (T or F)
True
Paths of Logical Access: What characterizes a direct path of access (mainframe environment)?
- The IS environment is under the direct control of the main system
- Users are locally known
- Access profiles are well defined
Paths of Logical Access: Direct access in a LAN environment is simpler than in a mainframe environment (T or F)
False. It is more complex
Paths of Logical Access: The resources in a LAN have similar access paths (T or F)
False. Different paths
Paths of Logical Access: What is the most common configuration?
A combination of direct, local, and remote access
Paths of Logical Access: What increases the complexity of access paths?
Intermediate devices
Paths of Logical Access: What are examples of access paths through common nodes?
Back-end and front-end interconnected networks
Paths of Logical Access: Which is used for untrusted networks, the front end or the back end?
Front end
Paths of Logical Access: Can front-end networks be internally based?
Yes
General points of entry: General points of entry control the access from what to what?
From the organization’s infrastructure to its information resources
General points of entry: Connectivity in this environment needs to be controlled through a smaller set of ______ (servers), which enable a user to obtain access to specific ______ (e.g., application servers and databases)
Primary domain controllers; secondary points of entry
General points of entry: This approach is based on what model?
The client-server model
General points of entry: What are examples of network management devices?
Firewalls and routers
General points of entry: What is linking a PC to an organization’s network infrastructure called?
Network connectivity
General points of entry: At a minimum, what does access to a segment of an organization’s network infrastructure require?
Identification and authentication to a domain controlling server
General points of entry: In remote access, complete access to view all network resources usually requires what?
A virtual private network (VPN)
General points of entry: Remote access points of entry can be extensive and should be what?
Centrally controlled
General points of entry: The organization should know all the points of entry into its information resource infrastructure (T or F)
True
General points of entry: What should IS auditors do regarding points of entry?
- Determine whether all points of entry have been identified
- Support management in identifying all access paths