Chapter 4: Identity and Access Management - Section B Flashcards

1
Q

Access Control Software Introduction: What is the purpose of access control software?

A

Its purpose is to prevent unauthorized access and modification to organization data and unauthorized use of system-critical functions.

2
Q

Access Control Software Introduction: To achieve the goal, it is necessary to apply access controls across critical layers of the IS architecture (T or F)

A

False. All layers must have access controls

3
Q

Access Control Software Introduction: Which layers have the greatest degree of protection?

A

The Network and Platform/OS layers

4
Q

Access Control Software Introduction: What do you call the Network and Platform layers and why?

A

General Support Systems. They make up the infrastructure on which the database and application layers reside.

5
Q

Access Control Software Introduction: OS ACS is typically restricted to ____ ____, interfaces with ___ ____ ____ ___, and resides in ___ ____ ____ that manage and control external access to the organization’s networks

A

Privileged Users; network access control software; network layer devices

6
Q

Access Control Software Introduction: OS access control software interfaces with database and/or application access controls to protect system libraries and user data sets (T or F)

A

True.

7
Q

What are the access control functions of general operating and/or application systems?

A
  1. Create or change user profiles.
  2. Assign user identification and authentication.
  3. Apply user logon limitation rules.
  4. Ensure users’ access is commensurate with their job responsibilities.
  5. Ensure notification concerning proper use and access prior to initial login.
  6. Create individual accountability and auditability by logging user activities.
  7. Establish rules for access to specific information resources (e.g., system-level application resources and data).
  8. Log events.
  9. Reporting capabilities.
8
Q

What are the access control functions of database and/or application-level systems?

A
  1. Create or change data files and database profiles
  2. Verify user authorization at the application and transaction level
  3. Verify user authorization within the application
  4. Verify user authorization at the field level for changes within a database
  5. Verify subsystem authorization for the user at the file level
  6. Log database/data communications access activities for monitoring access violations
9
Q

General operation and application system access control: How do they create individual accountability and auditability?

A

By logging user activities

10
Q

General operation and application system access control: Ensure notification concerning proper use and access after the initial login (T or F)

A

False. Prior to initial login

11
Q

Database and/or application-level access control functions: Verifies user authorization at what levels?

A

Application and transaction level

12
Q

Database and/or application-level access control functions: Verifies authorization for changes within the database at what level?

A

Field level

13
Q

Database and/or application-level access control functions: Verifies subsystem authorization for the user at the ___ level

A

file

14
Q

Access Control Software Summary: What are the upper and lower layers?

A

Upper: Database and Application Layers
Lower: Network and Platform/OS Layers

15
Q

Access Control Software Summary: The lower layers are dependent on the upper layers (T or F)

A

False. The opposite is true: the upper layers depend on the lower layers to protect the general system resources.

16
Q

Access Control Software Summary: Upper layers provide _____ at the application level in segregating duties by function

A

granularity

17
Q

What is a critical building block of computer security because it is needed in all access control?

A

Identification and Authentication

18
Q

Identification and Authentication: How does it establish user accountability?

A

Links activities on a computer system to specific individuals.

19
Q

Identification and Authentication: Common vulnerabilities include:

A
  1. Weak authentication
  2. Simple passwords
  3. Potential to bypass authentication
  4. Lack of confidentiality and integrity for the stored authentication information
  5. Lack of encryption on authentication and protection of information transferred over a network
  6. Users’ lack of knowledge of the risks of sharing authentication elements
20
Q

Identification and Authentication: I&A differ with respect to:

A
  1. Meaning
  2. Method, Peripherals, and Techniques
  3. Attributes
  4. Requirements in terms of secrecy and management
21
Q

Identification and Authentication: How do I&A differ in attributes?

A

Authentication does not innately have any attributes related to it, while identity does.

22
Q

Identification and Authentication: How do I&A differ with respect to change?

A

Identities don’t normally change; authentication keys, on the other hand, are regularly changed to ensure reliability.

23
Q

Key Concepts of Identity Access Management: Name all the key concepts.

A
  1. Identity creation and access request
  2. Transfer Request
  3. Access Termination Request
  4. Password Communication
  5. Password Management
  6. Policy Administration
  7. Validation
  8. Reinstatement
  9. Authorization Subprocess
  10. SoD
  11. Log Management
  12. Privileged Access
  13. Dormant/ Orphan User Accounts
24
Q

Key Concepts of IAM: What are the identified gaps in identity creation and access request?

A
  1. Authorized approval not in place
  2. Privileged Access without analyzing the need
  3. Group Share Access
25
Q

Key Concepts of IAM: What are the identified gaps in transfer request?

A

Authorized approval not in place

26
Q

Key Concepts of IAM: What are the identified gaps in Access Termination Request?

A

User ID not revoked immediately after termination

27
Q

Key Concepts of IAM: What are the identified gaps in Password Communication?

A

Unsecured means to communicate password

28
Q

Key Concepts of IAM: What are the identified gaps in Password Management?

A
  1. Password parameters not followed
  2. Password Complexity not met
  3. Nonexistent password policies and standards
  4. Use of Shared Passwords
29
Q

Key Concepts of IAM: What are the identified gaps in Policy Administration?

A
  1. Lack of documented processes, policies and procedures
  2. Lack of timely process review
30
Q

Key Concepts of IAM: What are the identified gaps in Validation?

A

  1. Validation process not in place or not adhered to
  2. Timely action not taken for accounts that are not validated in the process

31
Q

Key Concepts of IAM: What are the identified gaps in Reinstatement?

A
  1. Reinstatement without valid authorization
32
Q

Key Concepts of IAM: What are the identified gaps in the Authorization subprocess?

A
  1. Access given without authorization
33
Q

Key Concepts of IAM: What are the identified gaps in SoD?

A
  1. Lack of SoD
34
Q

Key Concepts of IAM: What are the identified gaps in Log Management?

A
  1. Lack of logging, auditing and reviewing of events
35
Q

Key Concepts of IAM: What are the identified gaps in Privileged Access?

A
  1. Access provided to users without validating the need for access
  2. Periodic revalidation process not in place
  3. Non-validated accounts are not terminated
36
Q

Key Concepts of IAM: What are the identified gaps in dormant user accounts?

A
  1. Owners and custodians not identified for user accounts
37
Q

In Key Concepts of IAM - Identity creation and access request: Who should authorize the access?

A

The user’s manager, resource owner or the security officer

38
Q

In Key Concepts of IAM - Identity creation and access request: Privileged access can be granted only after what?

A

two levels of approval

39
Q

In Key Concepts of IAM - Identity creation and access request: Privileged access can be granted after two levels of approval from whom?

A
  1. Reporting Manager
  2. Reporting Manager’s Manager / Application, Database or Server Owner
40
Q

In Key Concepts of IAM - Identity creation and access request: Group shared access must utilize what principle?

A

Least privilege

41
Q

In Key Concepts of IAM - Identity creation and access request: Group shared access must:

  1. ____________ on which the account can exist
  2. Ensure and _______ the list of users who would be sharing the account
  3. _________ should maintain and publish ____________ who have access to the account
  4. Validate the ____________ for shared accounts
  5. Passwords should be changed on a regular basis. The frequency should be defined in the ____________
  6. If it is found that someone obtains unauthorized access, the password must be __________
A
  1. Limit the servers
  2. Preapprove
  3. Account Owners; the list of users
  4. logging activities
  5. process document
  6. changed immediately
42
Q

In Key Concepts of IAM - Access termination request: The recommendation for this gap is to terminate access within a minimum and maximum of how many days?

A

Minimum: 1
Maximum: 5

43
Q

In Key Concepts of IAM - Password Communication: To solve insecure means of communication:

  1. Passwords can be communicated via ______ in _______
  2. Passwords must be stored in ______
A
  1. User email; encrypted format
  2. sealed envelope
44
Q

In Key Concepts of IAM - Password Management: To solve the gaps, one shall ensure:

  1. The password should be a ____ of ___ characters in length
  2. Password should contain a mix of ____ and ____ letters, _____ and ______
  3. Passwords should not be: ____; ____; ____; ____
  4. An encrypted ____ ___ should be maintained and should at minimum retain the last ___ passwords for each user ID
  5. Password changes should be enforced – ___ days for privileged access and __ days for regular access
  6. At minimum ___ consecutive unsuccessful attempts should lead to ____ suspension of the account until it is reset by the ____ _____
  7. A time out feature or screensaver should be enabled after __ minutes of inactivity
  8. Passwords must always be _____ when held in storage for any significant period of time or when transmitted over networks
  9. Each ___ __ should be uniquely identifiable, preferably to the _____
  10. The last ___ __ __ __ should be displayed for the user at the ___ ___ __
  11. At first login, a ___ ___ ___ should be enforced
  12. The password must be changed promptly when ___ is suspected
A
  1. Minimum; 8
  2. Lowercase; Uppercase; Numbers; Punctuation
  3. Words found in the dictionary; Personal Information; Related to the User ID, Common character sequences
  4. History File; 13
  5. 30;90
  6. 5; system administrator
  7. 15 minutes
  8. encrypted
  9. User ID; Username
  10. login date and time; time of login
  11. mandatory password change
  12. disclosure
45
Q

In Key Concepts of IAM - Policy Administration: How often should document review be done?

A

Preferably yearly

46
Q

In Key Concepts of IAM - Validation: Each user account should be reevaluated at a ___ ___, preferably every ___ months for normal users and ___ months for privileged user accounts

A

fixed-frequency; 6; 3

47
Q

In Key Concepts of IAM - Reinstatement: Lack of approvals/incorrect authorization requests should not be reinstated (T or F)

A

False. They should be.

48
Q

In Key Concepts of IAM - Authorization subprocess: Requests should be checked for valid granted approvals. Requests lacking approvals or with incorrect authorization should be ______ at the ___ ____ stage

A

blocked; access request

49
Q

In Key Concepts of IAM - SoD: __________ requests passing through the IAM process should be validated by ___ ___ checking. Requests that fail the SoD check should be blocked at the ___ ___ ___

A

All requests; SoD Policy; access request stage

50
Q

In Key Concepts of IAM - Privileged Access: ______ ____ must be in place.

Revalidation of privileged accounts must be conducted on a ____ basis.

At a minimum, non-validated accounts should be terminated/locked within ___ working day, or at most __ days.

A

documented processes; quarterly; 1; 5

51
Q

In Key Concepts of IAM - Dormant accounts: All accounts without an owner or custodian need to be identified and highlighted so that they can be what?

A

Assigned or removed