Domain 3 Flashcards
Access Control Concepts
Audit
Domain 3
independent review/examination of records/activities to assess the adequacy of system controls, to ensure compliance with established policies & operational procedures
review & assessment by an independent party of all documentation & system controls. verifies if the system follows set standards
CPTED
Architectural approach to the design of buildings & spaces which emphasizes passive features to reduce the likelihood of criminal activity
Crime Prevention Through Environmental Design
Style of architectural design that centers on purposefully guiding behavior with the specific goal of reducing potential crime. Aka “hostile architecture”. e.g. mantrap
Defense in Depth
Information security strategy integrating people, technology, & operations capabilities to establish variable barriers across multiple layers & missions of the organization
Cybersecurity concept of utilizing all of an organization’s resources to establish “multiple countermeasures in a layered or stepwise manner to achieve security objectives” (NISTIR 8183)
DAC
Access control is left to discretion of the object’s owner/authorized entity to determine which rights entities can have
Discretionary Access Control
The owner (or anyone with equal levels of authorization) can use their own judgement to define the access rights each subject has
Encrypt
protect private information by converting the data into a form that can only be read by those with permission
permission = those with the cipher to decrypt the information
disguising, obscuring, &/or converting classified information in a way that only permits authorized entities to access it
Firewalls
Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules
Can be software-only or “dedicated hardware”-software hybrid
network security system that restricts/filters internet traffic by selectively blocking/allowing data packets
Insider Threat
authorized entity who can cause harm through destruction, disclosure, modification of data &/or denial of service
when something with authorized access uses that access to cause harm to the system
iOS
operating system manufactured by Apple for mobile
Layered Defense
multiple controls arranged to provide several consecutive controls to protect an asset. “Defense in Depth”
Linux
open source OS
Log Anomaly
identified system irregularity in log entries
Logging
collecting/storing user activities in a log
Logical Access Control Systems
automated system that controls an individual’s ability to access one or more computer system resources. Requires validation of the individual’s identity
MAC
Mandatory Access Control. Access control system implemented at a system administrator level where the system itself manages access controls within security policies that cannot be adjusted for discretionary reasons (e.g. Government classification)
Mantrap
entrance to a building where people must pass through two sets of doors, with only one set being able to open at a time (creating a “box” that can trap anyone in-between the doors)
Object
passive information system-related entity that contains/receives information (devices, files, records, tables, processes, programs, domains). “Subject-Object” relationship.
Physical Access Controls
controls implemented through a tangible mechanism (e.g. walls, fences, guards, locks, etc)
Principle of Least Privilege
principle that users/programs should only have the minimum privileges necessary
Privileged Account
IS account with approved authorizations of a privileged user
Ransomware
malicious software that locks data/system from user until money is paid
RBAC
Role-Based Access Control. User permissions are set by roles, based on job duties, which determine the scope of the user’s authorizations. Most efficient for high rates of turnover while enforcing the concept of least privilege & reducing privilege creep
Rule
instruction developed to allow/deny access to a system by comparing a validated identity to an access control list
Segregation of Duties
ensuring organization processes cannot be completed by a single person. “Separation of Duties”
Subject
individual, process, or device causing information to flow among objects/change to the system state