Domain 3 Flashcards
What is Access Control?
The process of granting or denying specific requests to access information and information systems.
What is Authentication?
The process of verifying the identity of a user, system, or entity.
What is Authorization?
The process of determining what resources a user or system is allowed to access after authentication.
What is Accounting (or Auditing)?
The process of tracking user activities and system activities for security and compliance purposes.
What is Identification?
The process where a user claims an identity, typically using a username or ID.
What is Multi-Factor Authentication (MFA)?
Authentication using two or more different types of factors: something you know, have, or are.
What are the three common authentication factors?
Something you know (password), something you have (token), something you are (biometrics).
What is the Principle of Least Privilege?
A concept where users are granted only the access necessary to perform their job functions.
What is Separation of Duties?
A security practice where critical tasks are divided among multiple individuals to prevent fraud or error.
What is Single Sign-On (SSO)?
An authentication process that allows a user to access multiple applications with one set of login credentials.
What is an Access Control List (ACL)?
A list that defines permissions attached to an object, specifying who can access it and what operations they can perform.
What is Role-Based Access Control (RBAC)?
Access control based on a user’s role within an organization.
What is Mandatory Access Control (MAC)?
An access control system where access is based on security labels and classifications, and decisions are enforced by the system, not the user.
What is Discretionary Access Control (DAC)?
An access control model where the owner of the resource decides who has access.
What is Attribute-Based Access Control (ABAC)?
An access control model that grants access based on attributes (characteristics) of the user, resource, and environment.
What is a Biometric Authentication Factor?
An authentication method that uses unique physical characteristics, such as fingerprints or facial recognition.
What is a Token in authentication?
A physical or digital object that provides access to systems, typically generating a time-based or random access code.
What is Single-Factor Authentication?
Authentication that requires only one type of factor, such as a password.
What is Time-Based One-Time Password (TOTP)?
A temporary, time-limited code used for authentication, typically generated by an app or device.
What is Access Provisioning?
The process of creating, modifying, disabling, and deleting user accounts and permissions.
What is Account Management?
The management of user accounts throughout their lifecycle, ensuring appropriate access rights.
What is Credential Management?
Processes and technologies used to issue, manage, and revoke credentials such as passwords or certificates.
What is Privileged Account Management (PAM)?
Managing and monitoring accounts with elevated permissions to ensure security.
What is a Password Policy?
Rules that define how passwords must be created, used, and maintained to ensure strong security.
What is a Security Token Service (STS)?
A service that issues security tokens for user authentication and authorization in federated systems.
What is Context-Aware Access?
Access control decisions based on the context, such as location, device, or time of access.
What is Federation in access control?
A process that allows users to access multiple systems across different organizations using a single identity.
What is an Identity Provider (IdP)?
A service that creates, maintains, and manages identity information and provides authentication services.
What is Single Logout (SLO)?
A process where logging out of one application also logs you out of all linked applications.
What is the Principle of Need-to-Know?
Users should only have access to information necessary to perform their job duties.
What is an Access Control Policy?
A document that defines how access to systems and data is managed and who is authorized.
What is the main goal of access control?
To protect information and systems by ensuring only authorized individuals can access them.
What is Identity and Access Management (IAM)?
The framework of policies and technologies to ensure the right individuals access the right resources at the right times.
What is an example of something you have?
A smartcard or hardware security token.
What is an example of something you know?
A password or PIN.
What is an example of something you are?
A fingerprint or iris scan.
What is the advantage of Single Sign-On (SSO)?
It reduces password fatigue and improves user convenience while maintaining security.
What is an example of Role-Based Access Control (RBAC)?
A doctor automatically gaining access to patient records because of their job role.
What distinguishes Mandatory Access Control (MAC) from Discretionary Access Control (DAC)?
MAC enforces policies at the system level; DAC allows owners to set permissions.
What is an advantage of Attribute-Based Access Control (ABAC)?
More flexible and fine-grained access decisions based on user and environmental attributes.
Why is Multi-Factor Authentication (MFA) stronger than Single-Factor Authentication?
It requires different types of credentials, making unauthorized access harder.
Describe a possible risk of weak account management.
Former employees retaining access to systems and data after departure.
What is an example of context-aware access control?
Allowing access only during business hours from corporate devices.
What is an orphaned account?
An account that remains active after the employee has left the organization.
What is access recertification?
A periodic review process to confirm that users have appropriate access rights.
What is access revocation?
Removing a user’s access rights when they leave the organization or change roles.
What is step-up authentication?
Prompting a user for additional authentication when performing high-risk actions.
Why is it important to enforce strong password policies?
To make passwords harder to guess or crack, enhancing account security.
What is Just-in-Time (JIT) Access?
Granting temporary, time-limited access to resources only when needed.
How does privileged account management (PAM) reduce risk?
By tightly controlling and monitoring the use of administrative or elevated accounts.