Domain 5 Flashcards

1
Q

Access Control System

A

Means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems.

2
Q

Access Control Tokens

A

The system decides whether access is granted or denied based upon the validity of the token at the point where it is read, taking into account time, date, day, holiday or other conditions used to control validation.

3
Q

Accounting

A

Access control process which records information about all attempts by all identities to access any resources of the system. See also authentication, authorization.

4
Q

Attribute-based Access Control (ABAC)

A

This is an access control paradigm whereby access rights are granted to users with policies that combine attributes together.

5
Q

Authentication

A

Access control process that validates that the identity being claimed by a user or entity is known to the system, by comparing one or more factors of identification. Factors typically include something the user is, something they have and something they know (such as a fingerprint, a hardware security token and answers to challenge questions). Single-factor (SFA) authenticates with only one of these; multi-factor (MFA) uses two or more.

6
Q

Authorization

A

The process of defining the specific resources a user needs and determining the type of access to those resources the user may have.

7
Q

Crossover Error Rate (CER)

A

This is the point at which the false acceptance (or Type 2) error rate equals the false rejection (Type 1) error rate, for a given sensor used in a given system and context. This is only the optimal point of operation if the potential impacts of both types of errors are equivalent.

8
Q

Data Custodian, Custodian

A

The individual who manages permissions and access on a day-to-day basis based on instructions from the data owner. Responsible for protecting an asset that has value, while in the custodian’s possession.

9
Q

Data Owner/Data Controller

A

The individual or entity who is responsible for classifying, categorizing and permitting access to the data. The data owner is the one who is most familiar with the importance of the data to the business.

10
Q

Data Processor

A

Any entity, working on behalf or at the direction of the data controller, that processes personally identifiable information (PII).

11
Q

Discretionary Access Control (DAC)

A

Access control in which the system owner decides who gets access.

12
Q

Ethical Wall

A

The separation of information, assets or job functions to establish and enforce need-to-know boundaries or prevent conflict of interest situations from arising. The use of administrative, physical and/or logical controls to establish, maintain and monitor such separations. Also known as a compartment.

13
Q

False Acceptance Rate (FAR or Type 2)

A

Incorrectly authenticating a claimed identity as legitimate and recognized and granting access on that basis.

14
Q

False Rejection Rate (FRR or Type 1)

A

Incorrectly denying authentication to a legitimate identity and thus denying it access.

15
Q

Granularity of Controls

A

Level of abstraction or detail at which a security function can be configured or tuned for performance and sensitivity purposes.

16
Q

Identity as-a-Service (IDaaS)

A

Cloud-based services that broker IAM functions to target systems on customers’ premises and/or in the cloud.

17
Q

Identity Proofing

A

The process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, a credential or other special privilege is indeed who they claim to be and establishing a reliable relationship that can be trusted electronically between the individual and said credential for purposes of electronic authentication.

18
Q

Logical Access Control System

A

Automated systems that authorize or deny access to and use of an information system and its assets to an individual user, based on verification that the identity presented matches that which was previously approved.

19
Q

Mandatory Access Controls (MAC)

A

Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.

20
Q

Multi-factor Authentication (MFA)

A

Ensures that a user is who they claim to be. The more factors used to determine a person’s identity, the greater the trust of authenticity.

21
Q

Open Authorization (OAuth)

A

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

22
Q

Privilege Creep

A

The unnecessary accumulation of access privileges by a user, typically due to failing to remove privileges when they are no longer needed.

23
Q

Self-Service Identity Management

A

Elements of the identity management lifecycle and provisioning process, which the end user (the identity in question) can initiate or perform with little or no interaction or assistance from administrators. Examples include password resets, postal address updates or changes to challenge questions and answers.

24
Q

Single-Factor Authentication (SFA)

A

Involves the use of only one of the three available factors to carry out the authentication process being requested.

25
Q

Whaling Attack

A

Phishing attacks that attempt to trick highly placed officials or private individuals with sizable assets into authorizing large fund wire transfers to previously unknown entities.