User Access Controls

Question 1

What’s an Access Control List (ACL)?

Answer 1

A table of access rules for computers or systems and the user IDs or assets allowed to access them.

Question 2

What’s and Access Control Entry (ACE)?

Answer 2

A single record in an ACL.

Question 3

What’s a Discretionary Access Control List (DACL)?

Answer 3

A means of restricting access to objects based on the identity of subjects and/or groups to which they belong.

Question 4

What’s a Directory Management System?

Answer 4

The collection of software, hardware, and processes that store information about an enterprise, subscribers, or both, and makes that information available to users.

Question 5

What are some technology controls for Directory management?

Answer 5

• Access Control Entries (ACEs)
• Access Control Lists (ACLs)

Question 6

What are some process controls for Directory Management?

Answer 6

• Policies for setting permissions
• Understanding permission inheritance

Question 7

What’s the definition of Principle of Least Privilege?

Answer 7

Giving a user account only those privileges which are essential to perform its intended functions.

Question 8

What are some technology controls for Authorization?

Answer 8

• Identity and Access Management (IAM) applications
• Directory management
• Privileged account management tools
• “Approval before access” controls
• Logging and retention of approved data certification
• Identity management (system)
• Information flow enforcement
• Software licensing

Question 9

What are some process controls for Authorization?

Answer 9

• Onboarding and role changes
• Approval processes and workflows
• Designation of approvers and delegates
• Audit of entitlements
• Identity management (manual)

Question 10

What are some technology controls for Authentication and access?

Answer 10

• Identity and access management (IAM) tools
• Privileged account management (PAM) tools
• VPN access
• Password vault

Question 11

What are some process controls for Authentication and access?

Answer 11

• Access control governance, policies and procedures
• Authorization/access control matrix management
• User provisioning and de-provisioning policies and processes
• Regularly scheduled access audits
• Change approval boards and processes

Question 12

What are some technology controls for Privileged account management?

Answer 12

• Identity and access management (IAM) tools
• Privileged account management (PAM) tools
• VPN access
• Password vault

Question 13

What are some process controls for Privileged account management?

Answer 13

• Policies and procedures
• Authorization matrix management
• Change approval boards and processes

Question 14

What is “user access requirements”?

Answer 14

what is needed for secure, successful, and value-adding user access needs.

Question 15

What are some technology controls for System user?

Answer 15

• Enforced password criteria compliance
• Automated warnings, spam filters
• Anti-virus and anti-malware software
• Password vault/manager

Question 16

What are some process controls for System user?

Answer 16

• Policies and procedures related to employee behaviors
• Anti-reflective monitor screens
• Locking screens when leaving workstation
• Not writing down passwords
• Education campaigns
• Audits and spot checks