CISSP - Access Control - Course


What are the 6 things effective authorization depend on?

- The principle of least privilege
- The need-to-know principle
- Compartmentalization
- Use of security domains
- Correct identification of roles
- Separation of duties and responsibilities

What are the characteristics of access control?

- They help ensure the confidentiality, integrity, and availability of information.
- They specify which subjects can access which objects, and what actions those subjects may perform on them.

What does the use of security domains mean?

A security domain is a compartmentalized grouping that contains all of the objects that a subject may access. The domain is governed by a single security policy and set of trusts. Subjects and objects may be part of several security domains. These domains are structured hierarchically, so that domains with high privileges are protected from the lower-level domains, and subjects may only access objects in equal or lower domains.

What does acceptability refer to?

Acceptability refers to user acceptability of the system based on privacy and ease of use.

What is integrity?

Access control provides integrity of information, which ensures that information is complete, accurate, and protected from unauthorized modification.

The types of access controls can be grouped into three main categories what are they?

- Administrative
- Technical
- Physical

What is the need-to-know principle?

Building on the principle of least privilege is the need-to-know principle. It specifies that you should grant users access only to the information they need to fulfill their job or business requirements. Applying this principle minimizes the number of subjects with access to a specific resource and so reduces the risk of security breaches.

What is compartmentalization?

Compartmentalization is the process of separating specific groups, either physically or logically, to prevent information from flowing between the groups.
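The three ideas above (hierarchical security domains, compartmentalization, and need-to-know) combine naturally with an access control list into one access decision. The following is an added example, not part of the flashcard set: the domain names reuse the page's four classification categories, while the subjects, objects, compartment names, roles, and ACL entries are constructed for illustration.

```python
"""Hierarchical security domains plus need-to-know compartments and an ACL.

Added illustration, not part of the flashcard set. Domain names reuse the
page's four classification categories; the subjects, objects, compartment
names, roles and ACL entries below are constructed for this example.
"""
from dataclasses import dataclass

# Domains ordered from lowest to highest privilege. A subject in a higher
# domain may reach objects in equal or lower domains, never the reverse.
DOMAIN_LEVEL = {"public": 0, "internal use": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    role: str                  # role used for ACL lookups (least privilege)
    domain: str                # highest security domain the subject belongs to
    compartments: frozenset    # need-to-know compartments the subject is cleared for


@dataclass(frozen=True)
class Object:
    name: str
    domain: str
    compartments: frozenset    # compartments the object is filed under


def check_access(subject: Subject, obj: Object, action: str, acl: dict) -> tuple:
    """Return (allowed, reason) for `subject` performing `action` on `obj`.

    Three independent gates must all pass:
      1. security domain: the subject's domain is equal to or higher than the object's;
      2. compartmentalization / need-to-know: the subject holds every compartment
         the object is filed under;
      3. least privilege: the ACL grants this action to the subject's role.
    """
    if DOMAIN_LEVEL[subject.domain] < DOMAIN_LEVEL[obj.domain]:
        return False, "domain too low"
    missing = obj.compartments - subject.compartments
    if missing:
        return False, "missing compartment(s): " + ", ".join(sorted(missing))
    granted = acl.get(obj.name, {}).get(subject.role, frozenset())
    if action not in granted:
        return False, f"ACL does not grant '{action}' to role '{subject.role}'"
    return True, "allowed"


# Constructed sample subjects and objects.
SUBJECTS = {
    "alice": Subject("alice", "analyst", "restricted", frozenset({"payroll"})),
    "bob": Subject("bob", "user", "internal use", frozenset()),
    "carol": Subject("carol", "custodian", "restricted", frozenset({"payroll", "m&a"})),
}
OBJECTS = {
    "org_chart": Object("org_chart", "internal use", frozenset()),
    "payroll_db": Object("payroll_db", "confidential", frozenset({"payroll"})),
    "merger_memo": Object("merger_memo", "restricted", frozenset({"m&a"})),
}
# Constructed ACL: object -> role -> actions that role may perform on it.
ACL = {
    "org_chart": {"user": frozenset({"read"}), "analyst": frozenset({"read"})},
    "payroll_db": {"analyst": frozenset({"read"}), "custodian": frozenset({"backup"})},
    "merger_memo": {"custodian": frozenset({"backup"})},
}


def decide(subject_name: str, object_name: str, action: str) -> tuple:
    """Look up the named subject and object and run the full check."""
    return check_access(SUBJECTS[subject_name], OBJECTS[object_name], action, ACL)


if __name__ == "__main__":
    requests = [("bob", "org_chart", "read"), ("bob", "payroll_db", "read"),
                ("alice", "payroll_db", "read"), ("alice", "payroll_db", "write"),
                ("alice", "merger_memo", "read"), ("carol", "merger_memo", "backup")]
    for who, what, how in requests:
        print(f"{who:6} {how:7} {what:12} -> {decide(who, what, how)}")
```

Note that alice, although in the highest domain, is refused the merger memo because she lacks the "m&a" compartment: domain level alone is not need-to-know. The ACL gate is evaluated last so that the reason reported to the caller is the most restrictive control that failed.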

...

Computer controls prevent the theft of computer parts and removable storage devices, which in turn prevents the copying of confidential information. Cable sheaths also protect information from interference, crimping, and sniffing.

What is confidentiality?

Confidentiality of information ensures that information is protected from unauthorized access and disclosure. Access controls specify who can access the information and what actions can be performed after accessing it. Access controls, such as encryption and transmission protocols, provide confidentiality of information.

These are some of the technical access control technologies

- Controlled user interfaces
- Passwords
- Firewalls
- Routers that connect networks
- Antivirus software
- Access control lists
- Intrusion detection systems
- Smart cards
- Biometrics

...

Data backups help ensure that information remains accessible in case of subsystem failures or natural disasters.

administrative access control techniques include:

- Effective hiring practices.
- Effective termination practices.
- Classification of data based on its level of sensitivity.
- Supervision of employees and tracking of employee activities.
- Separation of duties, so that no single individual is solely responsible for a task.
- Rotation of duties, to limit the time for which individuals are assigned to a particular task, which in turn minimizes the potential for collusion.

What is enrollment time?

Enrollment time is the time taken to register biometric characteristics to be used as the basis for authentication

Information classification involves three critical activities , what are they?

- Establishing an information classification program.
- Labeling and marking media.
- Obtaining assurance that classification is occurring correctly.

What are the three key performance measures of a biometric authentication system?

- FRR - false rejection rate (legitimate users wrongly rejected)
- FAR - false acceptance rate (impostors wrongly accepted)
- CER - crossover error rate, the error rate at the point where FAR equals FRR
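FAR and FRR move in opposite directions as the matcher's acceptance threshold changes, and the CER is where the two curves cross. The following is an added example, not part of the flashcard set, that computes all three from constructed match scores; the score values, the "accept when score >= threshold" rule, and the step size of the sweep are assumptions for illustration.

```python
"""FAR, FRR and crossover error rate for a biometric matcher.

Added example, not part of the flashcard set. The match scores below are
constructed: a higher score means the live sample looks more like the
enrolled template. The matcher accepts when score >= threshold.
"""

# Constructed match scores (0..1). Genuine = legitimate user vs own template,
# impostor = someone else vs that template. Some overlap is deliberate.
GENUINE = [0.95, 0.90, 0.88, 0.84, 0.80, 0.77, 0.72, 0.68, 0.63, 0.58]
IMPOSTOR = [0.71, 0.66, 0.60, 0.55, 0.51, 0.48, 0.44, 0.40, 0.36, 0.30]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) at the given acceptance threshold.

    FAR (false acceptance rate, Type II error): impostor attempts accepted.
    FRR (false rejection rate, Type I error): genuine attempts rejected.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover(genuine, impostor, steps=100):
    """Sweep thresholds and return (threshold, CER).

    CER (crossover / equal error rate) is the error rate at the threshold
    where FAR and FRR are equal, i.e. where the two curves cross. With a
    finite sample they may never be exactly equal, so the threshold that
    minimises |FAR - FRR| is taken and CER is reported as their mean.
    A lower CER means a more accurate system.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:   # strict '<' keeps the lowest threshold on ties
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


def tradeoff_table(genuine, impostor, thresholds):
    """Rows of (threshold, FAR, FRR): raising the threshold lowers FAR but raises FRR."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in tradeoff_table(GENUINE, IMPOSTOR, [0.4, 0.5, 0.6, 0.7, 0.8]):
        print(f"threshold {t:.2f}  FAR {far:.2f}  FRR {frr:.2f}")
    print("CER at threshold %.2f: %.2f" % crossover(GENUINE, IMPOSTOR))
```

Which threshold to deploy is a policy decision, not the CER: a door to a data centre is tuned towards a low FAR (accept some false rejections), while a convenience login is tuned towards a low FRR. The CER is useful for comparing two systems on equal terms.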

List behavioral and physiological biometrics in order of quality, from highest to lowest.

- Iris scanning
- Retinal scanning
- Hand geometry
- Fingerprint verification
- Voice pattern recognition
- Facial scanning
- Signature dynamics
- Keyboard dynamics

What are characteristics of a successful information classification program?

It has a clear policy document. It has documented process flows and standardized templates. It has clear objectives and management support.

What do physical access controls include?

- Network and work-area segregation
- Perimeter and computer security controls
- Cable control
- Data backups

a sound infrastructure for an information classification program depends on what four key elements?

- Objectives.
- An executive manager.
- An information classification policy document.
- A process flow chart.

Which are examples of criteria that knowledge-based authentication methods may use to authenticate users?

- Passphrases.
- PINs.
- Passwords.

...

Personnel controls define what is expected of employees when using organizational resources and the consequences of noncompliance. They include the organizational hierarchy that defines whom employees report to and who is held responsible for employees' actions.

...

Policies and procedures define the high-level plan for implementing security, identifying unacceptable actions based on the level of risk an organization can accept.

Which are critical activities for ensuring effective information classification?

- Running periodic audits of policies, processes, and practices.
- Labeling media with classification levels.
- Developing a companywide program.

...

Security awareness training educates employees about the correct use of access controls, to minimize unintentional breaches of access control.

Effective authorization applies the need-to-know principle and the principles of compartmentalization and security domains. What else must you do to ensure secure authorization?

- Separate duties and responsibilities.
- Assign users the minimum privileges they require to do their jobs.
- Identify roles and the people filling them.

...

The periodic testing of access controls helps check their effectiveness in supporting the security policy of an organization.

What is the principle of least privilege?

The principle of least privilege dictates that you assign users the minimum set of privileges they require to do their jobs, according to their roles.

Which are examples of administrative access control techniques?

- The rotation of duties among employees.
- The definition of security policies and procedures, and the classification of data based on its sensitivity.
- Effective hiring and termination practices.

What does separation of duties and responsibilities mean?

The separation of duties and responsibilities ensures that no single individual is solely responsible for performing a set of transactions.
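Separation of duties is enforced in two places: statically, when roles are assigned, and dynamically, when a transaction is actually performed (which also catches problems that rotation of duties or a role change can introduce after the static check passed). The following is an added example, not part of the flashcard set; the conflicting role pairs, the user/role assignments, and the transaction log are all constructed for illustration.

```python
"""Separation-of-duties checks: static (role assignments) and dynamic (transaction log).

Added example, not part of the flashcard set. The conflicting role pairs,
the user/role assignments and the transaction log below are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Pairs of roles that must never be held by, or exercised by, the same person
# within one set of transactions (constructed).
CONFLICTING_ROLES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_payment", "approve_payment"}),
    frozenset({"developer", "deploy_to_production"}),
}

# Constructed role assignments.
ROLE_ASSIGNMENTS = {
    "alice": {"create_vendor", "submit_payment"},
    "bob": {"approve_payment"},
    "carol": {"developer", "deploy_to_production"},
    "dave": {"developer"},
}

# Constructed transaction log: (transaction id, step performed, user).
TRANSACTION_LOG = [
    ("INV-1001", "submit_payment", "alice"),
    ("INV-1001", "approve_payment", "bob"),
    ("INV-1002", "submit_payment", "erin"),
    ("INV-1002", "approve_payment", "erin"),
    ("INV-1003", "create_vendor", "alice"),
    ("INV-1003", "approve_payment", "bob"),
]


def static_violations(assignments, conflicts):
    """Static SoD: users whose role set contains a conflicting pair.

    Returns {user: [sorted pair, ...]}. This catches the problem before any
    transaction happens, which is the cheapest place to catch it.
    """
    found = {}
    for user, roles in assignments.items():
        pairs = [tuple(sorted(pair)) for pair in conflicts if pair <= roles]
        if pairs:
            found[user] = sorted(pairs)
    return found


def dynamic_violations(log, conflicts):
    """Dynamic SoD: transactions in which one person performed two conflicting steps.

    Needed even when the static check passes, e.g. after a role change or a
    rotation of duties, because who actually did each step is what matters.
    Returns {transaction: [(user, sorted pair), ...]}.
    """
    steps_by_txn_user = defaultdict(set)
    for txn, step, user in log:
        steps_by_txn_user[(txn, user)].add(step)
    found = defaultdict(list)
    for (txn, user), steps in steps_by_txn_user.items():
        for a, b in combinations(sorted(steps), 2):
            if frozenset({a, b}) in conflicts:
                found[txn].append((user, (a, b)))
    return dict(found)


if __name__ == "__main__":
    print("static violations :", static_violations(ROLE_ASSIGNMENTS, CONFLICTING_ROLES))
    print("dynamic violations:", dynamic_violations(TRANSACTION_LOG, CONFLICTING_ROLES))
```

In the constructed data, carol fails the static check (developer plus production deployment), while erin is not in the role table at all and only shows up when the log is audited, which is why the periodic testing of controls listed later on this page includes reviewing actual activity, not just entitlements.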

what is throughput rate

Throughput rate is the rate at which a system identifies, authenticates, and processes users.

What is availability?

To perform tasks effectively, subjects need information and resources to be available promptly. Control mechanisms, such as fault tolerance and recovery, ensure the availability of resources.

what are the three types of authentication

- Type 1 - Something you know.
- Type 2 - Something you have.
- Type 3 - Something you are.

What does correct identification of roles refer to?

You need to know the roles of users, data owners, and custodians, and which subjects are assigned to these roles. Users are the subjects that require objects to perform tasks. Data owners classify data and determine the access controls needed for proper data handling. Custodians take care of data backups according to the instructions data owners provide.

...

Administrative controls include security policies and procedures, personnel controls, security awareness training, and periodic testing of controls.

What are the 3 security principles?

- Availability
- Integrity
- Confidentiality

What are examples of objects?

- Files
- Databases
- Computers
- Printers
- Storage devices

What do physical access control techniques include?

- Guards
- Fences
- Motion detectors
- Door and window locks
- Cable sheaths
- Computer locks
- Swipe cards and badges
- Guard dogs
- Video cameras
- Alarms

What do you have to do upon Employee termination?

If an employee leaves an organization, you need to disable the employee's account, change passwords for equipment the employee had access to, and manually remove the employee's access to system accounts.

What do you have to do upon Intrusion detection?

if information entering a system is detected as hostile, the access rights of the source of the information to the system must be dynamically revoked.

...

Network and work-area segregation enforces access controls on entry to and exit from the network or area. Additionally, perimeter security controls help protect individuals, facilities, and components within facilities.

what are some examples of useful categories for security?

- Public
- Internal use
- Confidential
- Restricted

What are examples of subjects?

Subjects are the active entities that request access: users, programs (processes), and computers. Files and databases are passive entities and are therefore objects, not subjects.

