Conducting a risk analysis
Defining who can access a given system or information
Performing a business impact analysis
Obtaining top management support
Access controls are a collection of technical controls that permit access to authorized users, systems, and applications.
Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved.
Access control is the employment of encryption solutions to protect authentication information during log-on.
Access controls help protect against vulnerabilities by controlling unauthorized access to systems and information by employees, partners, and customers.
Discretionary access control
Separation of duties
Rotation of duties
Detective, corrective, monitoring, logging, recovery, classification, and directive
Directive, deterrent, preventative, detective, corrective, compensating, and recovery
Authorization, identification, factor, corrective, privilege, detective, and directive
Identification, authentication, authorization, detective, corrective, recovery, and directive
Administrative, physical, and technical
Identification, authentication, and authorization
Mandatory, discretionary, and least privilege
Access, management, and monitoring
Rainbow table attack
Something you know
Something you have
Something you are
A combination of two listed above
Single point of failure
Asymmetric key compromise
Use of dynamic passwords
Limited lifetimes for authentication credentials
Need to know
Resistance to counterfeiting
Reliability and accuracy
Is unique to mandatory access control
Is independent of owner input
Is based on user job functions
Can be compromised by inheritance
Another name for access controls
A set of technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment
A set of technologies and processes focused on the provisioning and decommissioning of user credentials
A set of technologies and processes used to establish trust relationships with disparate systems
Consistent time-out enforcement across platforms
A compromised password exposes all authorized resources
Use of multiple passwords to remember
Password change control
Privileges associated with each system, service, or application, and the defined roles within the organization to which they are needed, should be identified and clearly documented.
Privileges should be managed based on least privilege. Only rights required to perform a job should be provided to a user, group, or role.
An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated.
Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function.