Flashcards about Access Control
What is Access Control?
Policy-driven control of access to systems, data, and dialogues.
What are the three functions of Access Control?
Authentication, Authorization, and Auditing.
What is Authentication in the context of Access Control?
Assessing the identity of each individual claiming to have permission to use a resource.
What is Authorization in the context of Access Control?
Specific permissions that an authenticated user should have, given their authenticated identity.
What is Auditing in the context of Access Control?
Collecting information about an individual’s activities in log files.
What is Two-Factor Authentication (2FA)?
A security process requiring two different authentication factors to verify users.
What is Multifactor Authentication (MFA)?
A login process requiring multiple methods of authentication from independent categories.
What is Individual Access Control?
Access control rules that apply to individual users and devices, defining specific permissions for each entity.
What is Role-based Access Control?
Defines common sets of permissions that are applied to entities with similar objectives and privileges.
What is Mandatory Access Control?
Departments cannot alter access control rules set by higher authorities.
What is Discretionary Access Control?
The department has discretion over giving access to individuals, within policy standards set by higher authorities.
What is Multilevel Security?
Rating documents by sensitivity level (public, sensitive but unclassified, secret, top secret).
What does ISO/IEC 9.1 (Secure Areas) concern?
Securing physical areas, including buildings, equipment rooms, and office areas.
What are the key controls in ISO/IEC 9.1 regarding physical security?
Securing the building physical perimeter, controlling entry points, and implementing physical entry controls.
What are the key considerations for public access, delivery, and loading areas under ISO/IEC 9.1?
Limit internal personnel's access to these areas, inspect incoming shipments, and keep outgoing shipments separate.
What are the key considerations for securing offices, rooms, and facilities under ISO/IEC 9.1?
Locate sensitive areas away from public access and control entry using locks or access cards.
What are the key considerations for protecting against external and environmental threats under ISO/IEC 9.1?
Locate hazardous materials away from sensitive areas and ensure adequate firefighting equipment.
What are the rules for working in a secure area according to ISO/IEC 9.1?
Implement special rules for people working in secure areas, and ensure areas are locked and checked periodically.
What are the key considerations for equipment siting and protection under ISO/IEC 9.2?
Place sensitive equipment in secure areas to minimize access and protect against environmental threats.
What supporting utilities should be considered under ISO/IEC 9.2?
Electricity, water, HVAC, uninterruptible power supply (UPS), and backup generator.
What are the key considerations for security during off-site equipment maintenance under ISO/IEC 9.2?
Maintain equipment according to specifications, and authorize off-site maintenance.
What are the key considerations for secure disposal or reuse of equipment under ISO/IEC 9.2?
Ensure sensitive data is removed before disposal, and property removal is properly authorized.
What is a reusable password?
A password that is used for weeks or months at a time.
What is a one-time password?
A password that is used only once.
What are important password policies?
Not using the same password at multiple sites, password duration policies, and policies prohibiting shared accounts.
What constitutes a strong password?
At least eight characters long, with mixed case, digits, and non-alphanumeric characters.
Why must all passwords be stored using a secure hashing algorithm and regularly tested?
To ensure they cannot be easily cracked.