19 Cards in this Set

  • Front
  • Back
What is the Information Security Triad?
Confidentiality - prevents unauthorized disclosure of sensitive data.
Integrity - guarantees that data and resources are accurate and reliable.
Availability - the timely and reliable access to data and resources by authorized users.
What is access control?
Access control is a security mechanism that prevents unauthorized access to facilities, systems, network resources, and information.

KEY: Access is usually applied based on a user's position/job or a list of rules defining access privileges
What are the Access Control goals?
Controlling access to data and systems prevents unauthorized users from viewing, modifying, or deleting information. It also prevents authorized users from accidentally modifying or deleting data from a computer network.
What is Separation of Duties?
It refers to Access Control and dividing tasks between different people to complete a business process. This helps prevent fraud and unauthorized access to data. Example: one person enters payroll and another prints the checks.
What are the three categories of Access Control?
Administrative Controls - policies, procedures, security awareness training, background investigations

Physical Controls - Includes perimeter security, network separation, data backups, computer controls, lock boxes

Technical Controls - Antivirus software, encryption, transmission protocols, network architecture, passwords, intrusion detection and network access
List the Access Control Types
Preventive - prevent destruction of property, information and resources
Detective - identify and react to security violations
Corrective - used to restore systems that are attacked
Deterrent - implemented to discourage violations of security
Recovery - used to restore capabilities and resources
Compensation - established to provide alternatives to other controls
What is Mandatory Access Control?
MAC is a model that bases access decisions on rules and security labels, which consist of a classification and a category. MAC is used in areas such as military organizations. In MAC a user's security clearance must match the data's security label or access is denied.
What is Rule Based?
Refers to MAC. A rule based model is an access control model in which rules determine an individual's ability to access data and systems. The admin sets the rules and users cannot modify them.
What is a Security Label?
Refers to MAC. It consists of a classification and a category. In the military, "top secret" or "confidential" is a label. It enforces a "need to know" rule: users must also have a 'need to know' for the task they are performing in order to access secret data.
What is Discretionary Access Control?
DAC is a model that bases access decisions on who owns the data. Resource owners specify the levels of access users are given. This may use an ACL (Access Control List) that specifies which users have what privileges. An Access Control Matrix is a tabular display of the access held by users to an object.
What is ACL?
Refers to DAC. An Access Control List specifies which users have what privileges to a resource. It is bound to an object. This is a basic level of network security. Many OSes, applications, and routers use ACLs.
What is Access Control Matrix?
Refers to DAC. It displays the access held by users to an object. Each entry displayed in columns and rows represents the type of access. It is a precise way to illustrate users who are permitted to access data.
What are permissions?
Refers to DAC. Permissions are also referred to as rights. Users are granted read, write and execute permissions to files or folders.
What is Non-Discretionary Access?
It is a model that bases access decisions on a user's position and job function. It requires the definition of common attributes for each position and the access level. Includes Role Based and Capability Tables.
What is Role Based?
Refers to Non-Discretionary Access Control. It is an access control model in which job roles determine a person's access to data/systems. Also referred to as RBAC. Easy to maintain and manage for companies with high turnover.
What is Capability Table?
Refers to Non-Discretionary Access Control. It contains references to a subject and displays what objects that subject can access. It is presented in columns and rows that display individual ACLs.
What does Control Data Access do?
It provides authorized access to those who need it, when they need it, while protecting your organization's information resources
What guidelines should you follow to control data access for your organization?
Availability requirements - assess accuracy requirements and determine physical, technical and administrative constraints

Integrity requirements - prevent modification by unauthorized users, prevent unintentional modification, preserve internal/external data consistency

Confidentiality requirements - is the information sensitive? What degree of sensitivity?
What weight is applied to data confidentiality, integrity and availability?
It will vary depending on the organization's security policy and the type of data requiring protection.