Computer Security Chapter 4 Access Control Definitions Quiz


10 Questions

What principle should be employed to reduce the risk of malevolent activity without collusion?

Principle of separation of duties

What function should non-privileged accounts or roles be used for?

Accessing non-security functions

What is the purpose of limiting unsuccessful logon attempts?

Preventing unauthorized access

What is the purpose of encrypting CUI on mobile devices?

Protecting sensitive information

Which cryptographic mechanisms should be employed to protect the confidentiality of remote access sessions?

Session encryption such as TLS or IPsec

What does NISTIR 7298 define access control as?

The process of granting or denying specific requests to obtain and use information and related information processing services

According to RFC 4949, what does access control regulate?

Use of system resources according to a security policy

According to SP 800-171, what is one of the basic security requirements for access control?

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices

What is the main focus of access control according to NISTIR 7298?

Limiting access to authorized users only

According to RFC 4949, who are the authorized entities for using system resources?

Authorized users, programs, processes, and other systems

Study Notes

Reducing Malevolent Activity

  • Principle of separation of duties should be employed to reduce the risk of malevolent activity without collusion.

Account Usage

  • Non-privileged accounts or roles should be used when accessing nonsecurity functions (routine, daily tasks); a privileged account is used only when a security function requires it, so that a compromised everyday session does not carry administrative rights.

Logon Attempts

  • Limiting unsuccessful logon attempts (for example, locking the account or delaying further attempts after a set number of failures within a time window) blunts brute-force password guessing and reduces the risk of unauthorized access.
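As an added example (not code from the textbook or the quiz), the following Python implements the logon-attempt limit described above: failed attempts are counted in a sliding window, the account is locked for a fixed period once the threshold is reached, and the lockout is checked before the password is verified. The policy values, the credential store and the test account are assumptions made for the demonstration.

```python
"""Limiting unsuccessful logon attempts with a sliding window and temporary lockout."""
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass, field

# Assumed lockout policy; illustrative values, not numbers from the textbook.
MAX_FAILURES = 5            # failures allowed ...
WINDOW_SECONDS = 15 * 60    # ... within this sliding window ...
LOCKOUT_SECONDS = 15 * 60   # ... before the account is locked for this long

PBKDF2_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256 (a slow hash, so guessing is costly)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_creds(plain: dict) -> dict:
    """Build a constructed credential store: username -> (random salt, verifier)."""
    creds = {}
    for user, password in plain.items():
        salt = os.urandom(16)
        creds[user] = (salt, _hash(password, salt))
    return creds


@dataclass
class _Account:
    failures: deque = field(default_factory=deque)  # timestamps of recent failed attempts
    locked_until: float = 0.0                       # time at which a lockout expires


class LogonLimiter:
    """Tracks failed logons per account and enforces a temporary lockout."""

    def __init__(self) -> None:
        self._accounts: dict = {}

    def _acct(self, user: str) -> _Account:
        return self._accounts.setdefault(user, _Account())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._acct(user).locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True if this one triggered a lockout."""
        acct = self._acct(user)
        acct.failures.append(now)
        # Forget failures that fell out of the sliding window.
        while acct.failures and now - acct.failures[0] > WINDOW_SECONDS:
            acct.failures.popleft()
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self._acct(user).failures.clear()


def attempt_logon(limiter: LogonLimiter, creds: dict, user: str, password: str, now: float) -> str:
    """Return 'ok', 'denied' or 'locked'.

    The lockout is checked before the password is verified, so a locked account
    rejects even the correct password; otherwise an attacker could keep guessing
    straight through the lockout period.
    """
    if limiter.is_locked(user, now):
        return "locked"
    entry = creds.get(user)
    if entry is None:
        # Unknown user: do the same slow hash and give the same answer as a wrong
        # password, so timing and responses do not reveal which usernames exist.
        _hash(password, b"\x00" * 16)
        limiter.record_failure(user, now)
        return "denied"
    salt, verifier = entry
    if hmac.compare_digest(_hash(password, salt), verifier):
        limiter.record_success(user)
        return "ok"
    limiter.record_failure(user, now)
    return "denied"


if __name__ == "__main__":
    limiter = LogonLimiter()
    creds = make_creds({"alice": "correct horse battery staple"})   # constructed test account
    for t in range(5):
        print(t, attempt_logon(limiter, creds, "alice", "wrong-guess", now=t))
    print("correct password while locked:",
          attempt_logon(limiter, creds, "alice", "correct horse battery staple", now=5))
    print("after lockout expires:",
          attempt_logon(limiter, creds, "alice", "correct horse battery staple", now=5 + LOCKOUT_SECONDS))
```

Two details matter in practice: a successful logon clears the failure counter, and old failures age out of the window, so a handful of genuine typos spread over a day do not lock a legitimate user out. A time-based lockout rather than a permanent one also limits the denial-of-service an attacker can cause by deliberately failing logons against someone else's account.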

Protecting CUI

  • Encrypting CUI (Controlled Unclassified Information) on mobile devices is done to protect the confidentiality of sensitive information.

Cryptographic Mechanisms

  • Cryptographic mechanisms such as TLS or IPsec (for example, a VPN) should be employed to protect the confidentiality of remote access sessions; SSL, the predecessor of TLS, is deprecated and should not be used.

Access Control Definition

  • NISTIR 7298 defines access control as the process of granting or denying specific requests to (1) obtain and use information and related information processing services, and (2) enter specific physical facilities.

Access Control Regulation

  • According to RFC 4949, access control is a process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities according to that policy; the same RFC also gives the shorter sense of protecting system resources against unauthorized access.

Basic Security Requirements

  • One of the basic security requirements for access control according to SP 800-171 is to limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems), so that only those with a legitimate need can reach sensitive resources.

Access Control Focus

  • The main focus of access control according to NISTIR 7298 is to ensure that access to resources is restricted to authorized individuals, entities, or systems.

Authorized Entities

  • According to RFC 4949, the authorized entities are users, programs, processes, or other systems that the security policy permits to use a given system resource.
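The definitions above (RFC 4949's regulation of resource use according to a policy, SP 800-171's users, processes acting on behalf of users, and devices, and the separation-of-duties requirement in the first note) come together in a reference monitor. The following Python is an added example, not code from the textbook or the quiz: it authorizes each request against an explicit default-deny policy, derives a process's rights from the user it acts for, and refuses to let one principal perform both halves of a separated duty on the same resource. The policy entries, subject names and the submit/approve pair are constructed for the demonstration.

```python
"""A minimal reference monitor: every request to use a resource is checked against
an explicit policy and denied unless the policy permits it."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class SubjectKind(Enum):
    USER = "user"
    PROCESS = "process"   # a program running on behalf of a user
    DEVICE = "device"     # another system


@dataclass(frozen=True)
class Subject:
    kind: SubjectKind
    name: str
    on_behalf_of: Optional[str] = None   # for PROCESS: the user whose rights it carries


@dataclass(frozen=True)
class Rule:
    principal: str        # user or device name the rule applies to
    resource: str
    actions: frozenset


class ReferenceMonitor:
    def __init__(self, rules, sod_pairs):
        self._rules = list(rules)
        # Pairs of actions that one principal must not both perform on the same
        # resource (separation of duties), e.g. submit and approve a purchase order.
        self._sod = list(sod_pairs)
        self._history = {}   # (principal, resource) -> set of actions already performed

    @staticmethod
    def _principal(subject: Subject) -> Optional[str]:
        # A process holds at most the rights of the user it acts for; a process
        # with no such user holds none. Users and devices are principals themselves.
        if subject.kind is SubjectKind.PROCESS:
            return subject.on_behalf_of
        return subject.name

    def authorize(self, subject: Subject, resource: str, action: str) -> bool:
        principal = self._principal(subject)
        if principal is None:
            return False
        permitted = any(
            r.principal == principal and r.resource == resource and action in r.actions
            for r in self._rules
        )
        if not permitted:
            return False   # default deny: no matching rule, no access
        done = self._history.get((principal, resource), set())
        for first, second in self._sod:
            if (action == first and second in done) or (action == second and first in done):
                return False   # would let one principal hold both halves of a duty
        return True

    def perform(self, subject: Subject, resource: str, action: str) -> bool:
        """Authorize and, if permitted, record the action for later SoD checks."""
        if not self.authorize(subject, resource, action):
            return False
        key = (self._principal(subject), resource)
        self._history.setdefault(key, set()).add(action)
        return True


# Constructed policy for the demonstration (not from the textbook):
POLICY = [
    Rule("alice", "po-1001", frozenset({"submit", "approve"})),
    Rule("bob", "po-1001", frozenset({"approve"})),
    Rule("backup-host", "/var/db", frozenset({"read"})),
]
SOD_PAIRS = [("submit", "approve")]


def demo() -> dict:
    rm = ReferenceMonitor(POLICY, SOD_PAIRS)
    alice_app = Subject(SubjectKind.PROCESS, "erp-client", on_behalf_of="alice")
    orphan = Subject(SubjectKind.PROCESS, "cron-job")          # no user behind it
    bob = Subject(SubjectKind.USER, "bob")
    backup = Subject(SubjectKind.DEVICE, "backup-host")
    return {
        "alice_submits": rm.perform(alice_app, "po-1001", "submit"),
        "alice_approves_own": rm.perform(Subject(SubjectKind.USER, "alice"), "po-1001", "approve"),
        "bob_approves": rm.perform(bob, "po-1001", "approve"),
        "orphan_process": rm.perform(orphan, "po-1001", "approve"),
        "device_reads": rm.perform(backup, "/var/db", "read"),
        "device_writes": rm.perform(backup, "/var/db", "write"),
        "unknown_user": rm.perform(Subject(SubjectKind.USER, "mallory"), "po-1001", "submit"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permitted' if allowed else 'denied'}")
```

The point the demo makes is that alice's rule does grant her the approve action, yet the monitor still denies her approving the order she submitted: separation of duties is a constraint on the combination of actions, not on any single permission, and it can only be enforced if the monitor keeps a record of what each principal has already done on each object.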

Test your understanding of access control definitions as explained in Chapter 4 of 'Computer Security: Principles and Practice Fourth Edition'. This quiz covers the process of granting or denying specific requests to obtain and use information, related information processing services, and to enter specific physical facilities.
