Computer Security Chapter 4 Access Control Quiz
10 Questions

Questions and Answers

According to NISTIR 7298, access control is defined as:

  • Regulating use of system resources according to a security policy
  • Granting or denying specific requests to obtain and use information and related information processing services (correct)
  • Limiting information system access to authorized users, processes, or devices
  • Controlling the flow of Controlled Unclassified Information (CUI)

What is the main purpose of access control, based on the given information?

  • To grant or deny specific requests for information and services
  • To control the flow of Controlled Unclassified Information (CUI)
  • To regulate use of system resources according to a security policy
  • To limit system access to only authorized entities (correct)

Which of the following is a basic security requirement for access control, as per Table 4.1 Access Control Security Requirements?

  • Limiting information system access to the types of transactions permitted by authorized users
  • Limiting information system access to authorized users, processes, or devices (correct)
  • Controlling the flow of Controlled Unclassified Information (CUI)
  • Regulating use of system resources according to a security policy

According to RFC 4949, access control is a process that regulates use of system resources:

  • By permitting only authorized entities to use system resources

According to the given text, which security requirement involves controlling the flow of Controlled Unclassified Information (CUI)?

  • Derived Security Requirement 3

What is the principle of least privilege?

  • Limiting users' access rights to the bare minimum necessary to perform their work

What is the purpose of using non-privileged accounts or roles when accessing nonsecurity functions?

  • To prevent non-privileged users from executing privileged functions

What is the purpose of limiting unsuccessful logon attempts?

  • To prevent unauthorized access through brute force attacks

What is the significance of employing cryptographic mechanisms to protect the confidentiality of remote access sessions?

  • To protect sensitive information from unauthorized disclosure during remote access

Why is it important to encrypt controlled unclassified information (CUI) on mobile devices?

  • To prevent unauthorized access and disclosure of CUI if mobile devices are lost or stolen

Study Notes

Access Control

  • The main purpose of access control is to regulate the use of system resources.

Access Control Security Requirements

  • One basic security requirement for access control is to control the flow of Controlled Unclassified Information (CUI).

Principle of Least Privilege

  • The principle of least privilege is a security principle that involves granting users or roles only the privileges needed to perform specific tasks.

Non-Privileged Accounts

  • Using non-privileged accounts or roles when accessing non-security functions helps prevent exploitation of elevated privileges by attackers.

Limiting Unsuccessful Logon Attempts

  • Limiting unsuccessful logon attempts helps prevent brute-force attacks.

Cryptographic Mechanisms

  • Employing cryptographic mechanisms is necessary to protect the confidentiality of remote access sessions.

Encrypting Controlled Unclassified Information

  • Encrypting controlled unclassified information (CUI) on mobile devices is important because it helps protect sensitive information from unauthorized access or theft.

Description

Test your understanding of access control principles and definitions from Chapter 4 of the book 'Computer Security: Principles and Practice Fourth Edition'. The quiz includes questions about NISTIR 7298 definitions, granting or denying specific requests to obtain and use information, and entering physical facilities.
