8 Questions

Identity and Access Management

This quiz covers the key concepts of Identity and Access Management, including authentication and authorization methods and access control models.

Created by
@RemarkableNarcissus

Questions and Answers

What is the primary goal of authentication?

Verifying the identity of a user, device, or system

What type of access control model is based on user roles?

Role-Based Access Control (RBAC)

What is the primary function of a firewall?

Protecting networks from unauthorized access

What is the process of categorizing assets based on sensitivity and criticality?

Asset classification

What is the primary goal of risk management?

Identifying and mitigating risks

What is the process of designing and implementing secure systems?

Security architecture

What is the primary goal of incident response?

Responding to security incidents

What is the process of identifying and remediating vulnerabilities?

Vulnerability management


Study Notes

Identity And Access Management

  • Authentication: Verifying the identity of a user, device, or system
    • Factors: Something you know (password), something you have (token), something you are (biometric)
    • Methods: Username/password, smart cards, biometrics, one-time passwords
  • Authorization: Granting or denying access to resources based on user identity
    • Access Control Models: Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC)
  • Accountability: Tracking and monitoring user activities
    • Auditing, logging, and monitoring user actions

Communication And Network Security

  • Network Fundamentals: OSI model, TCP/IP, IP addressing, routing, switching
  • Network Security: Protecting networks from unauthorized access
    • Firewalls: Network-based, host-based, application-based
    • VPNs: Site-to-site, remote access, SSL/TLS
  • Secure Communication: Protecting data in transit
    • Cryptography: Symmetric, asymmetric, hashing, digital signatures
    • Secure protocols: SSL/TLS, SSH, SFTP

Asset Security

  • Asset Classification: Categorizing assets based on sensitivity and criticality
    • Confidentiality, integrity, availability
  • Data Protection: Protecting data at rest and in transit
    • Encryption, access controls, backup and recovery
  • Media Protection: Protecting physical media and storage devices
    • Sanitization, destruction, disposal

Security And Risk Management

  • Risk Management: Identifying, assessing, and mitigating risks
    • Risk assessment methodologies: Qualitative, quantitative, hybrid
  • Security Policy: Establishing organizational security policies and procedures
    • Policy development, implementation, and maintenance
  • Compliance and Audit: Ensuring adherence to laws, regulations, and standards
    • Compliance frameworks, audit methodologies, audit types

Security Engineering

  • Security Architecture: Designing and implementing secure systems
    • Secure design principles, secure protocols, cryptography
  • Vulnerability Management: Identifying and remediating vulnerabilities
    • Vulnerability scanning, penetration testing, patch management
  • Incident Response: Responding to security incidents
    • Incident response methodologies, incident response teams

Identity And Access Management

  • Authentication involves verifying the identity of a user, device, or system using factors such as something you know (password), something you have (token), or something you are (biometric).
  • Authentication methods include username/password, smart cards, biometrics, and one-time passwords.
  • Authorization grants or denies access to resources based on user identity.
  • Access Control Models include Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role-Based Access Control (RBAC).
  • Accountability tracks and monitors user activities through auditing, logging, and monitoring user actions.

Communication And Network Security

  • Network Fundamentals include the OSI model, TCP/IP, IP addressing, routing, and switching.
  • Network Security protects networks from unauthorized access using firewalls (network-based, host-based, application-based) and VPNs (site-to-site, remote access, SSL/TLS).
  • Secure Communication protects data in transit using cryptography (symmetric, asymmetric, hashing, digital signatures) and secure protocols (SSL/TLS, SSH, SFTP).

Asset Security

  • Asset Classification categorizes assets based on sensitivity and criticality, considering confidentiality, integrity, and availability.
  • Data Protection protects data at rest and in transit using encryption, access controls, and backup and recovery.
  • Media Protection protects physical media and storage devices using sanitization, destruction, and disposal.

Security And Risk Management

  • Risk Management identifies, assesses, and mitigates risks using qualitative, quantitative, and hybrid risk assessment methodologies.
  • Security Policy establishes organizational security policies and procedures, including policy development, implementation, and maintenance.
  • Compliance and Audit ensures adherence to laws, regulations, and standards using compliance frameworks, audit methodologies, and audit types.

Security Engineering

  • Security Architecture designs and implements secure systems using secure design principles, secure protocols, and cryptography.
  • Vulnerability Management identifies and remediates vulnerabilities using vulnerability scanning, penetration testing, and patch management.
  • Incident Response responds to security incidents using incident response methodologies and incident response teams.
