Читаем CISSP Practice полностью

A judicious and carefully considered assessment that an IT activity or network meets the minimum requirements of applicable security directives. The assessment should take into account the value of IT assets, threats and vulnerabilities, countermeasures and their efficacy in compensating for vulnerabilities, and operational requirements.

Acceptable risk

A concern that is acceptable to responsible management, due to the cost and magnitude of implementing controls.

Access aggregation

Combines access permissions either in one system or multiple systems for system user or end-user convenience and efficiency and to eliminate duplicate and unnecessary work. Access aggregation can be achieved through single-sign on system (SSO), reduced sign-on system (RSO), or other methods. Note that access aggregation must be compatible with a user’s authorized access rights, privileges, and permissions and cannot exceed them because of an “authorization creep” problem, which is a major risk. Access aggregation process must meet the following requirements:

Support for the separation of duty concept to avoid conflict of interest situations (administrative)

Support for the principles of least privilege and elimination of authorization creep through reauthorization

Support for the controlled inheritance of access privileges

Support for safety through access constraint models such as static and dynamic separation of duties (technical)

Support for safety so that no access permissions can be leaked to unauthorized individuals, which can be implemented through access control configurations and models

Support for proper mapping of subject, operation, object, and attributes

Support for preventing or resolving access control policy conflicts resulting in deadlock situation due to cyclic referencing

Support for a horizontal scope of access controls (across platforms, applications, and enterprises)

Support for a vertical scope of access controls (between operating systems, database management systems, networks, and applications)

Access authority

An entity responsible for monitoring and granting access privileges for other authorized entities.

Access category

One of the classes to which a user, a program, or a process may be assigned on the basis of the resources or groups of resources that each user, program, or process is authorized to use.

Access control

(1) What permits or restricts access to applications at a granular level, such as per-user, per-group, and per-resources. (2) The process of granting or denying specific requests for obtaining and using information and related information processing services and to enter specific physical facilities (e.g., buildings). (3) Procedures and controls that limit or detect access to critical information resources. This can be accomplished through software, biometrics devices, or physical access to a controlled space. (4) Enables authorized use of a computer resource while preventing unauthorized use or use in an unauthorized manner. (5) Access controls determine what the users can do in a computer system. (6) Access controls are designed to protect computer resources from unauthorized modification, loss, or disclosure. (7) Access controls include both physical access controls, which limit access to facilities and associated hardware, and logical access controls, which prevent or detect unauthorized access to sensitive data and programs stored or transmitted electronically.

Access control list (ACL)

A register of (1) users (including groups, machines, programs, and processes) who have been given permission to use a particular system resource and (2) the types of access they have been permitted. This is a preventive and technical control.

Access control matrix

A table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object.

Access control measures and mechanisms

Hardware and software features (technical controls), physical controls, operational controls, management controls, and various combinations of these designed to detect or prevent unauthorized access to an IT system and to enforce access control. This is a preventive, detective, and technical control.

Access control policy

The set of rules that define the conditions under which an access may take place.

Access control software