Читаем CISSP Practice полностью

Occurs when a user can access a system’s resources that he is authorized to access, no more or no less. It assumes that users have certain rights, obligations, and limitations and that they must adhere to the rules of behavior (ROB) at all times in order to keep their entitlement in honesty and integrity. For example, internal users must not misuse or abuse their access rights because they can modify data and cause damage to computer systems and IT assets similar to hackers.

User entitlement operates based on the principles of access control lists, access profiles, access levels, and access types (read, write, execute, append, modify, delete, or create), and access accountability. Users must understand the user entitlement rules, which are follows:

Users are assigned with specific roles and de-roles based on their job duties and responsibilities

User capabilities are revoked from roles and as such are revoked from users

Objects can be assigned to object groups based on secrecy levels of the objects

Object groups are organized according to the business functions of an organization

User ID

A unique symbol or character string used by a system to identify a specific user.

User interface

A combination of menus, screen design, keyboard commands, command language, and help screens that together create the way a user interacts with a computer. Hardware, such as a mouse or touch screen, is also included. Synonymous with graphical user interface (GUI).

User profile

Patterns of a user’s activity used to detect changes in normal routines.

Utility computing

Based on the concept of “pay and use” with regards to computing power in the form of computations, storage, and Web-based services, similar to public utilities (such as, gas, water, and electricity). Utility computing is provided through “on demand” computing and supports cloud computing, grid computing, and distributed computing (Wikipedia).

Utility program

(1) A computer program that supports the operation of a computer. Utility programs provide file management capabilities, such as sorting, copying, archiving, comparing, listing, and searching, as well as diagnostic routines that check the health of the computer system. It also includes compilers or software that translates a programming language into machine language. (2) A computer program or routine that performs general data and system-related functions required by other application software, the operating system, or users. Examples include copy, sort, or merge files. (3) It is a program that performs a specific task for an information system, such as managing a disk drive or printer.

V

Valid password

A personal password that authenticates the identity of an individual when presented to a password system or an access password that allows the requested access when presented to a password system.

Validation

(1) The performance of tests and evaluations in order to determine compliance with security specifications and requirements. (2) The process of evaluating a system or component (including software) during or at the end of the development process to determine whether it satisfies specified requirements. (3) The process of demonstrating that the system under consideration meets all respects the specification of that system.

Value-added network (VAN)

A network of computers owned or controlled by a single entity used for data transmission (e.g., EDI and EFT), electronic mail, information retrieval, and other functions by subscribers. EDI can be VAN-based or Web-based.

Variable minimization

A method of reducing the number of variables which a subject has access, not exceeding the minimum required, thereby reducing the risk of malicious or erroneous actions by that subject. This concept can be generalized to include data minimization.

Vendor governance

Requires a vendor to establish written policies, procedures, standards, and guidelines regarding how to deal with its customers or clients in a professional and business-like manner. It also requires establishing an oversight mechanism and implementing best practices in the industry. Customer (user) organizations should consider the following criteria when selecting potential hardware, software, consulting, or contracting vendors.

Experience in producing or delivering high quality security products and services on-time and all the time

A track-record in responding to security flaws in vendor products, project management skills, and cost and budget controls

Methods to handle software and hardware maintenance, end-user support, and maintenance agreements

The vendor’s long-term financial, operational, and strategic viability

Adherence to rules of engagement (ROE) during contractual agreements, procurement processes, and red team testing

Verification