Skip to content

Latest commit

 

History

History
172 lines (122 loc) · 6.17 KB

File metadata and controls

172 lines (122 loc) · 6.17 KB

Domain 3: Access Controls Concepts

How to Use This Domain

Use this domain to understand how access is granted, controlled, monitored, and reviewed. Access control is one of the most important security areas because unauthorized access can lead to data exposure, system compromise, fraud, and operational risk.

Section 1: Physical Access Controls

What You Should Understand

Physical access controls protect facilities, rooms, equipment, people, and physical records. Cybersecurity is not only digital. If someone can enter a secure room or access a device physically, they may bypass technical controls.

Key Concepts

  • Physical security controls prevent unauthorized physical entry.
  • Monitoring helps detect unauthorized access.
  • Logs and badges create accountability.
  • Environmental design can reduce security risk.
  • Authorized personnel should be clearly distinguished from unauthorized visitors.

Important Terms

  • Badge system - Identification and access card system.
  • Gate entry - Controlled entry point.
  • CCTV - Camera monitoring system.
  • Alarm system - Detects and alerts on unauthorized access.
  • Mantrap - Controlled space with two doors to restrict entry.
  • Tailgating - Following an authorized person into a restricted area.
  • Visitor log - Record of visitors and access details.

What To Practice

  • Identify physical controls in an office building.
  • Explain how tailgating can bypass access control.
  • Create a visitor access procedure.

Quick Check

  1. Why are physical controls part of cybersecurity?
  2. What is tailgating?
  3. How does CCTV support security?
  4. Why are visitor logs useful?
  5. What is a mantrap?

Section 2: Logical Access Controls

What You Should Understand

Logical access controls manage access to systems, applications, networks, and data. They help ensure that only authorized users can perform approved actions.

Key Concepts

  • Identification claims an identity.
  • Authentication proves identity.
  • Authorization grants access based on permissions.
  • Accounting records user activity.
  • Least privilege gives users only the access needed.
  • Separation of duties prevents one person from having too much control.

Important Terms

  • Identification - Claiming who you are.
  • Authentication - Proving who you are.
  • Authorization - Determining what you can access.
  • Accounting - Recording what actions were performed.
  • AAA - Authentication, Authorization, and Accounting.
  • Least privilege - Minimum access required.
  • Separation of duties - Splitting sensitive tasks across multiple people.

What To Practice

  • Explain identification, authentication, and authorization using login examples.
  • Identify least privilege violations in sample user access lists.
  • Explain why accounting logs matter for investigations.

Quick Check

  1. What is the difference between authentication and authorization?
  2. What does accounting provide?
  3. Why is least privilege important?
  4. What is separation of duties?
  5. What does AAA stand for?

Section 3: Identity and Access Management

What You Should Understand

Identity and Access Management, or IAM, manages user accounts, roles, permissions, authentication, and account lifecycle. IAM helps organizations control who has access to what.

Key Concepts

  • User provisioning creates accounts and assigns access.
  • Deprovisioning removes access when no longer needed.
  • Privileged accounts need stronger controls.
  • MFA reduces the risk of stolen passwords.
  • Password policies should support strong authentication.
  • Access reviews verify that permissions are still appropriate.

Important Terms

  • IAM - Identity and Access Management.
  • Provisioning - Creating access.
  • Deprovisioning - Removing access.
  • Privileged account - Account with elevated permissions.
  • MFA - Multi-factor authentication.
  • Access review - Periodic check of user permissions.
  • Orphaned account - Account no longer tied to a valid user.

What To Practice

  • Build a joiner, mover, leaver access checklist.
  • Identify risks from stale or orphaned accounts.
  • List controls for privileged administrator accounts.

Quick Check

  1. Why is deprovisioning important?
  2. What is a privileged account?
  3. Why are access reviews needed?
  4. How does MFA reduce account risk?
  5. What is an orphaned account?

Section 4: Access Control Models

What You Should Understand

Access control models define how permissions are assigned and enforced. The CC exam expects basic understanding of common models and when they are used.

Key Concepts

  • DAC gives resource owners control over access.
  • MAC uses centrally managed security labels.
  • RBAC grants permissions based on job roles.
  • ABAC grants access based on attributes such as user, resource, action, and context.
  • Rule-based access uses defined rules such as time, location, or network condition.

Important Terms

  • DAC - Discretionary Access Control.
  • MAC - Mandatory Access Control.
  • RBAC - Role-Based Access Control.
  • ABAC - Attribute-Based Access Control.
  • Rule-based access - Access controlled by predefined rules.
  • Permission - Approved action on a resource.

What To Practice

  • Match DAC, MAC, RBAC, and ABAC to examples.
  • Explain why RBAC is common in organizations.
  • Identify access rules for remote login.

Quick Check

  1. Which model is based on job roles?
  2. Which model uses centrally controlled labels?
  3. Which model lets owners manage access?
  4. Which model uses attributes and context?
  5. Why is RBAC easier to manage than assigning access user by user?

Domain Review Checklist

  • I can explain physical access controls.
  • I understand monitoring, badges, CCTV, alarms, and visitor logs.
  • I can explain identification, authentication, authorization, and accounting.
  • I understand least privilege and separation of duties.
  • I can describe IAM account lifecycle.
  • I understand privileged account risk.
  • I can compare DAC, MAC, RBAC, ABAC, and rule-based access.

Quick Revision

Access control protects systems, data, and physical spaces by ensuring only authorized users can access approved resources. Strong access control uses physical safeguards, logical permissions, IAM processes, MFA, least privilege, access reviews, and appropriate access control models.