2
ISC2 Certified in Cybersecurity Chapter 3 Exam with
|| || || || || || || ||
solutions
A safeguard or countermeasure designed to preserve Confidentiality, Integrity and Availability of
|| || || || || || || || || || || ||
data.
A Control
||
_____ _____ involves limiting what objects can be available to what subjects according to what
|| || || || || || || || || || || || || || ||
rules.
Access Control ||
Access is based on three elements. What are they?
|| || || || || || || ||
1. Subjects
||
2. Objects
||
3. Rules
||
Generally an individual, process or device causing information to flow among objects or change
|| || || || || || || || || || || || || ||
to the system state. NIST SP800-53 R4
|| || || || || ||
Subject
Any entity that request access to our access and is the imitator of a request for service. therefore it
|| || || || || || || || || || || || || || || || || || ||
is referred to as "active".
|| || || ||
Subject
-Is a user, a process, a procedure, a client (or a server), a program, a device such as an endpoint,
|| || || || || || || || || || || || || || || || || || || ||
workstation, smartphone or removable storage device with onboard firmware. || || || || || || || ||
-Is active: it initiates a request for access to resources or services.
|| || || || || || || || || || ||
-Requests a service from an object. || || || || ||
-Should have a level of clearance (permissions) that relates to its ability to successfully access
|| || || || || || || || || || || || || || ||
service or resources. || ||
Subject
Passive information system-related entity (e.g., devices, files, records, tables, processes,
|| || || || || || || || || ||
programs, domains) containing or receiving information. NIST SP 800-53 Rev 4
|| || || || || || || || || ||
Object
, 2
A device process, person, user, program, server, client or other entity that responds to a request for
|| || || || || || || || || || || || || || || ||
service and is passive in that it takes no action until its called upon.
|| || || || || || || || || || || || || ||
Object
-Is a building, a computer, a file, a database, a printer or scanner, a server, a communications
|| || || || || || || || || || || || || || || || ||
resource, a block of memory, an input/output port, a person, a software task, thread or process
|| || || || || || || || || || || || || || ||
-Is anything that provides service to a user.
|| || || || || || ||
-Is passive. ||
-Responds to a request. || || ||
-May have a classification. || || ||
Object
An instruction developed to allow or deny access to a system by comparing the validated identity
|| || || || || || || || || || || || || || || ||
of the subject to an access control list.
|| || || || || || ||
Rule
This might be added to allow access from the inside network to the outside network.
|| || || || || || || || || || || || || ||
Rule
-Compare multiple attributes to determine appropriate access || || || || || ||
-Allow access to an object. || || || ||
-Define how much access is allowed. || || || || ||
-Deny access to an object. || || || ||
-Apply time-based access. || ||
Rule
Devices that enforce administrative security policies by filtering incoming traffic based on a set of
|| || || || || || || || || || || || || ||
rules.
||
Firewall
The use of multiple controls arranged in series to provide several consecutive controls to protect
|| || || || || || || || || || || || || || ||
an asset; also called defense in depth.
|| || || || || ||
Layered Defense ||
Information security strategy integrating people, technology, and operations capabilities to || || || || || || || || || ||
establish variable barriers across multiple layers and missions of the organization. NIST SP 800-
|| || || || || || || || || || || || ||
53 Rev 4 || ||
Defense in Depth || ||
ISC2 Certified in Cybersecurity Chapter 3 Exam with
|| || || || || || || ||
solutions
A safeguard or countermeasure designed to preserve Confidentiality, Integrity and Availability of
|| || || || || || || || || || || ||
data.
A Control
||
_____ _____ involves limiting what objects can be available to what subjects according to what
|| || || || || || || || || || || || || || ||
rules.
Access Control ||
Access is based on three elements. What are they?
|| || || || || || || ||
1. Subjects
||
2. Objects
||
3. Rules
||
Generally an individual, process or device causing information to flow among objects or change
|| || || || || || || || || || || || || ||
to the system state. NIST SP800-53 R4
|| || || || || ||
Subject
Any entity that request access to our access and is the imitator of a request for service. therefore it
|| || || || || || || || || || || || || || || || || || ||
is referred to as "active".
|| || || ||
Subject
-Is a user, a process, a procedure, a client (or a server), a program, a device such as an endpoint,
|| || || || || || || || || || || || || || || || || || || ||
workstation, smartphone or removable storage device with onboard firmware. || || || || || || || ||
-Is active: it initiates a request for access to resources or services.
|| || || || || || || || || || ||
-Requests a service from an object. || || || || ||
-Should have a level of clearance (permissions) that relates to its ability to successfully access
|| || || || || || || || || || || || || || ||
service or resources. || ||
Subject
Passive information system-related entity (e.g., devices, files, records, tables, processes,
|| || || || || || || || || ||
programs, domains) containing or receiving information. NIST SP 800-53 Rev 4
|| || || || || || || || || ||
Object
, 2
A device process, person, user, program, server, client or other entity that responds to a request for
|| || || || || || || || || || || || || || || ||
service and is passive in that it takes no action until its called upon.
|| || || || || || || || || || || || || ||
Object
-Is a building, a computer, a file, a database, a printer or scanner, a server, a communications
|| || || || || || || || || || || || || || || || ||
resource, a block of memory, an input/output port, a person, a software task, thread or process
|| || || || || || || || || || || || || || ||
-Is anything that provides service to a user.
|| || || || || || ||
-Is passive. ||
-Responds to a request. || || ||
-May have a classification. || || ||
Object
An instruction developed to allow or deny access to a system by comparing the validated identity
|| || || || || || || || || || || || || || || ||
of the subject to an access control list.
|| || || || || || ||
Rule
This might be added to allow access from the inside network to the outside network.
|| || || || || || || || || || || || || ||
Rule
-Compare multiple attributes to determine appropriate access || || || || || ||
-Allow access to an object. || || || ||
-Define how much access is allowed. || || || || ||
-Deny access to an object. || || || ||
-Apply time-based access. || ||
Rule
Devices that enforce administrative security policies by filtering incoming traffic based on a set of
|| || || || || || || || || || || || || ||
rules.
||
Firewall
The use of multiple controls arranged in series to provide several consecutive controls to protect
|| || || || || || || || || || || || || || ||
an asset; also called defense in depth.
|| || || || || ||
Layered Defense ||
Information security strategy integrating people, technology, and operations capabilities to || || || || || || || || || ||
establish variable barriers across multiple layers and missions of the organization. NIST SP 800-
|| || || || || || || || || || || || ||
53 Rev 4 || ||
Defense in Depth || ||
