What’s an Access Control List (ACL)?
A table of access rules for computers or systems and the user IDs or assets allowed to access them.
What’s and Access Control Entry (ACE)?
A single record in an ACL.
What’s a Discretionary Access Control List (DACL)?
A means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
What’s a Directory Management System?
The collection of software, hardware, and processes that store information about an enterprise, subscribers, or both, and makes that information available to users.
What are some technology controls for Directory management?
- Access Control Entries (ACEs)
- Access Control Lists (ACLs)
What are some process controls for Directory Management?
- Policies for setting permissions
- Understanding permission inheritance
What’s the definition of Principle of Least Privilege?
Giving a user account only those privileges which are essential to perform its intended functions.
What are some technology controls for Authorization?
- Identity and Access Management (IAM) applications
- Directory management
- Privileged account management tools
- “Approval before access” controls
- Logging and retention of approved data certification
- Identity management (system)
- Information flow enforcement
- Software licensing
What are some process controls for Authorization?
- Onboarding and role changes
- Approval processes and workflows
- Designation of approvers and delegates
- Audit of entitlements
- Identity management (manual)
What are some technology controls for Authentication and access?
- Identity and access management (IAM) tools
- Privileged account management (PAM) tools
- VPN access
- Password vault
What are some process controls for Authentication and access?
- Access control governance, policies and procedures
- Authorization/access control matrix management
- User provisioning and de-provisioning policies and processes
- Regularly scheduled access audits
- Change approval boards and processes
What are some technology controls for Privileged account management?
- Identity and access management (IAM) tools
- Privileged account management (PAM) tools
- VPN access
- Password vault
What are some process controls for Privileged account management?
- Policies and procedures
- Authorization matrix management
- Change approval boards and processes
What is “user access requirements”?
what is needed for secure, successful, and value-adding user access needs.
What are some technology controls for System user?
- Enforced password criteria compliance
- Automated warnings, spam filters
- Anti-virus and anti-malware software
- Password vault/manager
What are some process controls for System user?
- Policies and procedures related to employee behaviors
- Anti-reflective monitor screens
- Locking screens when leaving workstation
- Not writing down passwords
- Education campaigns
- Audits and spot checks
