Access Control Systems and Methodology

This domain examines mechanisms and methods used to enable administrators and managers to control what subjects can access, the extent of their capabilities after authorization and authentication, and the auditing and monitoring of these activities. Some of the topics covered include:

- Access control security models
- Identification and authentication technologies and techniques
- Access control administration
- Data ownership
- Attack methods
________
- Describe the access control concepts and methodologies and their enterprise wide implementation in a centralized or decentralized environment.
- Identify the access control security tools and technologies used to minimize or avoid risks, exposures, and vulnerabilities.
- Describe the auditing mechanisms for analyzing behavior, use, and content of the IT system.
________
Access Controls
- The primary goal of access controls are to (I&A) identify and authenticate.
- There should also be access control policies that designate who can do what.
- The access control mechanism should also leave an audit trail.

Separation of Duties
- A process is designed so that different steps are performed by different people.
- Must define the different steps.
- Separation of Duties forces an individual to create a collusion in order to manipulate the system.

Least Privilege
- Least privilege is a policy that limits both the system's users and processes to access only those resources necessary to perform assigned functions.
- Define each users job and only access to that, no less or no more.
- Least Privilege is also know as Need-to-Know.