The document discusses key concepts in Domain 3 (Access Control). It covers physical and logical access controls, security controls, subjects and objects, defense in depth, least privilege, need to know, privileged access management, segregation of duties, and provisioning. The concepts focus on controlling access to resources through countermeasures, granting only the necessary access levels, leveraging multiple layers of security, and separating duties to prevent fraud and security compromises.
3. Subjects & Objects
https://www.youtube.com/naggaracademy
A subject is an entity that requires access to system resources (a human, a batch job, an application, etc.).
An object is a resource to which access must be controlled.
An access control rule specifies the rights of different types of subjects (user, group, role, or organization) to access objects.
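The subject/object/rule model above, worked through in code. This is an added example, not material from the slides or the course: subjects carry a user name plus the groups, roles and organization they belong to, each rule grants rights on one object to one subject type, and a request is permitted only when some rule matches one of the requester's identities (anything not explicitly granted is denied). All names, objects and rights in the sample policy are constructed for illustration.

```python
"""Minimal access-control rule evaluator (added example, not from the slides)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """An entity requesting access: a person, a batch job, an application, ..."""
    user: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()
    organization: str = ""

    def identities(self):
        """Every (subject_type, name) pair a rule could match for this subject."""
        yield ("user", self.user)
        for g in self.groups:
            yield ("group", g)
        for r in self.roles:
            yield ("role", r)
        if self.organization:
            yield ("organization", self.organization)


@dataclass(frozen=True)
class Rule:
    """Grants `rights` on `obj` to every subject holding (subject_type, subject_name)."""
    subject_type: str
    subject_name: str
    obj: str
    rights: frozenset


def is_permitted(subject, obj, right, rules):
    """Default-deny: permit only if a rule matches the object, the right and
    one of the subject's identities."""
    identities = set(subject.identities())
    for rule in rules:
        if rule.obj != obj or right not in rule.rights:
            continue
        if (rule.subject_type, rule.subject_name) in identities:
            return True
    return False


# Constructed sample policy; object and subject names are hypothetical.
RULES = (
    Rule("role", "payroll-clerk", "payroll-db", frozenset({"read"})),
    Rule("group", "finance", "payroll-db", frozenset({"read"})),
    Rule("user", "dba01", "payroll-db", frozenset({"read", "write", "admin"})),
    Rule("organization", "acme", "intranet", frozenset({"read"})),
)

# Constructed sample subjects: a human user, a batch job and an administrator.
ALICE = Subject("alice", groups=frozenset({"finance"}),
                roles=frozenset({"payroll-clerk"}), organization="acme")
NIGHTLY_JOB = Subject("backup-job", roles=frozenset({"backup"}), organization="acme")
DBA = Subject("dba01", organization="acme")


def demo():
    """Evaluate a handful of requests against the sample policy."""
    return {
        "alice reads payroll-db": is_permitted(ALICE, "payroll-db", "read", RULES),
        "alice writes payroll-db": is_permitted(ALICE, "payroll-db", "write", RULES),
        "backup-job reads payroll-db": is_permitted(NIGHTLY_JOB, "payroll-db", "read", RULES),
        "backup-job reads intranet": is_permitted(NIGHTLY_JOB, "intranet", "read", RULES),
        "dba01 admins payroll-db": is_permitted(DBA, "payroll-db", "admin", RULES),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request}: {'permit' if allowed else 'deny'}")
```

Note that the batch job is a subject in its own right: it is denied on payroll-db because no rule names its role, even though it shares the organization that grants intranet access.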
4. Defense in Depth
Defense in depth is a strategy that leverages multiple security measures to protect an organization's assets. The thinking is that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way.
7. Privileged Access Management (PAM)
An identity security solution that helps protect organizations against cyber-threats by monitoring, detecting, and preventing unauthorized privileged access to critical resources.
8. Segregation of Duties
The concept of having more than one person required to complete a task.
An administrative control used by organizations to prevent fraud, sabotage, theft, misuse of information, and other security compromises.
Collusion occurs when people responsible for different aspects of a segregated process decide to come together to deliberately override the controls for their own benefit.
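A two-person control as code, added here as an example and not part of the slides: a payment must be initiated by one person and approved by a different one, the approval step refuses the same identity in both roles, and every decision lands in an audit trail. Because segregation alone cannot stop the collusion described above, the workflow also counts how often each initiator/approver pair completes a task together, which gives a reviewer something concrete to look at. The payment workflow, user names and amounts are hypothetical.

```python
"""Segregation-of-duties check for a two-step payment (added example, not from the slides)."""
from collections import Counter
from dataclasses import dataclass, field


class SegregationViolation(Exception):
    """Raised when one person tries to perform both halves of a segregated task."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    initiated_by: str
    approved_by: str = ""  # empty until a second, different person approves


@dataclass
class PaymentWorkflow:
    payments: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (event, payment_id, user)

    def initiate(self, payment_id, amount, user):
        """First half of the task: any authorised user may propose a payment."""
        payment = Payment(payment_id, amount, user)
        self.payments[payment_id] = payment
        self.audit_log.append(("initiate", payment_id, user))
        return payment

    def approve(self, payment_id, user):
        """Second half: must be a different person than the initiator."""
        payment = self.payments[payment_id]
        if user == payment.initiated_by:
            # Record the refused attempt too; a pattern of these is itself a signal.
            self.audit_log.append(("rejected-same-person", payment_id, user))
            raise SegregationViolation(
                f"{user} initiated {payment_id} and may not approve it")
        payment.approved_by = user
        self.audit_log.append(("approve", payment_id, user))
        return payment

    def pair_frequencies(self):
        """How often each (initiator, approver) pair completed a payment.
        A pair that dominates the ledger is worth a reviewer's attention,
        since collusion looks exactly like two people routinely approving
        each other's work."""
        return Counter(
            (p.initiated_by, p.approved_by)
            for p in self.payments.values() if p.approved_by
        )


def run_demo():
    """Constructed scenario: two clean approvals and one refused self-approval."""
    wf = PaymentWorkflow()
    wf.initiate("PAY-1", 1200.00, "alice")
    wf.approve("PAY-1", "bob")
    wf.initiate("PAY-2", 300.00, "alice")
    wf.approve("PAY-2", "bob")
    wf.initiate("PAY-3", 950.00, "carol")
    try:
        wf.approve("PAY-3", "carol")  # same person on both sides: refused
    except SegregationViolation:
        pass
    return wf


if __name__ == "__main__":
    wf = run_demo()
    for event in wf.audit_log:
        print(event)
    print("initiator/approver pairs:", dict(wf.pair_frequencies()))
```

The control enforces the rule mechanically; the pair count is what turns the audit trail into something a second reviewer can actually use.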