
Controls

Administrative
  Policy and procedure
  Personnel controls
  Supervisory Structure
  Security-awareness training
  Testing

Physical Controls
  Network Segregation
  Perimeter Security
  Computer Controls
  Work area separation
  Data Backups
  Cabling
  Control Zone

Technical Controls
  System Access
  Network Architecture
  Network Access
  Encryption and protocols
  Auditing

Types
  Preventive
  Detective
  Corrective
  Recovery
  Deterrent
  Compensating

General Concepts

  Access Control - security features that control how users and systems communicate and interact with other systems
  Access - flow of information between subject and object
  Subject is an active entity that requests access to an object or data within an object
  Object is a passive entity that contains information or needed functionality

Access Control Models

  Discretionary Access Control (DAC)
    Gives subjects full control of objects they have been given access to, including sharing the objects with other subjects
    Windows and Linux use it for filesystems
    Identity based access control
  Non-discretionary
  Mandatory Access Control (MAC)
    System-enforced control based on subject's clearance and object's labels
    Security Labels (Sensitivity Labels)
      Contains classifications and different categories
      Categories enforce need-to-know rules
  Role-based Access Control (RBAC)
    Uses centrally administered set of controls to determine how subjects and objects interact
    Core RBAC
    Hierarchical RBAC
  Rule-Based Access Control

Constrained User Interfaces
Access Control Matrix
Capability Table
Access Control List
Content-dependent access control
Context-dependent access control
