ISC2 CC Domain 3

Domain 3: Access Control Concepts

This summary outlines key concepts in access control, including types of security controls, defense strategies, and privilege management, rewritten for a professional portfolio.

---

Security Controls Overview

Security controls are measures implemented to protect the confidentiality, integrity, and availability (CIA) of assets. Examples include firewalls, which regulate incoming and outgoing traffic to prevent unauthorized access.

Access control determines who can interact with an asset and what actions they are allowed to perform.

---

Key Components of Access Control

• Subject: An entity requesting access, which can be active and authorized. Examples include users, processes, procedures, clients, and servers.
• Object: Anything the subject wants to access. Objects are passive and must be protected; they may include files, databases, printers, threads, or devices. Objects often have owners and classifications.
• Rules: Define whether a subject is allowed or denied access. Rules may use access control lists, multiple attributes, or time-based permissions (e.g., firewall ACLs).

---

Defense in Depth

Defense in depth is a layered approach combining people, processes, and technology to deter attacks. Examples:

• Multi-layered authentication (username, password, MFA)
• Firewalls controlling network traffic
• Segmentation of sensitive information

Types of controls:

• Physical Controls: Tangible measures such as security guards, cameras, and fences.
• Logical Controls: Electronic measures like passwords, biometrics, and access badges.
• Administrative Controls: Policies, procedures, and operational guidelines.

Example: A data center may integrate all three: administrative policies, logical tools, and physical barriers to protect assets.

---

Control Implementation

• Controls reduce risk to an organization’s acceptable level.
• Examples: seatbelts, traffic laws, secure shelving, building codes.
• Effectiveness depends on context; controls should be adapted to the asset, environment, and risk scenario.

---

Role-Based Access Control (RBAC)

• Access is granted based on work roles rather than individual users.
• When employees change roles, permissions are updated accordingly.
• Regular reviews prevent privilege creep and ensure standards are maintained.
• RBAC works well in environments with high staff turnover.

---

Privileged Access Management

• Privileged accounts have elevated permissions beyond standard users (e.g., system administrators, IT staff, security analysts).
• Permissions should be just-in-time, only granted when necessary.
• Controls include extensive logging, multi-factor authentication, stricter background checks, NDAs, and regular audits.

Example: Helpdesk personnel with password reset permissions are monitored closely; logs are compared against tickets to detect anomalies.

---

Monitoring and Oversight

• Monitoring is critical for physical, logical, and administrative controls.
• Physical monitoring: Surveillance cameras, alarm systems, security guards.
• Logging and auditing: Records of events help detect suspicious activity and maintain accountability.
• Anomaly detection: Alerts triggered by unusual behavior help prevent misuse or security incidents.

---

Key Takeaways

• Effective access control combines people, technology, and processes in a layered defense strategy.
• Roles and privileges should be carefully defined and regularly reviewed.
• Monitoring, auditing, and adaptive controls ensure that risks remain within acceptable limits.