Access Control
The Access Control domain covers the mechanisms by which a system grants or revokes the right to access data or perform an action on an information system.
Access Control systems include
File permissions, such as “create,” “read,” “edit,” or “delete” on a file server.
Program permissions, such as the right to execute a program on an application server.
Data rights, such as the right to retrieve or update information in a database.
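As an added illustration (not part of the original text), the following deny-by-default permission store models the three kinds of rights listed above, with grant and revoke operations and a decision function that records every check for audit; the subject, resource and action names are constructed for the example.

```python
from collections import defaultdict

# Constructed example: the actions recognised for each kind of right named in
# the text (file permissions, program permissions, data rights).
VALID_ACTIONS = {
    "file": {"create", "read", "edit", "delete"},
    "program": {"execute"},
    "data": {"retrieve", "update"},
}


class AccessControl:
    """In-memory access control list. Deny-by-default: a right exists only if
    it was explicitly granted and has not since been revoked."""

    def __init__(self):
        # (subject, resource_type, resource) -> set of granted actions
        self._grants = defaultdict(set)
        # Decision log, one record per check, for later review or alerting
        self.audit_log = []

    def grant(self, subject, resource_type, resource, action):
        # Refuse to store rights that no enforcement point could interpret
        if action not in VALID_ACTIONS.get(resource_type, set()):
            raise ValueError(f"{action!r} is not a valid {resource_type} action")
        self._grants[(subject, resource_type, resource)].add(action)

    def revoke(self, subject, resource_type, resource, action):
        # Revoking a right that was never granted is a no-op, not an error
        self._grants[(subject, resource_type, resource)].discard(action)

    def is_allowed(self, subject, resource_type, resource, action):
        # Unknown subjects, resources, types and actions all fall through to deny
        # (.get() on the defaultdict does not create an entry as a side effect)
        granted = self._grants.get((subject, resource_type, resource), set())
        allowed = action in granted
        self.audit_log.append(
            {"subject": subject, "type": resource_type, "resource": resource,
             "action": action, "allowed": allowed}
        )
        return allowed

    def denied_count(self, subject):
        """Number of denied checks for a subject; a spike is worth investigating."""
        return sum(1 for r in self.audit_log
                   if r["subject"] == subject and not r["allowed"])
```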
CISSP candidates should fully understand access control concepts, methodologies, and their implementation in both centralized and decentralized environments across an organization’s computing infrastructure.
Chapter 4 covers this domain in detail. Major Access Control topics include
Reviewing concepts, methodologies, and techniques of access control
Knowing the risks, vulnerabilities, and attacks that target access control
Assessing the effectiveness of access controls
Provisioning identity and access throughout the information life cycle