Access Control

The Access Control domain covers the mechanisms by which a system grants or revokes the right to access data or perform an action on an information system.

Access Control systems include

- File permissions, such as “create,” “read,” “edit,” or “delete” on a file server.

- Program permissions, such as the right to execute a program on an application server.

- Data rights, such as the right to retrieve or update information in a database.

CISSP candidates should fully understand access control concepts, methodologies, and their implementation within centralized and decentralized environments across an organization’s computing environment.

Chapter 4 covers this domain in detail. Major Access Control topics include

- Reviewing concepts, methodologies, and techniques of access control

- Knowing the risks, vulnerabilities, and attacks that target access control

- Assessing the effectiveness of access controls

- Provisioning identity and access throughout the information life cycle
