Page 1004 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Exam Essentials


Know the difference between subjects and objects. You'll find that CISSP questions and security documentation commonly use the terms subject and object, so it's important to know the difference between them. Subjects are active entities (such as users) that access passive objects (such as files). A user is a subject who accesses objects while performing some action or accomplishing a work task.

Know the various types of access controls. You should be able to identify the type of any given access control. Access controls may be preventive (to stop unwanted or unauthorized activity from occurring), detective (to discover unwanted or unauthorized activity), or corrective (to restore systems to normal after an unwanted or unauthorized activity has occurred). Deterrent access controls attempt to discourage violation of security policies by encouraging people to decide not to take an unwanted action. Recovery controls attempt to repair or restore resources, functions, and capabilities after a security policy violation. Directive controls attempt to direct, confine, or control the action of subjects to force or encourage compliance with security policy. Compensating controls provide options or alternatives to existing controls to aid in enforcement and support of a security policy.

Know the implementation methods of access controls. Controls are implemented as administrative, logical/technical, or physical controls. Administrative (or management) controls include policies or procedures to implement and enforce overall access control. Logical/technical controls include hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems. Physical controls include physical barriers deployed to prevent direct contact and access with systems or areas within a facility.


Understand the difference between identification and authentication. Access controls depend on effective identification and authentication, so it's important to understand the differences between them. Subjects claim an identity, and identification can be as