Page 952 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
information about the user based on the cookie. Finally, the application switches back to an object as it sends dynamic web pages back to the user.
The CIA Triad and Access Controls
One of the primary reasons organizations implement access control mechanisms is to prevent losses. There are three categories of IT loss: loss of confidentiality, availability, and integrity (CIA). Protecting against these losses is so integral to IT security that they are frequently referred to as the CIA Triad (or sometimes the AIC Triad or Security Triad).

Confidentiality: Access controls help ensure that only authorized subjects can access objects. When unauthorized entities can access systems or data, it results in a loss of confidentiality.

Integrity: Integrity ensures that data or system configurations are not modified without authorization, or if unauthorized changes occur, security controls detect the changes. If unauthorized or unwanted changes to objects occur, it results in a loss of integrity.

Availability: Authorized requests for objects must be granted to subjects within a reasonable amount of time. In other words, systems and data should be available to users and other subjects when they are needed. If the systems are not operational or the data is not accessible, it results in a loss of availability.
Types of Access Control
Generally, an access control is any hardware, software, or administrative policy or procedure that controls access to resources. The goal is to provide access to authorized subjects and prevent unauthorized access attempts. Access control includes the following overall steps:

1. Identify and authenticate users or other subjects attempting to access resources.
2. Determine whether the access is authorized.
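The two steps listed above, worked through as an added example (this code is not from the study guide): the subject is first identified by username and authenticated against a salted password hash, and only then is the requested action on the object checked against an access control list. The user names, passwords, object names and ACL entries are constructed for illustration; the comments tie each permission back to the CIA losses the control is meant to prevent.

```python
import hashlib
import hmac
import os

# Constructed credential store: username -> (per-user salt, PBKDF2-SHA256 hash).
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _make_user(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _derive(password, salt)

USERS = {
    "alice": _make_user("correct horse"),   # constructed sample credentials
    "bob": _make_user("battery staple"),
}

# Salt used only to keep the work constant when the username is unknown,
# so that a lookup failure is not distinguishable by timing.
_DUMMY_SALT = bytes(16)

# Constructed ACL: object -> subject -> permitted actions.
# "read" protects confidentiality (who may see the object);
# "write" protects integrity (who may change it).
ACL = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "public.html": {"alice": {"read"}, "bob": {"read"}},
}


def authenticate(username: str, password: str) -> bool:
    """Step 1: identify the subject (username lookup) and authenticate it
    (verify the password against the stored salted hash)."""
    entry = USERS.get(username)
    if entry is None:
        _derive(password, _DUMMY_SALT)  # constant work for unknown subjects
        return False
    salt, stored = entry
    # compare_digest avoids leaking where the hashes first differ.
    return hmac.compare_digest(stored, _derive(password, salt))


def authorize(username: str, obj: str, action: str) -> bool:
    """Step 2: decide whether this (already authenticated) subject is
    allowed the requested action on the object. Default is deny."""
    return action in ACL.get(obj, {}).get(username, set())


def check_access(username: str, password: str, obj: str, action: str) -> str:
    """Run both steps in order and return the decision as a short string."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, obj, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    for who, pw, obj, act in [
        ("alice", "correct horse", "payroll.db", "write"),
        ("bob", "battery staple", "payroll.db", "write"),
        ("bob", "wrong password", "payroll.db", "read"),
        ("mallory", "anything", "public.html", "read"),
    ]:
        print(f"{who} {act} {obj}: {check_access(who, pw, obj, act)}")
```

Note that authorization is never consulted until authentication succeeds, and that an object or subject missing from the ACL yields a deny rather than an error: both choices keep the default on the side of confidentiality and integrity.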