Existing Citations

  • access control (p. 43): Procedures and controls that limit or detect access to critical information resources. This can be accomplished through software, biometrics devices, or physical access to a controlled space. (†1660)
  • access control (p. iv): Nearly all applications that deal with financial, privacy, safety, or defense include some form of access control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. In some systems, complete access is granted after successful authentication of the user, but most systems require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. (†1666)
  • access control (p. iv): Access control policies are high level requirements that specify how access is managed and who may access information under what circumstances. . . . At a high level, access control policies are enforced through a mechanism that translates a user’s access request, often in terms of a structure that a system provides. . . . Access control models bridge the gap in abstraction between policy and mechanism. (†1667)
  • access control (p. iv): A state of access control is said to be safe if no permission can be leaked to an unauthorized or uninvited principal. To assure the safety of an access control system, it is essential to make certain that the access control configuration (e.g., access control model) will not result in the leakage of permissions to an unauthorized principal. Even though the general safety computation is proven undecidable [HRU76], practical mechanisms exist for achieving the safety requirement, such as safety constraints built into the mechanism. (†1668)
  • access control (p. 3): The objectives of an access control system are often described in terms of protecting system resources against inappropriate or undesired user access. From a business perspective, this objective could just as well be described in terms of the optimal sharing of information. After all, the main objective of IT is to make information available to users and applications. A greater degree of sharing may get in the way of resource protection; in reality, a well-managed and effective access control system actually facilitates sharing. A sufficiently fine-grained access control mechanism can enable selective sharing of information where in its absence, sharing may be considered too risky altogether [FKC03]. (†1669)
  • audit (p. 43): The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures and to recommend any indicated changes in controls, policy, or procedures. (†1661)
  • authentication (p. 43): Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system. (†1662)
  • confidentiality (p. 44): Assurance that information is not disclosed to unauthorized persons, processes, or devices. Confidentiality covers data in storage, during processing, and in transit. (†1663)
  • integrity (p. 44): Preservation of the original quality and accuracy of data in written or electronic form. (†1664)
  • permission (p. 3): [also privilege]: An authorization to perform some action on the system. In most computer security literature, the term permission refers to some combination of object and operation. A particular operation used on two different objects represents two distinct permissions, and similarly, two different operations applied to a single object represent two distinct permissions. For example, a bank teller may have permissions to execute debit and credit operations on customer records through transactions, while an accountant may execute debit and credit operations on the general ledger, which consolidates the bank’s accounting data [FKC03]. (†1670)
  • permission (p. 44): Authorization to perform some action on a system. (†1671)
  • vulnerability (p. 45): A weakness in system security procedures, hardware, design, implementation, internal controls, technical controls, physical controls, or other controls that could be accidentally triggered or intentionally exploited and result in a violation of the system's security policy. (†1665)