Quick review: Access Controls – ISC2 CC

This review sheet helps you go over the fundamental concepts of access controls before taking the quiz on the Access Controls topic.

What you really need to know

Access controls are used to determine who can access systems, data, applications and resources, and with which permissions. For ISC2 CC, you need to understand the difference between identification, authentication, authorization and accounting.

The central point is simple: it is not enough to know who a user is. You must also verify their identity, assign only the necessary permissions and check over time that those accesses are still correct.

Key concepts

  • Identification: the user declares who they are, for example through a username.
  • Authentication: the system verifies the user's identity.
  • Authorization: the system decides what the user can do.
  • Accounting: records and tracks the user's activities.
  • MFA: requires multiple authentication factors.
  • Least privilege: grants only the necessary permissions.
  • Need to know: allows access only to the necessary information.
  • RBAC: assigns permissions based on role.
  • Account lifecycle: management of accounts from creation to deactivation.
  • Access review: periodic review of assigned permissions.

Differences not to confuse

Concept            Main meaning
Identification     Declaring who you are
Authentication     Verifying identity
Authorization      Defining what you can do
Accounting         Tracking activities
MFA                Using multiple authentication factors
Least privilege    Giving only the necessary permissions
Need to know       Giving access only to the necessary information
RBAC               Managing permissions based on roles

Identification, authentication and authorization

These three concepts are often confused in quizzes.

Identification happens when a user declares their identity, for example by entering a username.

Authentication happens when the system verifies that the user is really who they claim to be, for example through a password, token, fingerprint or MFA.

Authorization happens after authentication and determines what the user can do: read data, modify files, access an application or administer a system.

Simple example:

  • username = identification;
  • password or MFA = authentication;
  • assigned permissions = authorization.

Accounting and tracking

Accounting concerns the recording of user activities. It is used to know who did what, when and from where.

Examples of accounting:

  • access logs;
  • audit trail;
  • change recording;
  • tracking of administrative activities;
  • monitoring of failed access attempts.

For ISC2 CC, you need to remember that accounting is important for investigations, audits, compliance and detection of suspicious behavior.

MFA

MFA, Multi-Factor Authentication, requires multiple authentication factors. The main factors are:

  • something you know, such as a password;
  • something you have, such as a token or smartphone;
  • something you are, such as a fingerprint or biometric recognition.

MFA is more secure than a password alone because it reduces the risk that an account is compromised if a single factor is stolen.
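The four steps (identification, authentication, authorization, accounting) and the two-factor login from the sections above, written out as working code. This is an added example for this review sheet, not ISC2 material and not code from the original page; the users, passwords, token secrets and permission sets are constructed, and the second factor is an RFC 4226 HOTP code standing in for a hardware token or phone app ("something you have") next to the password ("something you know"):

```python
# Added example: identification, authentication, authorization and
# accounting as four separate steps. Users, passwords, token secrets
# and permissions are constructed sample data, not from any real system.
import hashlib
import hmac
import struct

# Constructed: one static salt for the whole example. A real system
# stores a random salt per user next to the hash.
SALT = b"constructed-example-salt"


def hash_password(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (something you know)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP code as produced by a token or phone app (something you have)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed user directory: password hash, token secret, next expected
# HOTP counter and the permissions granted to the account.
USERS = {
    "alice": {"pw": hash_password("correct horse battery"),
              "otp_secret": b"alice-token-secret", "counter": 0,
              "perms": {"report:read"}},
    "bob":   {"pw": hash_password("bob-pass-42"),
              "otp_secret": b"bob-token-secret", "counter": 0,
              "perms": {"report:read", "report:write", "user:admin"}},
}

# Accounting: every login attempt and every authorization decision lands here.
AUDIT_LOG = []


def record(user, action, outcome, **extra):
    entry = {"user": user, "action": action, "outcome": outcome, **extra}
    AUDIT_LOG.append(entry)
    return entry


def identify(username):
    """Identification: the claim 'I am <username>'. Nothing is verified yet."""
    return USERS.get(username)


def authenticate(username, password, otp_code):
    """Authentication with two factors. True only if password AND code are valid."""
    user = identify(username)
    if user is None:
        record(username, "login", "fail", reason="unknown user")
        return False
    pw_ok = hmac.compare_digest(user["pw"], hash_password(password))
    otp_ok = hmac.compare_digest(otp_code, hotp(user["otp_secret"], user["counter"]))
    if not (pw_ok and otp_ok):
        record(username, "login", "fail",
               reason="bad password" if not pw_ok else "bad or reused code")
        return False
    user["counter"] += 1  # a HOTP code is single-use; move the counter on
    record(username, "login", "success")
    return True


def authorize(username, permission):
    """Authorization: what an authenticated user may do, from the granted permissions."""
    allowed = permission in USERS.get(username, {}).get("perms", set())
    record(username, permission, "allow" if allowed else "deny")
    return allowed


def failed_logins(username):
    """Accounting in use: count failed attempts for a user (what a monitor alerts on)."""
    return sum(1 for e in AUDIT_LOG
               if e["user"] == username and e["action"] == "login" and e["outcome"] == "fail")


if __name__ == "__main__":
    code = hotp(USERS["alice"]["otp_secret"], USERS["alice"]["counter"])
    print("login:", authenticate("alice", "correct horse battery", code))
    print("may read report:", authorize("alice", "report:read"))
    print("may admin users:", authorize("alice", "user:admin"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the username alone never grants anything: `identify` only looks the claim up, `authenticate` is the step that verifies it, and `authorize` is consulted separately for every action. Both failed and successful attempts are written to the audit log, which is what makes the "monitoring of failed access attempts" item under accounting possible; the counter look-ahead window that real HOTP servers use for resynchronisation is left out to keep the example short.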

Least privilege

The principle of least privilege states that users, processes and applications must have only the minimum permissions required to perform their task.

This reduces the risk of abuse, human error and damage if an account is compromised.

Example: a user who only needs to view reports should not have administrator permissions.

Need to know

The need to know principle states that a user should access only the information truly necessary for their work.

It is similar to least privilege, but focuses mainly on access to information.

Example: an employee may be authorized to access the HR system, but should still not see sensitive employee data that their work does not require.

RBAC

RBAC means Role-Based Access Control. In this model, permissions are assigned to roles and users receive access based on the role they hold.

Examples of roles:

  • standard user;
  • manager;
  • administrator;
  • auditor;
  • help desk.

RBAC simplifies access management because it avoids assigning permissions manually user by user.

Account lifecycle

The account lifecycle includes all phases of account management:

  • creation;
  • permission assignment;
  • permission modification when the role changes;
  • suspension;
  • deactivation;
  • removal of accesses that are no longer needed.

A very common mistake is leaving active accounts for users who no longer work in the organization or keeping old privileges after a role change.

Access review

Access reviews are periodic checks of permissions assigned to users.

They are used to verify that:

  • users still need the accesses granted;
  • there are no excessive privileges;
  • inactive accounts are removed;
  • administrative accesses are justified;
  • role changes have been managed correctly.

Periodic reviews reduce the risk of privilege creep, which is the gradual accumulation of permissions that are no longer needed.

Common quiz mistakes

  • Confusing authentication and authorization.
  • Thinking that the username is authentication.
  • Thinking that a password alone is always sufficient.
  • Confusing least privilege and need to know.
  • Forgetting that accesses must be reviewed periodically.
  • Thinking that RBAC means giving the same permissions to everyone.
  • Forgetting to deactivate accounts that are no longer used.
  • Confusing accounting with authentication.

Mini exam scenario

An employee changes department but keeps all permissions from the previous role, in addition to the new permissions. This situation represents a privilege creep problem.

The correct solution is to perform an access review and remove permissions that are no longer needed, applying the principle of least privilege.
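The RBAC, account lifecycle and access review sections above, together with this scenario, as one working model. This is an added example for this review sheet, not ISC2 material and not code from the original page; the roles, permissions, usernames and dates are constructed, and the 90-day inactivity threshold is an assumed value, not one the sheet states:

```python
# Added example: RBAC, a role change in the account lifecycle, and an
# access review that finds privilege creep and inactive accounts.
# Roles, permissions, users and dates are constructed sample data.
from datetime import date

# RBAC: permissions are attached to roles, never to individual users.
ROLES = {
    "standard_user": {"report:read"},
    "manager":       {"report:read", "report:approve", "team:view"},
    "administrator": {"report:read", "user:create", "user:delete", "system:config"},
    "auditor":       {"report:read", "log:read"},
    "help_desk":     {"user:reset_password", "ticket:write"},
}


def effective_permissions(roles):
    """Union of what the given roles grant."""
    perms = set()
    for role in roles:
        perms |= ROLES[role]
    return perms


class Account:
    """One user account across its lifecycle. Dates are ISO strings (YYYY-MM-DD)."""

    def __init__(self, username, roles, last_login):
        self.username = username
        self.roles = set(roles)
        self.perms = effective_permissions(self.roles)  # creation + permission assignment
        self.last_login = date.fromisoformat(last_login)
        self.active = True

    def change_role(self, old_role, new_role, cleanup=True):
        """Lifecycle step: permission modification when the role changes.
        With cleanup=False the old grants are left in place, which is how
        privilege creep starts."""
        self.roles.discard(old_role)
        self.roles.add(new_role)
        if cleanup:
            self.perms = effective_permissions(self.roles)
        else:
            self.perms |= ROLES[new_role]

    def deactivate(self):
        """Lifecycle step: deactivation. An inactive account can do nothing."""
        self.active = False
        self.perms = set()


def can(account, permission):
    """Authorization decision under RBAC."""
    return account.active and permission in account.perms


def access_review(accounts, today, inactive_days=90):
    """Periodic review. Returns findings per username:
    - privilege_creep: permissions that no current role justifies
    - inactive: active account with no login for more than inactive_days
    - admin_review: holds the administrator role, so the grant needs a justification"""
    today = date.fromisoformat(today)
    findings = {}
    for acc in accounts:
        issues = {}
        excess = acc.perms - effective_permissions(acc.roles)
        if excess:
            issues["privilege_creep"] = sorted(excess)
        idle = (today - acc.last_login).days
        if acc.active and idle > inactive_days:
            issues["inactive"] = idle
        if acc.active and "administrator" in acc.roles:
            issues["admin_review"] = True
        if issues:
            findings[acc.username] = issues
    return findings


def remediate(account):
    """Apply least privilege: keep only what the current roles grant. Returns what was removed."""
    keep = effective_permissions(account.roles)
    removed = account.perms - keep
    account.perms = keep
    return removed


if __name__ == "__main__":
    # The exam scenario: carol moves from manager to help desk but keeps the old grants.
    carol = Account("carol", ["manager"], "2024-05-01")
    carol.change_role("manager", "help_desk", cleanup=False)
    print(access_review([carol], today="2024-06-01"))
    print("removed:", remediate(carol))
    print(access_review([carol], today="2024-06-01"))
```

The review compares what an account actually holds with what its current roles would grant; anything in the difference is privilege creep, and `remediate` is the least-privilege fix the scenario calls for. Because permissions live on roles, adding a user to a role or moving them between roles never requires hand-editing individual grants, which is the simplification RBAC promises.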

Mini checklist before the quiz

Before starting the quiz, you should be able to explain:

  • the difference between identification, authentication and authorization;
  • what accounting is used for;
  • why MFA is more secure than a password alone;
  • what least privilege means;
  • what need to know means;
  • how RBAC works;
  • why the account lifecycle is important;
  • why accesses must be reviewed periodically;
  • what privilege creep means.

FAQ

What is the difference between authentication and authorization?

Authentication verifies the user's identity. Authorization determines what the user can do after being authenticated.

Is the username authentication?

No. The username is mainly used to identify the user. Authentication happens when the system verifies the identity, for example with a password, MFA or biometrics.

Why is MFA important?

MFA reduces the risk of account compromise because it requires multiple authentication factors, not just a password.

What does least privilege mean?

It means granting only the permissions needed to perform a task, avoiding excessive privileges.

What is RBAC?

RBAC, Role-Based Access Control, is a model where permissions are assigned to roles and users receive access based on the role they hold.

Why are access reviews needed?

They are used to periodically check that users still have only the necessary accesses and to remove obsolete or excessive permissions.

Now test what you reviewed

After the review, start the quiz to check whether you really understand the key concepts.