All right, let's go ahead and begin our requirements, and the very first we're gonna take a look at is access control. And access control is all about limiting what a subject can do to an object, whether that subject is a user who's authorized, someone who's unauthorized, could be a system, could be a process.
And, of course, the object is the passive entity that's being accessed or manipulated. So that's what we're gonna look at with requirement one. And of course, we have
basic security requirements and then derived security requirements.
One of the things that I want to mention to you about the format of all of these slides is that you're going to see a number beginning each of the basic security requirements and each of the further elements. And this is to tell you to reference what section, what chapter and section
of the Special Publication 800-171, and where these elements are located. So if you're looking at the actual document, the PDF of this publication, this would be the section that you would go to. Okay, I hope that again makes sense. All right, so we start out with access control.
What are our basic security requirements? We only have two basic security requirements. We have a lot of derived requirements, though. So for the basic security requirements: limit information system access to authorized users. That makes sense, making sure that
everyone that accesses the information is authorized. We don't have any improper access
or any processes acting on behalf of authorized users. Like we said, a subject can also be a process, um, or on behalf of devices, or devices acting on behalf of authorized users. So basically, what we're looking to do is make sure
that whatever actions happen on the system,
they are authorized, they're performed by authorized users, processes, systems or whatever.
Okay, the second basic security requirement.
We wanna limit the information system access to the type of transactions and functions that authorized users are permitted to execute. Now again, I know this sounds very basic. Basically, we're saying, all right, what you can do in this system are only the things that you have been authorized to do, right?
So we're gonna limit access to authorized users, processes or systems,
and we're gonna limit their functions to authorized functions. Again, sounds very, very basic, kind of a gimme. But what you see in the next section is gonna be the derived requirements that are gonna help make this happen.