Time
1 hour 27 minutes
Difficulty
Intermediate
CEU/CPE
2

Video Description

This lesson covers Domain 3, the basic security requirements surrounding access control. Essentially, access control is about limiting what a subject (an authorized or unauthorized user, a process, or a system) can do to an object, the passive entity being accessed or manipulated. The requirements are divided into basic requirements and the derived requirements that support them.

Video Transcription

00:04
All right, let's go ahead and begin our requirements. The very first one we're gonna take a look at is access control, and access control is all about limiting what a subject can do to an object, whether that subject is a user who's authorized, someone who's unauthorized, a system, or a process.
00:23
And, of course, the object is the passive entity that's being accessed or manipulated. So that's what we're gonna look at with requirement one. And of course, we have
00:32
basic security requirements and then derived security requirements.
00:36
One of the things that I want to mention to you about the format of all of these slides is that you're going to see a number beginning each of the basic security requirements and each of the further elements. This is to tell you what section, what chapter and section
00:52
of Special Publication 800-171, these elements are located in. So if you're looking at the actual document, the PDF of this publication, this would be the section that you would go to. Okay, I hope that again makes sense. All right, so we start out with access control.
01:11
What are our basic security requirements? We only have two basic security requirements. We have a lot of derived requirements, though. So for the basic security requirements: limit information system access to authorized users. That makes sense, making sure that
01:27
everyone that accesses the information is authorized and we don't have any improper access,
01:33
or any processes acting on behalf of authorized users (like we said, a subject can also be a process), or devices acting on behalf of authorized users. So basically, what we're looking to do is make sure
01:51
that whatever actions happen on the system,
01:53
they are authorized; they're performed by authorized users, processes, systems, or whatever.
01:59
Okay, the second basic security requirement.
02:02
We wanna limit information system access to the types of transactions and functions that authorized users are permitted to execute. Now again, I know this sounds very basic. Basically, we're saying, all right, what you can do in this system are only the things that you have been authorized to do, right?
02:21
So we're gonna limit access to authorized users, processes, or systems,
02:24
and we're gonna limit their functions to authorized functions. Again, it sounds very, very basic, kind of a gimme. But what you see in the next section is gonna be the derived requirements that are gonna help make this happen.

NIST 800-171 Controlled Unclassified Information Course

The Cybrary NIST 800-171 course covers the 14 domains of safeguarding controlled unclassified information in non-federal agencies. Basic and derived requirements are presented for each security domain as defined in the NIST 800-171 special publication.

Instructed By

Kelly Handerhan
Senior Instructor