Access Control Mechanisms

Access is typically managed or controlled by three mechanisms: authentication, authorization, and accounting (AAA).

• Authentication is the process of “verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.” (FIPS 200)
  Identification is the process of a subject claiming, or professing, an identity so that the authentication process can proceed.
• Authorization is “the process of verifying that a requested action or service is approved for a specific entity.” (NIST SP 800-152)
• Accounting is the process of recording entries or logs of the activities of subjects and objects, just like keeping financial accounting journals.

Accounting, Auditing, and Accountability (Yet Another AAA)

Logs are the work product of accounting. Accountability can be achieved through reviewing or examining (auditing) a set of correlated logs (audit trail) to uniquely trace the activity to an entity.

• Accountability is “the security objective that generates the requirement for actions of an entity to be traced uniquely to that entity.” (NIST SP 800-33)
• Audit is the “independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.” (NIST SP 800-12 Rev. 1)
• Audit trail is “a chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result.” (NIST SP 800-53 Rev. 4)

Inconsistent Definitions

I treat accounting and auditing in the opposite way to the Sybex Official CISSP Study Guide. It defines auditing as “recording a log of the events and activities related to the system and subjects,” and accounting (aka accountability) as “reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.”