5.5.5 MAC/DAC/RBAC (Page 1 of 2)

As with Auditing, this section revisits a topic we covered in greater detail earlier in this book. We will briefly revisit it now.

The National Institute of Standards and Technology (NIST) states:

With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, and manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization. Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.

NIST has a draft standard, a 51-page PDF, that is available to study.[446]

RBAC is policy-oriented, yet policy neutral: it does not dictate the policies you must apply. Examples of RBAC can be found in Microsoft's Active Directory and Novell's Directory Services. Highlights of RBAC include:
[446] http://csrc.nist.gov/rbac/rbacSTD-ACM.pdf
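The NIST description above can be made concrete with a small policy engine. The following is an added illustration, not code from the CertiGuide text or from NIST: the hospital roles, permissions and user names are constructed here, and the Session/activate_role/is_permitted names are this example's own. It shows the two ideas the quotation stresses: access rights are grouped under a role name, and a user only gets those rights once they are authorized to assume (activate) that role.

```python
"""Minimal role-based access control (RBAC) model.

Added example modelled on the NIST description of RBAC; the roles,
permissions and users below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Access rights grouped by role name (constructed hospital example).
ROLE_PERMISSIONS = {
    "doctor": {"perform_diagnosis", "prescribe_medication", "order_lab_tests"},
    "nurse": {"record_vitals", "administer_medication"},
    "researcher": {"gather_anonymous_clinical_data"},
}

# Role assignment: which roles each user is authorized to assume.
USER_ROLES = {
    "alice": {"doctor", "researcher"},
    "bob": {"nurse"},
    "carol": {"researcher"},
}


@dataclass
class Session:
    """A logged-in user plus the roles they have activated so far.

    A user may be authorized for several roles but only holds the
    permissions of the roles currently active in the session.
    """
    user: str
    active_roles: set = field(default_factory=set)


def activate_role(session: Session, role: str) -> bool:
    """Activate `role` in the session if the user is authorized for it.

    Returns False (and changes nothing) for unknown users, unknown roles,
    or roles the user has not been assigned.
    """
    if role not in ROLE_PERMISSIONS:
        return False
    if role not in USER_ROLES.get(session.user, set()):
        return False
    session.active_roles.add(role)
    return True


def is_permitted(session: Session, operation: str) -> bool:
    """Access decision: allowed only if an active role grants the operation."""
    return any(operation in ROLE_PERMISSIONS[r] for r in session.active_roles)


def effective_permissions(user: str) -> set:
    """Union of rights the user could obtain by activating all assigned roles.

    Useful for access reviews: it answers "what can this person do at most"
    without consulting per-user permission lists.
    """
    rights = set()
    for role in USER_ROLES.get(user, set()):
        rights |= ROLE_PERMISSIONS[role]
    return rights


if __name__ == "__main__":
    s = Session("alice")
    activate_role(s, "researcher")
    print("alice as researcher may prescribe:", is_permitted(s, "prescribe_medication"))
    activate_role(s, "doctor")
    print("alice as doctor may prescribe:", is_permitted(s, "prescribe_medication"))
    print("bob may become doctor:", activate_role(Session("bob"), "doctor"))
    print("alice's maximum rights:", sorted(effective_permissions("alice")))
```

Note that the policy itself lives entirely in the two tables; the decision code never mentions a user by name, which is what makes RBAC policy neutral. Separating role assignment (USER_ROLES) from role activation (the session) also lets a user who holds several roles work with the least privilege the task needs.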
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com. Version 1.0 - Version Date: November 15, 2004. Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.