Identification and Authentication: Establishing the Foundation of Access Control Systems

Identification


Question

Identification and authentication are the keystones of most access control systems.

Identification establishes:

Answers

Explanations


A.

Identification and authentication are the keystones of most access control systems.

Identification establishes user accountability for the actions on the system.

The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system.

This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised.

The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.

Once a person has been identified through the user ID or a similar value, she must be authenticated, which means she must prove she is who she says she is.

Three general factors can be used for authentication: something a person knows, something a person has, and something a person is.

They are also commonly called authentication by knowledge, authentication by ownership, and authentication by characteristic.

For a user to be able to access a resource, he first must prove he is who he claims to be, has the necessary credentials, and has been given the necessary rights or privileges to perform the actions he is requesting.

Once these steps are completed successfully, the user can access and use network resources; however, it is still necessary to track the user's activities and enforce accountability for his actions.

Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be.

Identification can be provided with the use of a username or account number.

To be properly authenticated, the subject is usually required to provide a second piece to the credential set.

This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token.

These two credential items are compared to information that has been previously stored for this subject.

If these credentials match the stored information, the subject is authenticated.

But we are not done yet.

Once the subject provides its credentials and is properly identified, the system it is trying to access needs to determine if this subject has been given the necessary rights and privileges to carry out the requested actions.

The system will look at some type of access control matrix or compare security labels to verify that this subject may indeed access the requested resource and perform the actions it is attempting.

If the system determines that the subject may access the resource, it authorizes the subject.

Although identification, authentication, authorization, and accountability have close and complementary definitions, each has distinct functions that fulfill a specific requirement in the process of access control.

A user may be properly identified and authenticated to the network, but he may not have the authorization to access the files on the file server.

On the other hand, a user may be authorized to access the files on the file server, but until she is properly identified and authenticated, those resources are out of reach.
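As an added illustration (not part of the original question or its cited sources), the four steps described above, identification, authentication, authorization and accountability, as one small Python access check. The user store, salt, access control matrix and resource path are constructed sample data; the unauthenticated-but-authorized and authenticated-but-unauthorized cases from the last two paragraphs both appear as denials at different steps.

```python
import hashlib
import hmac

# Constructed sample data (assumptions, not from the page).
SALT = b"constructed-salt-0001"

def _hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored credential is never the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Identification store: known user IDs and their stored credential.
USERS = {"alice": _hash_pw("correct horse", SALT)}
# Access control matrix: subject -> resource -> permitted actions.
ACL = {"alice": {"/srv/files/report.txt": {"read"}}}
# Accountability: the detective record of every attempt, success or failure.
AUDIT_LOG: list[str] = []

def request_access(user_id: str, password: str, resource: str, action: str):
    """Return (granted, step_reached). The step name is for the internal audit
    trail; a message shown to the requester should not distinguish an unknown
    user from a wrong password, to avoid confirming which IDs exist."""
    # 1. Identification: the claimed identity must be a known subject.
    if user_id not in USERS:
        AUDIT_LOG.append(f"DENY identification user={user_id!r} unknown")
        return False, "identification"
    # 2. Authentication: prove the claim; constant-time compare avoids timing leaks.
    if not hmac.compare_digest(USERS[user_id], _hash_pw(password, SALT)):
        AUDIT_LOG.append(f"DENY authentication user={user_id}")
        return False, "authentication"
    # 3. Authorization: consult the access control matrix for subject/resource/action.
    if action not in ACL.get(user_id, {}).get(resource, set()):
        AUDIT_LOG.append(f"DENY authorization user={user_id} {action} {resource}")
        return False, "authorization"
    # 4. Accountability: successful exercise of a privilege is logged as well.
    AUDIT_LOG.append(f"ALLOW user={user_id} {action} {resource}")
    return True, "authorized"

if __name__ == "__main__":
    request_access("alice", "correct horse", "/srv/files/report.txt", "write")
    request_access("mallory", "anything", "/srv/files/report.txt", "read")
    print("\n".join(AUDIT_LOG))
```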

Reference(s) used for this question:

Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press), Auerbach Publications, Kindle Edition, Kindle Locations 889-892.

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, McGraw-Hill, Kindle Edition, Kindle Locations 3875-3878.

Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, McGraw-Hill, Kindle Edition, Kindle Locations 3833-3848.

Krutz, Ronald L. & Vines, Russell D. (2001). The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, Page 36.

Identification is the process of establishing the identity of a user or entity that is requesting access to a system or resource. It is a critical component of access control systems, as it allows the system to determine who is requesting access and what level of access should be granted.

Identification is typically achieved through the use of unique identifiers, such as usernames, employee ID numbers, or biometric data (e.g. fingerprints, facial recognition), that are associated with individual users.

The establishment of user accountability for actions on the system is the primary goal of identification. By identifying the user, the system can track their actions and hold them responsible for any unauthorized or malicious activity that occurs on the system. This is essential for maintaining the integrity and security of the system and the data it contains.

Option A, "User accountability for the actions on the system," is therefore the correct answer to the question. Option B, "Top management accountability for the actions on the system," is incorrect, as identification is focused on individual user accountability rather than management accountability. Option C, "EDP department accountability for the actions of users on the system," is also incorrect, as identification is not intended to establish accountability for the actions of the EDP (Electronic Data Processing) department. Option D, "Authentication for actions on the system," is not a complete definition of identification, as authentication is a separate but related process that verifies the identity of a user based on credentials such as passwords or security tokens.