Category: Information Security

  • Procedures

    Cybersecurity Procedures 

    A procedure is a documented, step-by-step set of instructions that outlines how to implement a cybersecurity policy in practice. Procedures translate high-level policy requirements into clear, actionable tasks, ensuring that security controls are applied consistently, correctly, and safely across an organization. While policies define what must be done and why, procedures clarify how it is done, who performs it, and when it should be completed.

    Procedures are crucial for minimizing human error, ensuring operational consistency, and supporting the effective implementation of security controls. They enable organizations to carry out security tasks in a repeatable and controlled manner.

    Example: A phishing reporting procedure instructs employees to use the “Report Phish” button in email clients and to immediately notify the IT/security team.


    Cybersecurity Procedures Purpose

    The primary purpose of procedures is to ensure that cybersecurity policies are executed consistently and accurately in daily operations. They help reduce risk by providing clear instructions that minimize mistakes and misinterpretation. Procedures also enhance efficiency, support compliance with policies and regulations, and ensure that security tasks are performed in a standardized and repeatable manner across the organization.

    • Title and Purpose: The title and purpose section clearly identifies the procedure and explains its intended outcome. It provides a brief description of the task being performed and the purpose of the procedure, helping users quickly understand its goals and relevance within the organization.
    • Scope: The scope defines the systems, users, departments, or processes to which the procedure applies. It establishes clear boundaries regarding where and to whom the procedure is relevant, ensuring consistent application in the appropriate areas of the organization.
    • Roles and Responsibilities: This section outlines the individuals or teams responsible for performing, managing, and overseeing each part of the procedure. It ensures accountability by clearly assigning who completes each step and who is responsible for supervision or approval.
    • Step-by-Step Instructions: The step-by-step instructions provide detailed, chronological directions for completing the procedure. This section breaks the process into clear, actionable steps to ensure consistency, reduce errors, and guide users through the task from start to finish.
    • Required Tools or Systems: This section lists all tools, software, hardware, and other resources needed to successfully complete the procedure. It ensures users are prepared in advance and can perform the task efficiently without missing critical resources.
    • Verification and Compliance: Verification and compliance explain how the organization confirms that the procedure has been completed correctly and securely. This may include checks, logs, approvals, or audits to ensure the process meets policy requirements and security standards.
    • Exceptions or Special Cases: This section outlines situations in which deviations from the standard procedure are permitted. It also explains how exceptions are requested, approved, and documented to ensure they remain controlled and do not introduce unnecessary risks.
    • Review and Updates: This section specifies how frequently the procedure is evaluated and revised. This ensures the document remains current with changes in technology, threats, and organizational needs, maintaining its accuracy and effectiveness over time.

    Example: Acceptable Use Procedure (AUP)

    • User Responsibilities
      • Users must log in using their assigned credentials only.
      • Devices must be locked when unattended.
      • Company systems must be used for authorized business purposes only.
    • Prohibited Activities
      • Unauthorized access to systems or data is not allowed.
      • Installation of unapproved software is prohibited.
      • Accessing malicious or inappropriate websites is forbidden.
      • Sharing passwords or bypassing security controls is not permitted.
    • System and Data Protection
      • Devices must be kept up to date with security patches and antivirus software.
      • Security controls (firewalls, monitoring tools) must not be disabled.
      • Sensitive data must be stored and transmitted using approved secure methods.
    • Monitoring and Reporting
      • IT may monitor systems for compliance and security purposes.
      • Users must report suspicious activities or security incidents immediately.
    • Consequences of Non-Compliance
      • A warning or disciplinary action
      • Loss of system access
      • Termination of employment or contract
      • Legal action if necessary
  • Policies

    Policies

    A policy is a high-level mandatory statement of management intent, direction, and requirements that defines how an organization manages and protects its information systems and data. Policies establish the rules for acceptable behavior and provide a governance framework for managing cybersecurity risk.

    Cybersecurity policies focus on the “what” and “why” of security, rather than the technical implementation. They are designed to guide behavior, support compliance with legal and regulatory requirements, and ensure consistent security practices across the organization. The “how” is addressed in supporting documents such as standards, procedures, and guidelines.

    Example: An Acceptable Use Policy (AUP) that prohibits employees from clicking on suspicious links or using personal email accounts for work-related activities.


    Cybersecurity Policies

    The primary goal of cybersecurity policies is to protect information assets by safeguarding sensitive data, such as customer records, financial information, and intellectual property. These policies aim to reduce risk by minimizing the likelihood and impact of cyber threats, insider incidents, and human errors. They establish accountability by clearly defining the roles and responsibilities of employees, IT staff, and leadership. Additionally, cybersecurity policies support compliance by ensuring alignment with legal, regulatory, and industry standards, such as GDPR, HIPAA, PCI DSS, and ISO 27001. Moreover, these policies help build trust with customers and partners by demonstrating the organization’s commitment to security and its dedication to protecting sensitive information.

    • Protect Information Assets: Safeguard sensitive data, including customer records, financial information, and intellectual property.
    • Reduce Risk: Minimize the likelihood and impact of cyber threats, insider threats, and human error.
    • Establish Accountability: Define roles and responsibilities for employees, IT staff, and leadership.
    • Support Compliance: Ensure alignment with regulations and frameworks (e.g., GDPR, HIPAA, PCI DSS, ISO 27001).
    • Build Trust: Demonstrate to customers and partners that security is taken seriously.

    Cybersecurity Policy Components

    A cybersecurity policy consists of several essential components that outline how security is managed within an organization. 

    • Scope: The scope of a cybersecurity policy clearly defines who and what the policy applies to within an organization. This includes all users, such as employees, contractors, and third parties, as well as organizational systems, devices, networks, and data. Additionally, it specifies whether the policy applies organization-wide or only to specific departments or business units. By clearly defining these boundaries, the scope clarifies what is covered by the policy and helps ensure consistent application of security requirements across all relevant areas.
    • Objectives: The objectives of a cybersecurity policy outline the purpose and intended outcomes. This section explains why the policy exists and what the organization aims to achieve, such as protecting sensitive data, reducing cybersecurity risks, ensuring business continuity, and supporting regulatory compliance. These objectives help align security efforts with overall business goals and provide a clear direction for decision-making and security planning. Furthermore, they serve as a foundation for evaluating whether the policy effectively meets its intended goals.
    • Roles and Responsibilities: This section defines who is responsible for implementing, managing, and enforcing the organization’s cybersecurity policy. It outlines the duties of different stakeholders, including senior leadership, IT teams, security personnel, and general users. For example, leadership is responsible for approving policies, IT teams handle technical controls, and employees are tasked with following security procedures. Clearly defining these roles and responsibilities ensures accountability and helps prevent gaps in security ownership.
    • Policy Rules: Policy rules establish the high-level security requirements that all individuals and systems must follow. These rules provide mandatory guidelines, such as requiring multi-factor authentication, enforcing strong password standards, installing antivirus software, and restricting access to sensitive data. Unlike technical procedures, policy rules are not detailed instructions; they set the minimum security expectations for the organization. By ensuring consistency in security practices, they reduce the likelihood of security incidents caused by weak or inconsistent controls.
    • Compliance and Enforcement: This section explains how adherence to the policy is monitored and the consequences for violations. It may include disciplinary actions such as warnings, loss of access privileges, mandatory retraining, or termination, depending on the severity of the violation. This section also ensures that the organization can demonstrate compliance with legal, regulatory, and contractual requirements. Clear enforcement mechanisms reinforce the policy’s importance and encourage consistent adherence across the organization.
    • Review and Updates: The review and updates section defines how often the cybersecurity policy is evaluated and revised to remain effective. Since technology, threats, and regulations are constantly changing, policies must be regularly reviewed to ensure they remain relevant and up to date. This process may occur annually, semi-annually, or after significant security incidents or organizational changes. Regular updates ensure that the policy continues to address emerging risks and aligns with current best practices and compliance requirements.

    Cybersecurity Policies Examples

    Acceptable Use Policy (AUP)

    • Defines how employees and users may access and use organizational systems, networks, and data.
    • Key Points
      • Prohibits unauthorized or illegal activity.
      • Restricts the installation of unauthorized software.
      • Defines acceptable internet and email usage.
      • Outlines consequences for violations.

    Password Policy

    • Defines requirements for secure authentication practices.
    • Key Points
      • Minimum length and complexity requirements.
      • Restrictions on password reuse.
      • Multi-Factor Authentication (MFA) requirements.
      • Secure storage of passwords (hashed and salted, not in plaintext).

    Data Protection and Privacy Policy

    • Protects sensitive data, including Personally Identifiable Information (PII), financial data, and regulated information.
    • Key Points
      • Data classification (public, internal, confidential, restricted).
      • Encryption requirements for data in transit and at rest.
      • Secure data sharing methods.
      • Compliance with privacy laws and regulations.
      • Breach reporting requirements.

    Incident Response Policy

    • Defines how the organization prepares for and responds to cybersecurity incidents.
    • Key Points
      • Incident identification and classification.
      • Roles and responsibilities of response teams.
      • Escalation and communication procedures.
      • Recovery and post-incident review.

    Remote Work / BYOD Policy

    • Secures organizational data accessed outside the workplace or on personal devices.
    • Key Points
      • VPN and secure access requirements.
      • Device security (patching, antivirus, encryption).
      • Restrictions on jailbroken or rooted devices.
      • Reporting lost or stolen devices.
      • Safe use of public Wi-Fi (VPN required).
  • Risk

    Risk

    Risk refers to the potential for loss, damage, or harm to an organization’s systems, data, operations, or reputation. In the context of cybersecurity, risk arises when a threat can exploit a vulnerability, leading to negative consequences for the organization. It’s important to understand that risk does not indicate a guaranteed event; instead, it signifies the possibility of an adverse event occurring and the potential impact if it does. Organizations continuously identify, assess, and manage risks to protect their assets and ensure the continuity of their business operations.

    Cybersecurity risks can stem from various sources, including cybercriminals, malicious software, insider threats, human error, hardware failures, and natural disasters. Effective risk management allows organizations to understand their exposure to these threats and develop appropriate strategies to mitigate or manage potential harm.

    Example

    A company stores sensitive customer information in a database, and employees regularly receive email messages from external sources.

    • Threat: Phishing emails sent by cybercriminals.
    • Vulnerability: Employees have not received phishing awareness training.
    • Impact: Customer data may be compromised if the attack successfully targets an employee.

    This scenario represents a cybersecurity risk because a threat could exploit a vulnerability, resulting in harm to the organization.


    Risk Formula

    A common way to conceptually understand cybersecurity risk is: Risk = Threat × Vulnerability × Impact

    This formula is not a precise mathematical calculation but rather a conceptual model that illustrates the relationship among key risk factors. The model shows that risk increases when threats become more likely, vulnerabilities become more severe, or the potential impact grows.

    Threat

    A threat is anything capable of causing harm to an organization’s systems, data, or operations. The likelihood of a threat occurring contributes to the overall level of risk.

    Examples

    • Hackers and cybercriminals
    • Malware and ransomware
    • Phishing attacks
    • Insider threats
    • Natural disasters
    • Hardware failures

    Vulnerability

    A vulnerability is a weakness in technology, processes, or people that a threat can exploit. The greater the vulnerability, the easier it is for a threat to succeed.

    Examples

    • Weak passwords
    • Unpatched software
    • Misconfigured systems
    • Lack of employee training
    • Inadequate access controls
    • Outdated hardware

    Impact

    Impact refers to the potential consequences if a threat successfully exploits a vulnerability. The more severe the potential consequences, the greater the overall risk.

    Examples

    • Financial losses
    • Data breaches
    • Operational disruptions
    • Regulatory penalties
    • Loss of customer trust
    • Reputational damage

    Example Scenario

    • Threat: A phishing email targets employees.
    • Vulnerability: Employees have not received phishing awareness training.
    • Impact: Sensitive financial data could be stolen.
    • Result: High Risk

    To reduce this risk, the organization could provide security awareness training, implement email filtering solutions, and require multi-factor authentication.


    Types of Risk

    Cybersecurity risks can affect organizations in multiple ways. Understanding the different categories of risk helps organizations prioritize resources and implement appropriate security controls.

    Operational Risk

    Operational risk refers to the potential for loss or disruption that arises from failures in internal processes, people, systems, or external events affecting an organization’s daily operations. In the context of cybersecurity, operational risks can stem from various issues such as system outages, hardware failures, software bugs, human errors, inadequate procedures, cyberattacks, or natural disasters that interrupt critical business functions. 

    For example, a ransomware attack that shuts down company servers can prevent employees from accessing essential applications and data, leading to downtime, lost productivity, financial losses, and decreased customer satisfaction. 

    Organizations manage operational risk by implementing strong security controls, maintaining backup and disaster recovery plans, conducting employee training, and continuously monitoring systems to ensure that business operations remain resilient and reliable.

    Examples

    • Distributed Denial of Service (DDoS) attacks
    • Server failures
    • System outages
    • Human errors, such as accidental deletion of data

    Impact

    • Reduced productivity
    • Service interruptions
    • Increased recovery costs
    • Delayed business operations

    Financial Risk

    Financial risk refers to the potential for direct or indirect monetary losses resulting from cybersecurity incidents that affect an organization’s assets, operations, or reputation. These losses can stem from various issues, including data breaches, ransomware attacks, fraud, theft of financial information, business interruptions, regulatory fines, legal expenses, and the costs linked to incident response and recovery efforts.

    For instance, if a cybercriminal gains access to a company’s financial systems and steals sensitive customer data, the organization may incur significant expenses related to investigating the breach, notifying affected individuals, implementing corrective security measures, paying regulatory penalties, and defending against potential lawsuits. Additionally, lost revenue caused by downtime and decreased customer trust can further amplify the financial impact.

    Organizations can reduce financial risk by investing in cybersecurity controls, maintaining cyber insurance, conducting regular risk assessments, and implementing robust policies to safeguard critical financial and business assets.

    Examples

    • Ransomware payments
    • Business email compromise (BEC) fraud
    • Theft of financial information
    • Regulatory fines

    Impact

    • Loss of revenue
    • Increased operating costs
    • Legal expenses
    • Higher insurance premiums

    Reputational Risk

    Reputational risk refers to the potential damage to an organization’s public image, credibility, and trust among stakeholders following a cybersecurity incident. When a breach, data leak, or cyberattack becomes public, customers, partners, investors, and the general public may lose confidence in the organization’s ability to protect sensitive information and operate securely. This loss of trust can have long-lasting consequences, such as customer attrition, reduced sales, negative media coverage, challenges in attracting new business, and strained relationships with partners or regulators. 

    For example, if a company suffers a high-profile data breach that exposes customers’ personal information, even if financial losses are recovered, the perception of weak security practices may linger and damage the brand for years. Organizations can mitigate reputational risk by maintaining strong cybersecurity practices, communicating transparently and promptly during incidents, and demonstrating accountability through effective response and recovery efforts.

    Examples

    • Data breaches exposing customer information
    • Negative media coverage
    • Public disclosure of security failures

    Impact

    • Loss of customer confidence
    • Reduced market share
    • Difficulty attracting new customers
    • Long-term brand damage

    Compliance Risk

    Compliance risk arises when an organization fails to meet the legal, regulatory, or contractual security requirements that dictate how data and systems should be protected. In the realm of cybersecurity, this includes not adhering to industry standards such as PCI DSS for payment card data, HIPAA for healthcare information, and GDPR for personal data protection, as well as internal policies and customer-driven security requirements. 

    Non-compliance can lead to serious consequences, including regulatory fines, legal penalties, audit failures, the loss of business licenses, and contractual disputes with clients or partners. For instance, if a company does not properly encrypt customer data as required by law and a data breach occurs, it may face substantial fines in addition to the costs associated with remediation.

    Organizations can reduce compliance risk by implementing strong governance frameworks, conducting regular audits, maintaining up-to-date security policies, and ensuring that employees are trained to follow the necessary standards and procedures.

    Examples

    • Violations of GDPR
    • Violations of HIPAA
    • Failure to comply with PCI DSS
    • Noncompliance with industry security standards

    Impact

    • Regulatory penalties
    • Legal action
    • Audits and investigations
    • Loss of business opportunities

    Risk Response Strategies

    Risk response strategies are methods that organizations use to address identified risks after assessing their likelihood and impact. Once organizations understand these risks, they decide how to respond in a manner that aligns with their business objectives and acceptable levels of risk. The four primary strategies are Avoidance, Mitigation, Transfer, and Acceptance.

    Risk Avoidance

    Risk avoidance involves eliminating activities, processes, or technologies that pose unacceptable levels of risk.

    • Examples
      • Delaying the deployment of software that has known security vulnerabilities until patches are available.
      • Choosing not to store sensitive data on portable devices.
    • Pros
      • Eliminates the identified risk.
      • Reduces the likelihood of security incidents.
    • Cons
      • May limit business operations and innovation.
      • Some risks cannot be avoided because they are essential to business activities.

    Risk Mitigation (Reduction)

    Risk mitigation involves implementing controls to reduce either the likelihood or the impact of a risk.

    • Examples
      • Installing firewalls and antivirus software.
      • Applying security patches.
      • Conducting vulnerability assessments.
      • Providing cybersecurity awareness training.
      • Implementing multi-factor authentication (MFA).
    • Pros
      • Reduces the likelihood of successful attacks.
      • Minimizes potential damage from security incidents.
      • Allows organizations to continue operating while managing risk.
    • Cons
      • Requires ongoing investment in technology and personnel.
      • Cannot completely eliminate risk.

    Risk Transfer

    Risk transfer involves shifting some financial or contractual responsibility for a risk to another party.

    • Examples
      • Purchasing cyber liability insurance.
      • Using vendor contracts that include security requirements and liability provisions.
      • Outsourcing security operations to managed security service providers (MSSPs).
    • Pros
      • Reduces financial exposure.
      • Provides access to specialized expertise.
    • Cons
      • Does not eliminate the underlying risk.
      • Insurance policies and contracts may contain exclusions and limitations.

    Risk Acceptance (Retention)

    Risk acceptance occurs when an organization consciously decides to accept a risk after evaluating its likelihood and potential impact.

    • Examples
      • Accepting a low-risk vulnerability because the cost of remediation exceeds potential losses.
      • Continuing to operate a legacy system while monitoring it until replacement becomes feasible.
    • Pros
      • Allows resources to be focused on higher-priority risks.
      • Supports operational flexibility and business continuity.
    • Cons
      • The organization remains exposed to the risk.
      • Potential financial, operational, or reputational damage may occur if the risk materializes.
  • Governance, Risk, and Compliance

    Governance, Risk, and Compliance (GRC)

    Governance, Risk, and Compliance (GRC) is a strategic framework that helps organizations align their security practices with their business objectives. It achieves this by establishing policies, managing risks, and ensuring compliance with laws, regulations, and industry standards. GRC plays a crucial role in protecting information, minimizing risks, and facilitating informed business decisions.

    GRC Benefits

    • Align security practices with business objectives.
    • Protect sensitive information.
    • Reduce security and operational risks.
    • Enhance decision-making through improved visibility and control.

    Governance

    Governance encompasses the frameworks, policies, and procedures that guide an organization in directing and managing its cybersecurity and data protection efforts.

    • Frameworks: Industry standards and models that guide security practices (e.g., NIST, ISO 27001).
    • Policies: High-level rules that define acceptable behaviors and security requirements.
    • Procedures: Step-by-step instructions for implementing policies.
    • Decision-Making Structure: Clearly defined roles and responsibilities for managing security.
    • Business Alignment: Ensuring that security practices support organizational goals.

    Risk Management

    Risk management involves identifying, assessing, prioritizing, and mitigating potential threats that could affect an organization’s operations, data, or reputation.

    • Identification: Discovering potential risks through assessments and continuous monitoring.
    • Assessment: Evaluating the likelihood and potential impact of identified risks.
    • Prioritization: Ranking risks to focus on the most critical threats.
    • Mitigation: Implementing controls like security tools, policies, and response plans to reduce risks.

    Compliance

    Compliance ensures that an organization adheres to relevant laws, regulations, and industry standards.

    • Adherence to Laws and Standards: Following requirements such as FERPA, HIPAA, PCI DSS, and GDPR.
    • Documentation: Maintaining records of policies, training, and security controls.
    • Evidence Collection: Providing proof of compliance during audits or reviews.
    • Continuous Monitoring: Regularly reviewing systems and processes to sustain compliance.

    HIPAA GRC Example

    A hospital manages patient medical records electronically.

    • Governance: The hospital establishes policies and procedures that define who can access patient records, how sensitive information should be handled, and what security controls must be followed. Management assigns responsibilities for protecting patient information and ensures that security practices align with the hospital’s mission and regulatory obligations.
    • Risk Management: The hospital identifies risks such as unauthorized access, phishing attacks, ransomware, and data breaches. To reduce these risks, the hospital implements safeguards such as encryption, multi-factor authentication (MFA), employee security awareness training, access controls, and continuous system monitoring.
    • Compliance: The hospital adheres to the HIPAA Privacy, Security, and Breach Notification Rules and maintains documentation to demonstrate compliance during audits or investigations. Regular assessments, employee training, and policy reviews help ensure that the organization continues to meet HIPAA requirements and protect patient information.

    FERPA GRC Example

    A college manages sensitive student information, including grades, transcripts, enrollment details, and other academic records within its information systems. To protect this data from unauthorized access, misuse, or disclosure, the institution must implement robust safeguards.

    • Governance: The college establishes formal policies and procedures to manage and protect student records. These policies define who can access student information (such as faculty, advisors, and authorized staff), specify the systems authorized to store and process this data, and outline how long records must be retained. Clear roles and responsibilities are assigned to ensure accountability in protecting student data.
    • Risk Management: The college identifies potential risks to student information, including unauthorized access to student accounts, phishing attacks targeting staff or students, data breaches, and accidental sharing of records. To mitigate these risks, the college employs security measures such as role-based access restrictions, multi-factor authentication (MFA), encryption of sensitive data, security awareness training, and continuous monitoring of system activity.
    • Compliance: The college complies with the Family Educational Rights and Privacy Act (FERPA) to ensure that students’ educational records are protected under federal law. This includes obtaining proper consent before disclosing personally identifiable information, limiting access to authorized individuals with a legitimate

    PCI DSS GRC Example

    An online retailer processes customer purchases through its website, which involves collecting, transmitting, and storing credit card information. Because this data is highly sensitive, the organization must adhere to strict security practices to protect customer payment details and prevent fraud.

    • Governance: The company establishes formal policies for handling payment card data and defines clear roles and responsibilities for employees who manage or access this information. These policies outline how cardholder data should be stored, who is allowed to access it, how long it can be retained, and how systems must be secured. Leadership also ensures that security expectations are aligned with business operations and the need for customer trust.
    • Risk Management: The company identifies cybersecurity risks that could compromise payment card data, including credit card theft, phishing attacks, malware infections, ransomware, and unauthorized access to customer accounts or payment systems. To mitigate these risks, the company implements security controls such as encryption of cardholder data, firewalls to protect network boundaries, multi-factor authentication (MFA), intrusion detection systems, secure software development practices, and continuous monitoring of system activity. Regular vulnerability scans and security testing are also conducted to identify and address weaknesses.
    • Compliance: The company complies with PCI DSS requirements to ensure cardholder data is adequately protected. This involves meeting security standards for storing, processing, and transmitting payment information, conducting regular compliance assessments, and maintaining documentation for audits. Depending on transaction volume, the company may complete self-assessment questionnaires or undergo external audits by a Qualified Security Assessor (QSA).
  • Security Controls

    Security Controls

    Security controls are countermeasures or safeguards designed to protect information systems, networks, and data from cyber threats and attacks. Their main goal is to detect, prevent, and mitigate risks so that valuable assets remain secure, available, and reliable.

    These controls can take many forms:

    • Technical controls (e.g., firewalls, encryption, intrusion detection systems).
    • Administrative controls (e.g., policies, training, incident response procedures).
    • Physical controls (e.g., locked server rooms, surveillance cameras, security guards).

    By combining these safeguards, organizations create a layered defense strategy that reduces vulnerabilities, ensures regulatory compliance, and strengthens resilience against cyberattacks.


    Security Controls Functions

    • Deterrent Controls
      • Purpose: Reduce the likelihood of a deliberate attack by discouraging malicious actors.
      • How they work: These controls create the perception that an attack will fail or that the attacker will be caught.
    • Preventive Controls
      • Purpose: Stop an attack from happening in the first place.
      • How they work: They block or restrict malicious activity before it causes harm.
    • Detective Controls
      • Purpose: Identify when an attack or suspicious activity is happening.
      • How they work: These controls monitor, log, and alert when anomalies or breaches occur.
    • Corrective Controls
      • Purpose: Reverse or minimize the damage caused by an incident once it has occurred.
      • How they work: They aim to contain the attack, fix vulnerabilities, and prevent recurrence.
    • Recovery Controls
      • Purpose: Restore systems and operations back to their normal condition after an incident.
      • How they work: They ensure business continuity and help the organization return to a fully functional state.

    These five functions create a comprehensive security strategy: deterrence (discouraging attacks), prevention (blocking incidents before they occur), detection (spotting issues), correction (fixing problems), and recovery (restoring normal operations).


    Physical

    • Deterrent (Discourage attacks or intrusions)
      • Purpose: Make potential attackers think twice before attempting unauthorized access or damage.
      • Examples:
        • Warning signs (e.g., “Authorized Personnel Only,” “24/7 Surveillance”).
        • Visible security guards or patrols.
        • Well-lit areas around buildings to reduce concealment opportunities.
        • Fake cameras or dummy equipment (sometimes used to discourage casual intruders).
    • Preventive (Block attacks before they occur)
      • Purpose: Create physical barriers to stop unauthorized entry or access.
      • Examples:
        • Fences and gates securing the perimeter.
        • Locked doors and cabinets for sensitive equipment.
        • Biometric access controls (fingerprint, iris scan).
        • Turnstiles or mantraps in secure facilities.
        • Security guards checking IDs at entrances.
    • Detective (Identify intrusions or incidents in progress)
      • Purpose: Monitor and detect unauthorized activities or physical breaches.
      • Examples:
        • CCTV (Closed-Circuit Television) for surveillance and evidence collection.
        • Motion detectors and alarms to spot unusual activity.
        • Access logs from card readers or biometric scanners.
        • Environmental sensors (smoke detectors, water leak detectors, temperature sensors).
    • Corrective (Mitigate damage after an incident)
      • Purpose: Limit the impact of a physical incident and help restore security.
      • Examples:
        • Fire suppression systems (sprinklers, inert gas systems) to minimize fire damage.
        • Emergency response teams handling breaches or accidents.
        • Lock rekeying or reprogramming after lost/stolen keys or badges.
        • Containment measures (e.g., sealing off flooded or contaminated areas).
    • Recovery (Return to normal operations)
      • Purpose: Restore physical infrastructure and operations after a disruption.
      • Examples:
        • Disaster recovery sites (alternate office locations or data centers).
        • Repairing physical damage to buildings, power systems, or equipment.
        • Restoring utilities (electricity, HVAC, internet connectivity).
        • Relocating staff and assets temporarily until the primary site is functional again.

    Technical

    • Deterrent (Discourage attacks or misuse)
      • Purpose: Reduce the likelihood of malicious activity by warning or discouraging attackers before they act.
      • Examples:
        • Security banners on login screens (e.g., “Access restricted—unauthorized use will be monitored and prosecuted”).
        • System-generated warnings (e.g., failed login attempt alerts).
        • False directories or dummy accounts designed to frustrate and deter intruders.
    • Preventive (Block attacks before they happen)
      • Purpose: Actively prevent threats from penetrating systems or networks.
      • Examples:
        • Firewalls to filter unauthorized traffic.
        • Multi-Factor Authentication (MFA) to stop credential-based attacks.
        • Encryption to prevent data theft during transit or at rest.
        • Access control lists (ACLs) to restrict user privileges.
        • Endpoint security software (antivirus, anti-malware).
    • Detective (Identify malicious activity in progress)
      • Purpose: Monitor, detect, and alert on suspicious activities or intrusions.
      • Examples:
        • SIEM (Security Information and Event Management) for real-time log analysis and threat detection.
        • IDS (Intrusion Detection Systems) to flag unauthorized access attempts.
        • Honeypots and honeynets to lure attackers and study their tactics.
        • Anomaly detection systems to identify unusual traffic patterns or user behaviors.
        • File integrity monitoring to detect unauthorized modifications.
    • Corrective (Mitigate damage after detection)
      • Purpose: Contain, remove, or repair the impact of a cyber incident.
      • Examples:
        • Applying security patches to close vulnerabilities.
        • Quarantining malware to prevent further spread.
        • Disabling compromised accounts to stop unauthorized activity.
        • Reconfiguring firewalls or access controls after a breach.
        • Updating signatures in intrusion prevention systems.
    • Recovery (Restore systems to normal operations)
      • Purpose: Bring systems back to a secure, functional state after an attack or failure.
      • Examples:
        • Data backups and restores (offsite, cloud-based, or local).
        • Disaster recovery solutions (secondary data centers, cloud failover).
        • System reimaging to ensure a clean, uncompromised environment.
        • Redundancy mechanisms (RAID, load balancing, failover clustering).
        • Business continuity tools ensuring minimal downtime.

    Administrative

    • Deterrent (Discourage violations or malicious behavior)
      • Purpose: Set expectations and warn users or potential attackers of consequences for policy violations or malicious activity.
      • Examples:
        • Policies and procedures clearly outlining acceptable use, password management, and data handling rules.
        • Code of conduct agreements that employees must sign before accessing systems.
        • Awareness campaigns that emphasize disciplinary actions for security breaches.
        • Regulatory compliance mandates (e.g., HIPAA, GDPR, PCI-DSS) that carry penalties for noncompliance.
    • Preventive (Stop incidents before they occur)
      • Purpose: Establish administrative measures to reduce the chance of security breaches.
      • Examples:
        • Separation of duties (no single individual has complete control over a critical process, reducing insider threats).
        • Data classification policies to ensure sensitive information is handled appropriately.
        • User training and awareness programs to prevent phishing and social engineering attacks.
        • Background checks during hiring to reduce insider threat risk.
        • Access approval processes requiring managerial authorization.
    • Detective (Identify policy violations or suspicious activities)
      • Purpose: Provide oversight to detect security incidents and ensure compliance with policies.
      • Examples:
        • Audit logs and reviews to track user activity.
        • Regular compliance audits to verify adherence to security policies.
        • Internal investigations into unusual or suspicious behavior.
        • Security assessments and penetration tests to detect weaknesses.
    • Corrective (Limit damage and restore order after incidents)
      • Purpose: Define structured administrative processes to mitigate the impact of a security event.
      • Examples:
        • Incident Response Plan (IRP) with roles, responsibilities, and steps for handling incidents.
        • Business Continuity Plan (BCP) to maintain essential operations during disruptions.
        • Policy updates and retraining after identifying gaps that contributed to an incident.
        • Post-incident reviews (lessons learned) to improve future resilience.
    • Recovery (Return operations to normal conditions)
      • Purpose: Establish high-level organizational measures to fully recover from significant disruptions.
      • Examples:
        • Disaster Recovery Plan (DRP) for restoring IT infrastructure and operations after major incidents.
        • Communication plans for informing stakeholders during recovery.
        • Succession planning to ensure leadership continuity during crises.
        • Periodic DR/BCP testing (tabletop exercises, simulations) to validate readiness.
  • Identification, Authentication, Authorization, and Accountability


    Identification

    Identification is the process of claiming or declaring an identity, where a person, system, or object presents information that indicates who or what they are. It is the first step in identity verification, often involving credentials such as a username, ID number, card, or biometric data that represent the claimed identity. Identification by itself does not prove authenticity; instead, it signals the intent of the entity to be recognized, which is later confirmed through authentication mechanisms. This process is essential in security systems, as it establishes the basis for determining access rights and privileges.

    • Username
    • SSN

    Example

    id # command that shows user identity information (UID, GID, groups)

    id

    whoami # command that prints the current logged-in username

    whoami

    Authentication

    Authentication is the process of verifying that a claimed identity is valid by confirming that the person, system, or object truly is who or what they assert to be. It typically follows identification and uses various methods such as passwords, PINs, security tokens, smart cards, or biometrics like fingerprints and facial recognition. Authentication can be implemented through single-factor, two-factor, or multi-factor approaches, depending on the required security level. By validating the authenticity of an identity before granting access, authentication helps prevent unauthorized use, strengthens trust, and protects sensitive systems and data.

    Authentication factors

    • Something you know
      • Password
        • A sequence of characters that identifies a user
      • Personal Identification Number (PIN)
        • A sequence of numbers that identifies a user
    • Something you have
      • Passport
        • A travel document issued by a government that verifies the holder's identity for international travel
      • Smartphone
        • A cellular telephone with an integrated computer 
      • Smart Card
        • A physical plastic card with an embedded microprocessor that stores and processes data (It acts as a security token)
      • Token
        • A device that’s used to gain access to a restricted resource (Might include name, password, key, certificate, group, privilege)
    • Something you are
      • Fingerprint
        • A unique pattern made by a person’s fingertip friction ridges
      • Facial recognition
        • A technology that identifies a user based on their face
      • Iris Scan
        • A technology that identifies a user based on their iris
    • Somewhere you are
      • IP address
        • A logical network address that is used to locate the device
      • MAC Address
        • A physical network address that is used to locate the device
    • Something you do
      • Pattern unlock
        • A technology that identifies a user based on drawing a specific pattern 
      • Picture Password
        • A technology that identifies a user based on selection of images

    Example

    passwd # command used to set or change a user’s password in Linux

    passwd

    Authorization

    Authorization is the process of determining what actions, resources, or services a person, system, or object is permitted to access after their identity has been successfully verified through authentication. It defines the level of access granted, such as whether a user can read, modify, delete, or execute specific files, applications, or functions. Authorization is typically enforced through policies, access control lists, or role-based access control (RBAC), ensuring that users only perform actions aligned with their roles and responsibilities. This step is critical for enforcing the principle of least privilege, reducing security risks, and protecting sensitive information from misuse or unauthorized access.

    • Access Control
      • A security technique to protect a system against unauthorized access

    Example

    echo # command that prints text to the terminal or output stream
    "QeeqBox" # the text string being written
    > # output redirection operator
    file.txt # the file where the output will be written (created or overwritten)

    echo "QeeqBox" > file.txt

    sudo # run the command with administrative (root) privileges
    groupadd # command used to create a new group in Linux
    sales # name of the group being created

    sudo groupadd sales

    sudo # run the command with administrative (root) privileges
    chown # command to change ownership of a file
    john # user who will become the new owner
    file.txt # file whose ownership is being changed

    sudo chown john file.txt

    sudo # run the command with administrative (root) privileges
    chgrp # command to change group ownership of a file
    sales # group that will become the new group owner
    file.txt # file whose group is being changed

    sudo chgrp sales file.txt

    Accountability (Auditing)

    Accountability (Auditing) is the ability to trace actions, events, or system changes back to a specific individual, system, or object, ensuring that every activity within an environment can be attributed to its source. It involves maintaining detailed logs, audit trails, and monitoring mechanisms that record who did what, when, and how. Accountability helps detect misuse, supports investigations, enforces compliance with policies and regulations, and promotes responsible behavior by making users aware that their actions are being tracked. By providing transparency and traceability, auditing strengthens overall security and trust within an organization’s systems.

    • Audit logs

    Example

    who # shows currently logged-in users on the system

    who

    last # shows history of user logins and system reboots

    last

    sudo # runs the command with root (admin) privileges
    cat # command used to display file contents
    /var/log/auth.log # system authentication log file (login, sudo, SSH events) on Debian/Ubuntu; RHEL-family systems use /var/log/secure

    sudo cat /var/log/auth.log
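
    Reading the log is only the first step; accountability means turning each line into a record of who did what, when, and with what outcome. The following is an added example, not code from the original page, that parses constructed auth.log lines in the traditional syslog layout. The host, users and IP addresses are made up, and systems that log with other timestamp formats would need a different prefix pattern.

```python
import re
from collections import Counter

# Constructed sample lines in the traditional syslog layout of
# /var/log/auth.log (host, users and IP addresses are made up).
SAMPLE_AUTH_LOG = """\
Mar 10 09:15:02 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 09:15:10 web01 sshd[1234]: Failed password for john from 203.0.113.5 port 51240 ssh2
Mar 10 09:16:01 web01 sshd[1250]: Accepted password for john from 198.51.100.7 port 40022 ssh2
Mar 10 09:17:30 web01 sudo:     john : TTY=pts/0 ; PWD=/home/john ; USER=root ; COMMAND=/usr/bin/cat /var/log/auth.log
Mar 10 09:18:44 web01 sudo:     jane : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jane ; USER=root ; COMMAND=/usr/sbin/useradd mallory
Mar 10 09:19:00 web01 CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "Mar 10 09:15:02 web01 sshd[1234]: message"
PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w./-]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
SSH_LOGIN = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SUDO_CMD = re.compile(
    r"^(?P<user>\S+) : (?P<denied>user NOT in sudoers ; )?"
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_events(text):
    """Turn auth.log lines into audit records: who, what, when, outcome."""
    events = []
    for line in text.splitlines():
        prefix = PREFIX.match(line)
        if not prefix:
            continue  # not a syslog-formatted line
        proc, msg = prefix["proc"], prefix["msg"]
        if proc == "sshd" and (m := SSH_LOGIN.match(msg)):
            events.append({
                "when": prefix["ts"], "who": m["user"], "action": "ssh_login",
                "outcome": "success" if m["result"] == "Accepted" else "failure",
                "detail": m["ip"],
            })
        elif proc == "sudo" and (m := SUDO_CMD.match(msg)):
            events.append({
                "when": prefix["ts"], "who": m["user"], "action": "sudo",
                "outcome": "denied" if m["denied"] else "allowed",
                "detail": f"as {m['target']}: {m['cmd']}",
            })
        # other processes (cron, PAM session messages) are ignored here
    return events


def failed_logins_by_source(events):
    """Count failed SSH logins per source address."""
    return dict(Counter(
        e["detail"] for e in events
        if e["action"] == "ssh_login" and e["outcome"] == "failure"
    ))


def actions_by(events, user):
    """Audit trail for one identity, in log order."""
    return [
        (e["when"], e["action"], e["outcome"], e["detail"])
        for e in events if e["who"] == user
    ]


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_AUTH_LOG)
    for record in actions_by(parsed, "john"):
        print(record)
    print(failed_logins_by_source(parsed))
```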

    Identity Management (IdM)

    Identity Management (IdM) is the process of managing and controlling digital identities within an organization or system. It involves creating, maintaining, and governing user accounts, as well as assigning appropriate access rights and permissions based on roles or responsibilities. IdM ensures that only authorized individuals can access specific resources, applications, or data, while also maintaining compliance and security. This process includes activities such as authentication, authorization, password management, and account lifecycle management, helping to protect sensitive information and streamline user access.

    Example

    sudo # run command with admin (root) privileges
    useradd # command to create a new user account
    john # username being created

    sudo useradd john

    sudo # run command with admin (root) privileges
    passwd # command to set/change a user password
    john # username whose password is being set

    sudo passwd john

    Access Management (AM)

    Access Management (AM) is the process of ensuring that people, systems, or objects have the appropriate level of access to resources, applications, and data based on their roles and responsibilities. It deals specifically with permissions and privileges, determining what a user or entity can do once authenticated. AM enforces policies such as granting, restricting, or revoking access, often using methods like role-based access control (RBAC), attribute-based access control (ABAC), or least privilege principles. By managing access effectively, organizations can reduce the risk of unauthorized activities, protect sensitive assets, and maintain compliance with security and regulatory requirements.

    Example

    echo # command that prints text to the terminal or output stream
    "QeeqBox" # the text string being written
    > # output redirection operator
    file.txt # the file where the output will be written (created or overwritten)

    echo "QeeqBox" > file.txt

    sudo # run the command with administrative (root) privileges
    groupadd # command used to create a new group in Linux
    sales # name of the group being created

    sudo groupadd sales

    sudo # run the command with administrative (root) privileges
    chown # command to change ownership of a file
    john # user who will become the new owner
    file.txt # file whose ownership is being changed

    sudo chown john file.txt

    sudo # run the command with administrative (root) privileges
    chgrp # command to change group ownership of a file
    sales # group that will become the new group owner
    file.txt # file whose group is being changed

    sudo chgrp sales file.txt

    Identity and Access Management (IAM)

    Identity and Access Management (IAM) is the integrated framework of policies, processes, and technologies used to manage and control digital identities while ensuring that users, systems, or objects have the appropriate level of access to organizational resources. It combines Identity Management (IdM), which focuses on creating and maintaining digital identities, with Access Management (AM), which governs permissions and privileges. IAM solutions handle authentication, authorization, and account lifecycle management, enforcing security principles like least privilege and separation of duties. By implementing IAM, organizations can safeguard sensitive data, streamline user access, improve operational efficiency, and ensure compliance with industry regulations.

  • Access Controls

    Access Controls

    Access Control is a security technique that regulates who or what can view, use, or interact with resources in a system, thereby protecting it against unauthorized access. It involves defining and enforcing policies that determine permissions based on user roles, attributes, or contexts, ensuring that only authorized entities can perform specific actions. Common models include Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC), each offering different levels of granularity and security. By restricting access to sensitive data and critical systems, access control minimizes risks, supports compliance, and upholds the confidentiality, integrity, and availability of information.


    Attribute-based Access Control (ABAC)

    Attribute-Based Access Control (ABAC) is an access control model that grants or denies access to resources based on a combination of attributes associated with users, resources, actions, and the environment. Attributes can include factors such as a user’s role, department, security clearance, location, time of access, or even device type. ABAC policies use logical rules to evaluate these attributes and determine whether access should be permitted, making it highly flexible and context-aware. Unlike role-based models, ABAC allows more fine-grained control, enabling organizations to enforce dynamic and situation-specific access decisions that strengthen security and compliance.

    • User attributes
    • Object attributes
    • Environment conditions

    Example

    user_attrs = { # dictionary storing attributes for each user
        "john": {"role": "admin", "department": "IT"}, # john is admin in IT department
        "jane": {"role": "dev", "department": "Sales"} # jane is developer in Sales department
    }

    resource_attrs = { # dictionary storing attributes for each resource
        "apache.log": {"department": "IT", "sensitivity": "high"}, # IT log file with high sensitivity
        "report.txt": {"department": "Sales", "sensitivity": "low"} # Sales report with low sensitivity
    }

    def check_access(user, resource):
        if not user_attrs.get(user) or not resource_attrs.get(resource): # check if user or resource exists
            return False # deny access if either is missing
        if user_attrs.get(user)["department"] == resource_attrs.get(resource)["department"]: # check department match
            return True # allow access if user and resource belong to same department
        if user_attrs.get(user)["role"] == "admin": # check if user has admin role
            return True # allow access if user is admin
        return False # deny access if no rules matched

    print(check_access("john", "apache.log")) # test access for john to apache.log (will succeed)
    print(check_access("jane", "apache.log")) # test access for jane to apache.log (will fail)

    user_attrs = {
      "john": {"role": "admin", "department": "IT"},
      "jane": {"role": "dev", "department": "Sales"}
    }
    resource_attrs = {
      "apache.log": {"department": "IT", "sensitivity": "high"},
      "report.txt": {"department": "Sales", "sensitivity": "low"}
    }

    def check_access(user, resource):
        if not user_attrs.get(user) or not resource_attrs.get(resource):
            return False
        if user_attrs.get(user)["department"] == resource_attrs.get(resource)["department"]:
            return True
        if user_attrs.get(user)["role"] == "admin":
            return True
        return False

    print(check_access("john", "apache.log"))
    print(check_access("jane", "apache.log"))

    Output

    True
    False
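
    The example above evaluates only user and object attributes. The following added example, which is not part of the original page, extends it with the action and the environment conditions the ABAC description mentions, using deny-by-default and deny-overrides rule evaluation. The `hour` and `device_managed` environment attributes, the `read`/`write` actions and the three rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# User and resource attributes taken from the page's example.
USER_ATTRS = {
    "john": {"role": "admin", "department": "IT"},
    "jane": {"role": "dev", "department": "Sales"},
}
RESOURCE_ATTRS = {
    "apache.log": {"department": "IT", "sensitivity": "high"},
    "report.txt": {"department": "Sales", "sensitivity": "low"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    # condition(subject_attrs, resource_attrs, action, environment) -> bool
    condition: Callable[[dict, dict, str, dict], bool]


# Hypothetical policy: rule names and conditions are assumptions.
POLICY = [
    # High-sensitivity resources need a managed device during business hours.
    Rule("high-sensitivity-needs-trusted-context", "deny",
         lambda s, r, a, e: r["sensitivity"] == "high"
         and not (e.get("device_managed") and 8 <= e.get("hour", -1) < 18)),
    # Members of the owning department may read.
    Rule("same-department-read", "permit",
         lambda s, r, a, e: a == "read" and s["department"] == r["department"]),
    # Admins may read and write anywhere (subject to the deny rule above).
    Rule("admin-read-write", "permit",
         lambda s, r, a, e: s["role"] == "admin" and a in ("read", "write")),
]


def decide(user, resource, action, env):
    """Return (decision, rule_name). Any matching deny wins; no match means deny."""
    subject = USER_ATTRS.get(user)
    res = RESOURCE_ATTRS.get(resource)
    if subject is None or res is None:
        return ("deny", "unknown-subject-or-resource")
    first_permit = None
    for rule in POLICY:
        if rule.condition(subject, res, action, env):
            if rule.effect == "deny":
                return ("deny", rule.name)  # deny overrides any permit
            first_permit = first_permit or rule.name
    if first_permit:
        return ("permit", first_permit)
    return ("deny", "default-deny")


if __name__ == "__main__":
    office = {"hour": 10, "device_managed": True}
    night = {"hour": 23, "device_managed": True}
    print(decide("john", "apache.log", "read", office))
    print(decide("john", "apache.log", "read", night))
    print(decide("jane", "report.txt", "write", office))
```

    Returning the name of the rule that decided the request gives the audit log a reason for every permit and deny.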

    Discretionary Access Control (DAC)

    Discretionary Access Control (DAC) or Owner-based Access Control is an access control model in which the owner of a resource has the authority to decide who can access it and what level of access is granted. This model relies on Access Control Lists (ACLs), which are used to specify the permissions for individual users or groups, such as read, write, or execute rights. DAC provides flexibility by allowing owners to manage access to their resources directly, but it can also introduce security risks if permissions are misconfigured or broadly shared. It is widely used in operating systems and file systems, where individual users control access to their own files while maintaining a balance between usability and security.

    • The data owner of an organization determines the level of access

    Example

    files = { # dictionary storing file ownership and permissions
        "report.txt": { # file name key in the system
            "owner": "alice", # user who owns the file (has highest control in DAC)
            "permissions": { # permission rules for users and others
                "alice": "rw", # owner permissions: read and write
                "sales": "r", # sales group can only read the file
                "others": "r" # default permissions for all other users
            }
        }
    }

    def can_access(user, file, action):
        if not files.get(file): # check if the requested file exists in the system
            return False # deny access if file is not found
        if user in files.get(file)["permissions"] and action in files.get(file)["permissions"][user]: # check if user has explicit permission
            return True # allow access if user has matching permission for the action
        return action in files.get(file)["permissions"]["others"] # otherwise fall back to the "others" permission

    print(can_access("alice", "report.txt", "r")) # owner access (expected True because alice has rw)
    print(can_access("alice", "report.txt", "x")) # invalid action for owner (expected False because "x" not in rw)
    print(can_access("sales", "report.txt", "r")) # sales has read permission (expected True)
    print(can_access("test", "report.txt", "r")) # unknown user treated as "others" (expected True because others = r)

    files = {
      "report.txt": {
          "owner": "alice",
          "permissions": {
              "alice": "rw",
              "sales": "r",
              "others": "r"
          }
      }
    }

    def can_access(user, file, action):
        if not files.get(file):
            return False
        if user in files.get(file)["permissions"] and action in files.get(file)["permissions"][user]:
            return True
        return action in files.get(file)["permissions"]["others"]

    print(can_access("alice", "report.txt", "r"))
    print(can_access("alice", "report.txt", "x"))
    print(can_access("sales", "report.txt", "r"))
    print(can_access("test", "report.txt", "r"))

    Output

    True
    False
    True
    True

    Graph-based Access Control (GBAC)

    Graph-Based Access Control (GBAC) is an access control model that determines permissions based on the relationships between data, users, and resources within a system. In GBAC, entities and their interactions are represented as nodes and edges in a graph, allowing access decisions to be made by analyzing these connections. For example, a user’s access to a document might depend on their relationship to the document’s owner or their position within an organizational network. This model provides fine-grained, context-aware control, enabling organizations to enforce dynamic policies that reflect complex real-world relationships, making it particularly useful in social networks, collaborative environments, and interconnected data systems.

    • Using an organizational query language (john -> admin_role -> IT_access -> apache.log)

    Example

    graph = { # GBAC graph showing relationships between users, roles, and resources

        "john": ["admin_role"], # john is assigned to admin role
        "jane": ["sales_role"], # jane is assigned to sales role

        "admin_role": ["IT_access", "Security_access"], # admin role grants IT and security access
        "sales_role": ["Salesforce_access"], # sales role grants Salesforce access

        "IT_access": ["apache.log", "system_logs"], # IT access allows system logs and apache logs
        "Security_access": ["security.log"], # security access allows security logs
        "Salesforce_access": ["report.txt", "app_code"] # salesforce access allows reports and code access
    }

    def check_access(user, resource): # function to check access using graph traversal
        def depth_first_search(node, target, visited=None): # depth-first search to traverse graph
            if visited is None:
                visited = set() # track visited nodes to avoid loops
            if node == target: # if target resource is reached
                return True # access is allowed
            visited.add(node) # mark current node as visited
            for neighbor in graph.get(node, []): # explore connected nodes
                if neighbor not in visited: # avoid revisiting nodes
                    if depth_first_search(neighbor, target, visited): # recursive search
                        return True # access granted if path found
            return False # no valid path found
        return depth_first_search(user, resource) # start search from user node

    print(check_access("john", "apache.log")) # True (john -> admin_role -> IT_access -> apache.log)
    print(check_access("jane", "app_code")) # True (jane -> sales_role -> Salesforce_access -> app_code)
    print(check_access("jane", "security.log")) # False (no path from jane to security.log)

    graph = {
        "john": ["admin_role"],
        "jane": ["sales_role"],
        "admin_role": ["IT_access", "Security_access"],
        "sales_role": ["Salesforce_access"],
        "IT_access": ["apache.log", "system_logs"],
        "Security_access": ["security.log"],
        "Salesforce_access": ["report.txt", "app_code"]
    }

    def check_access(user, resource):
        def depth_first_search(node, target, visited=None):
            if visited is None:
                visited = set()
            if node == target:
                return True
            visited.add(node)
            for neighbor in graph.get(node, []):
                if neighbor not in visited:
                    if depth_first_search(neighbor, target, visited):
                        return True
            return False
        return depth_first_search(user, resource)

    print(check_access("john", "apache.log"))
    print(check_access("jane", "app_code"))
    print(check_access("jane", "security.log"))

    Output

    True
    True
    False

    History-Based Access Control (HBAC)

    History-Based Access Control (HBAC) is an access control model that determines whether a user, system, or object can access a resource based on the evaluation of their past activities or behavior. Unlike static models, HBAC dynamically considers a history of actions (such as previous logins, transaction patterns, or resource usage) to make real-time access decisions. For example, a user who has performed unusual or risky actions in the past may be temporarily restricted from sensitive operations. By leveraging behavioral history, HBAC enhances security, helps prevent misuse, and enables more context-aware, adaptive access control that responds to potential threats or anomalies as they occur.

    • A user is denied access to sensitive information because of past behavior

    Example

    user_history = { # stores past actions performed by each user
        "john": ["success_login", "read_log", "write_log"], # john's activity history
        "jane": ["success_login", "failed_login", "read_report"] # jane's activity history
    }

    restricted_actions = ["failed_login", "security_violation"] # actions that indicate risky or bad behavior

    def check_access(user, action): # function to decide access based on user history
        history = user_history.get(user, []) # get user history or empty list if user not found
        for event in history: # loop through each past action in user's history
            if event in restricted_actions: # check if any action is considered risky
                return False # deny access if bad behavior is found in history
        return True # allow access if no restricted actions are found

    print(check_access("john", "access_log")) # check access for john (expected True)
    print(check_access("jane", "access_log")) # check access for jane (expected False due to failed_login)

    user_history = {
        "john": ["success_login", "read_log", "write_log"],
        "jane": ["success_login", "failed_login", "read_report"]
    }

    restricted_actions = ["failed_login", "security_violation"]

    def check_access(user, action):

        history = user_history.get(user, [])
        for event in history:
            if event in restricted_actions:
                return False
        return True

    print(check_access("john", "access_log"))
    print(check_access("jane", "access_log"))

    Output

    True
    False
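
    The example above denies a user permanently once any risky event is in their history. As an added example (not from the original page), the check below gives each event a timestamp and applies a look-back window, so a restriction lifts once the risky events age out; the policy thresholds, action names, sample history, and the choice to deny users with no history are assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 15, 12, 0)  # constructed reference time for the sample data

# Constructed history: (timestamp, event) pairs, so that old events can age out.
user_history = {
    "john": [(NOW - timedelta(days=3), "failed_login"),
             (NOW - timedelta(minutes=5), "success_login")],
    "jane": [(NOW - timedelta(minutes=20), "failed_login"),
             (NOW - timedelta(minutes=12), "failed_login"),
             (NOW - timedelta(minutes=4), "failed_login")],
    "eve": [(NOW - timedelta(hours=2), "security_violation")],
}

# Assumed policy: risky event -> (look-back window, count that triggers a restriction).
RISK_POLICY = {
    "failed_login": (timedelta(minutes=30), 3),
    "security_violation": (timedelta(hours=24), 1),
}
SENSITIVE_ACTIONS = {"access_log", "export_report"}  # assumed action names


def check_access(user, action, now, history=user_history):
    """Return (allowed, reason) for `user` attempting `action` at time `now`."""
    if user not in history:
        return False, "no history on record"  # fail closed for unknown users
    if action not in SENSITIVE_ACTIONS:
        return True, "action is not sensitive"
    for event, (window, threshold) in RISK_POLICY.items():
        # Count only the events of this type that fall inside the look-back window.
        recent = [ts for ts, ev in history[user]
                  if ev == event and now - window <= ts <= now]
        if len(recent) >= threshold:
            return False, f"{len(recent)} x {event} within {window}"
    return True, "no recent risky activity"


if __name__ == "__main__":
    for name in ("john", "jane", "eve", "mallory"):
        print(name, check_access(name, "access_log", NOW))
    # jane again, after her failed logins have aged out of the 30-minute window
    print("jane (+31 min)", check_access("jane", "access_log", NOW + timedelta(minutes=31)))
```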

    Identity-Based Access Control (IBAC)

    Identity-Based Access Control (IBAC) is an access control model in which access to resources is granted or denied based on the specific identity of an individual user rather than a group or role. Each user is assigned explicit permissions that define what actions they can perform on particular resources, ensuring precise, user-specific control. This model provides a high level of granularity and accountability, as every action can be traced directly to a single identity. IBAC is particularly useful in environments where individualized access policies are required, such as sensitive data systems, administrative applications, or scenarios demanding strict auditing and compliance.

    • A specific user has access to sensitive information

    Example 

    access_list = { # dictionary mapping user identity to allowed resources
        "john": ["apache.log", "system_logs"], # john can access apache.log and system_logs
        "jane": ["report.txt"] # jane can only access report.txt
    }

    def check_access(user, resource):
        allowed_resources = access_list.get(user, []) # get list of resources allowed for the user
        if resource in allowed_resources: # check if requested resource is in user's allowed list
            return True # allow access if resource is found
        return False # deny access if resource is not found

    print(check_access("john", "apache.log")) # True (john has access)
    print(check_access("john", "report.txt")) # False (john not allowed)
    print(check_access("jane", "report.txt")) # True (jane has access)

    access_list = {
        "john": ["apache.log", "system_logs"],
        "jane": ["report.txt"]
    }

    def check_access(user, resource):
        allowed_resources = access_list.get(user, [])
        if resource in allowed_resources:
            return True
        return False

    print(check_access("john", "apache.log"))
    print(check_access("john", "report.txt"))
    print(check_access("jane", "report.txt"))

    Output

    True
    False
    True

    Mandatory Access Control (MAC)

    Mandatory Access Control (MAC) is an access control model in which access to resources is strictly regulated by policies set by a central authority rather than by individual users. In MAC, every user and resource is assigned a classification or security label, and access decisions are made based on these labels according to predefined rules. Users cannot change permissions on the resources they own, ensuring that access is enforced consistently and in compliance with organizational or regulatory requirements. This model is commonly used in highly secure environments, such as government, military, and critical infrastructure systems, where strict control and data confidentiality are paramount.

    • A user must demonstrate a need for the information before access is granted

    Example

    security_labels = { # dictionary assigning security clearance levels to users
        "john": "secret", # john has secret-level clearance
        "jane": "confidential" # jane has confidential-level clearance
    }

    resource_labels = { # dictionary assigning classification levels to resources
        "apache.log": "secret", # apache.log is classified as secret
        "report.txt": "confidential" # report.txt is classified as confidential
    }

    levels = { # mapping of security levels to numeric values for comparison
        "public": 1, # lowest security level
        "confidential": 2, # medium security level
        "secret": 3 # highest security level
    }

    def check_access(user, resource): # function to evaluate MAC policy
        user_level = levels.get(security_labels.get(user, "public")) # get numeric clearance level of user
        resource_level = levels.get(resource_labels.get(resource, "public")) # get numeric classification level of resource
        if user_level >= resource_level: # MAC rule: user must have equal or higher clearance than resource
            return True # allow access if condition is satisfied
        return False # deny access if clearance is too low

    print(check_access("john", "apache.log")) # True (secret >= secret)
    print(check_access("jane", "apache.log")) # False (confidential < secret)
    print(check_access("jane", "report.txt")) # True (confidential >= confidential)


    security_labels = {
        "john": "secret",
        "jane": "confidential"
    }

    resource_labels = {
        "apache.log": "secret",
        "report.txt": "confidential"
    }

    levels = {
        "public": 1,
        "confidential": 2,
        "secret": 3
    }

    def check_access(user, resource):
        user_level = levels.get(security_labels.get(user, "public"))
        resource_level = levels.get(resource_labels.get(resource, "public"))
        if user_level >= resource_level:
            return True
        return False

    print(check_access("john", "apache.log"))
    print(check_access("jane", "apache.log"))
    print(check_access("jane", "report.txt")) 

    Output

    True
    False
    True
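
    The example above treats any resource without a label as "public", so an unlabeled file is readable by everyone. As an added example (not from the original page), the check below denies access when a label is missing and extends the labels with need-to-know compartments and a write rule (no read up, no write down, as in the Bell-LaPadula model), which goes beyond the single read rule shown above; the compartment names and the extra user and file are constructed.

```python
LEVELS = {"public": 1, "confidential": 2, "secret": 3}  # same ordering as the example above

# Constructed labels: (classification level, set of need-to-know compartments).
SUBJECT_LABELS = {
    "john": ("secret", {"ops", "audit"}),
    "jane": ("confidential", {"finance"}),
    "sam": ("secret", set()),  # high clearance but no compartments
}
OBJECT_LABELS = {
    "apache.log": ("secret", {"ops"}),
    "report.txt": ("confidential", {"finance"}),
    "motd.txt": ("public", set()),
}


def dominates(a, b):
    """True if label a is at least as high as label b and holds all of b's compartments."""
    (a_level, a_compartments), (b_level, b_compartments) = a, b
    return LEVELS[a_level] >= LEVELS[b_level] and a_compartments >= b_compartments


def check_access(user, resource, mode="read"):
    """Evaluate a read or write request against the central labels."""
    subject = SUBJECT_LABELS.get(user)
    obj = OBJECT_LABELS.get(resource)
    # Fail closed: a missing or unrecognised label is never treated as "public".
    if subject is None or obj is None:
        return False
    if subject[0] not in LEVELS or obj[0] not in LEVELS:
        return False
    if mode == "read":
        return dominates(subject, obj)   # no read up
    if mode == "write":
        return dominates(obj, subject)   # no write down
    return False                         # unknown access modes are denied


if __name__ == "__main__":
    print(check_access("john", "apache.log"))        # clearance and compartment match
    print(check_access("sam", "apache.log"))         # clearance alone is not enough
    print(check_access("jane", "unlabeled.txt"))     # no label on the resource
    print(check_access("john", "motd.txt", "write")) # secret subject writing to public
```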

    Role-Based Access Control (RBAC)

    Role-Based Access Control (RBAC) is an access control model in which access to resources and permissions is granted based on a user’s role within an organization rather than on an individual basis. Each role is assigned specific access rights that correspond to the responsibilities and tasks associated with that role, and users are then assigned to one or more roles. This approach simplifies administration by allowing permissions to be managed collectively for roles instead of individually for each user, reduces the risk of excessive privileges, and supports the principle of least privilege. RBAC is widely used in enterprise systems to enforce consistent security policies, streamline user management, and maintain compliance with regulatory standards.

    • Job title

    user_roles = { # dictionary mapping each user to a role
        "john": "admin", # john is assigned the admin role
        "jane": "developer" # jane is assigned the developer role
    }

    role_permissions = { # dictionary mapping roles to allowed resources
        "admin": ["apache.log", "report.txt"], # admin role can access both resources
        "developer": ["report.txt"] # developer role can only access report.txt
    }

    def check_access(user, resource): # function to check access based on role
        role = user_roles.get(user) # get the role assigned to the user
        if not role: # check if user has a valid role
            return False # deny access if no role is assigned
        allowed_resources = role_permissions.get(role, []) # get resources allowed for that role
        if resource in allowed_resources: # check if resource is allowed for the role
            return True # allow access if resource is in role permissions
        return False # deny access if resource is not permitted

    print(check_access("john", "apache.log")) # True (admin has access)
    print(check_access("jane", "apache.log")) # False (developer does not have access)
    print(check_access("jane", "report.txt")) # True (developer has access)

    user_roles = {
        "john": "admin",
        "jane": "developer"
    }

    role_permissions = {
        "admin": ["apache.log", "report.txt"],
        "developer": ["report.txt"]
    }

    def check_access(user, resource):
        role = user_roles.get(user)
        if not role:
            return False
        allowed_resources = role_permissions.get(role, [])
        if resource in allowed_resources:
            return True
        return False

    print(check_access("john", "apache.log"))
    print(check_access("jane", "apache.log"))
    print(check_access("jane", "report.txt"))

    Output

    True
    False
    True

    Rule-Based Access Control (RAC)

    Rule-Based Access Control (RAC) is an access control model in which access to resources is determined by a predefined set of rules or conditions established by the system or administrator. These rules evaluate factors such as time of access, location, device type, or specific actions being attempted to decide whether access should be granted or denied. Unlike role-based or identity-based models, RAC enforces dynamic policies that can automatically adapt to context or system states, making it suitable for environments that require flexible, policy-driven control. By using clearly defined rules, RAC helps maintain security, ensure compliance, and reduce the risk of unauthorized access while allowing automated, consistent decision-making.

    • Allowing access to a resource based on IP address, time, and role

    Example

    def check_access(user, resource, hour, ip): # function to evaluate access based on system rules
        if hour < 8 or hour > 17: # rule: allow access only during business hours (hours 8 through 17, so up to 17:59)
            return False # deny access if outside allowed time window
        if not ip.startswith("10.1."): # rule: allow only trusted internal network IP range
            return False # deny access if IP is not from trusted subnet
        if resource == "apache.log" and user != "admin": # rule: only admin can access sensitive log file
            return False # deny access if non-admin tries to access apache.log
        return True # allow access if all rules pass

    print(check_access("admin", "apache.log", 9, "10.1.1.10")) # True (admin, valid time, trusted IP)
    print(check_access("jane", "apache.log", 9, "10.1.1.10")) # False (not admin)
    print(check_access("admin", "report.txt", 9, "10.2.0.5")) # False (untrusted IP)

    def check_access(user, resource, hour, ip):
        if hour < 8 or hour > 17:
            return False
        if not ip.startswith("10.1."):
            return False
        if resource == "apache.log" and user != "admin":
            return False
        return True

    print(check_access("admin", "apache.log", 9, "10.1.1.10"))
    print(check_access("jane", "apache.log", 9, "10.1.1.10"))
    print(check_access("admin", "report.txt", 9, "10.2.0.5"))

    Output

    True
    False
    False
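
    The example above matches the IP address as a string prefix and compares whole hours. As an added example (not from the original page), the check below applies the same three rules with the standard `ipaddress` module and a `datetime.time` window, and returns the name of the rule that decided the request so it can be logged; reading "10.1." as the network 10.1.0.0/16, closing at exactly 17:00, and the rule names are assumptions.

```python
import ipaddress
from datetime import time

TRUSTED_NET = ipaddress.ip_network("10.1.0.0/16")  # assumed meaning of the "10.1." prefix
OPEN, CLOSE = time(8, 0), time(17, 0)              # assumed hours; closing time is exclusive


def prefix_check(ip):
    """The string test used in the example above, kept here for comparison."""
    return ip.startswith("10.1.")


def check_access(user, resource, when, ip):
    """Return (allowed, rule), where `rule` names the rule that decided the request."""
    if not (OPEN <= when < CLOSE):
        return False, "outside-business-hours"
    try:
        addr = ipaddress.ip_address(ip)  # rejects anything that is not a valid address
    except ValueError:
        return False, "malformed-ip"
    if addr not in TRUSTED_NET:
        return False, "untrusted-network"
    if resource == "apache.log" and user != "admin":
        return False, "admin-only-resource"
    return True, "all-rules-passed"


if __name__ == "__main__":
    # Constructed requests: (user, resource, time of day, source address as received)
    requests = [
        ("admin", "apache.log", time(9, 0), "10.1.1.10"),
        ("jane", "apache.log", time(9, 0), "10.1.1.10"),
        ("admin", "report.txt", time(9, 0), "10.2.0.5"),
        ("admin", "report.txt", time(17, 30), "10.1.1.10"),
        ("admin", "report.txt", time(9, 0), "10.1.999.1"),
        ("admin", "report.txt", time(9, 0), "10.1.1.10.example.net"),
    ]
    for req in requests:
        print(req[3], "prefix:", prefix_check(req[3]), "decision:", check_access(*req))
```

    The last two constructed inputs satisfy the string prefix test but are not addresses in the trusted network, so the parsed check denies them.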

    Responsibility-Based Access Control (ReBAC)

    Responsibility-Based Access Control (ReBAC) is an access control model in which access to resources is granted based on the specific responsibilities assigned to a user or group of users. Unlike role-based models that focus on general job roles, ReBAC ties permissions directly to the duties or tasks a user is expected to perform, ensuring that access is closely aligned with operational responsibilities. This approach enforces the principle of least privilege, as users receive only the access necessary to fulfill their assigned duties. ReBAC is particularly useful in complex or task-oriented environments, where security and accountability must be balanced with operational efficiency.

    • A data engineer has access to a backup management interface

    Example

    responsibilities = { # maps users to the tasks they are responsible for
        "john": ["incident_6998", "server_backup"], # john is responsible for incident handling and backups
        "jane": ["ticket_3467", "report_review"] # jane is responsible for ticket handling and report review
    }

    task_resources = { # maps each task to the resource it controls
        "incident_6998": "apache.log", # incident task gives access to apache log
        "ticket_3467": "report.txt", # ticket task gives access to report file
        "server_backup": "backup.log", # backup task gives access to backup logs
        "report_review": "report.txt" # report review task gives access to report file
    }

    def check_access(user, resource): # function to check access based on responsibilities
        user_tasks = responsibilities.get(user, []) # get all tasks assigned to the user
        for task in user_tasks: # loop through each responsibility/task
            if task_resources.get(task) == resource: # check if task maps to requested resource
                return True # allow access if match is found
        return False # deny access if no responsibility matches the resource

    print(check_access("john", "apache.log")) # True (john is responsible for incident_6998)
    print(check_access("jane", "apache.log")) # False (jane has no matching responsibility)
    print(check_access("jane", "report.txt")) # True (jane responsible for ticket_3467 or report_review)

    responsibilities = {
        "john": ["incident_6998", "server_backup"],
        "jane": ["ticket_3467", "report_review"]
    }

    task_resources = {
        "incident_6998": "apache.log",
        "ticket_3467": "report.txt",
        "server_backup": "backup.log",
        "report_review": "report.txt"
    }

    def check_access(user, resource):
        user_tasks = responsibilities.get(user, [])
        for task in user_tasks:
            if task_resources.get(task) == resource:
                return True
        return False

    print(check_access("john", "apache.log"))
    print(check_access("jane", "apache.log"))
    print(check_access("jane", "report.txt"))

    Output

    True
    False
    True
  • CIA Triad

    CIA Triad

    The CIA Triad is a fundamental cybersecurity model that encompasses three key principles for protecting information systems and data: Confidentiality, Integrity, and Availability. This model provides a straightforward framework for designing security controls and assessing risks, ensuring that information remains protected, accurate, and accessible when needed. These principles guide organizations in securing their systems, responding to threats, and managing data protection across various environments.

    Confidentiality

    Confidentiality is the principle of protecting information from unauthorized access, use, or disclosure. It ensures that data is accessible only to individuals who have been explicitly granted permission to view or handle it. This protection applies whether the data is stored, processed, or transmitted. 

    To maintain confidentiality, organizations store data in secure locations and use access controls such as passwords, file permissions, encryption, and authentication systems. They implement policies and technical safeguards to prevent sensitive information from being accessed by unauthorized users, accidentally exposed, or intentionally leaked. 

    Overall, confidentiality ensures that private or sensitive data remains “hidden” from unauthorized users, keeping it safe in a controlled, secure environment.

    Example

    Access is restricted so that only the file owner can read and write the file.

    chmod # change file permissions command
    600 # owner read/write only, no permissions for group or others
    file.txt # target file to apply permissions

    chmod 600 file.txt

    Integrity

    Integrity is the principle that ensures data remains accurate, complete, and trustworthy throughout its lifecycle. It means that information should not be altered, deleted, or manipulated by unauthorized users, whether intentionally or accidentally. When data integrity is maintained, users can trust that the information is correct and consistent. 

    To protect integrity, systems employ controls such as permissions, checksums, hashing, audit logs, and version control. These mechanisms help detect or prevent unauthorized changes, ensuring that any data modifications are tracked and approved. 

    Overall, integrity guarantees that data remains reliable and unchanged unless properly authorized, making it trustworthy for decision-making and operations.

    Example

    A hash value is generated to verify that the file contents have not changed.

    sha256sum # command to compute SHA-256 hash of a file
    message.txt # target file whose integrity is being checked

    sha256sum message.txt
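
    `sha256sum` only prints a digest; detecting a change means comparing it with a value recorded earlier. As an added example (not from the original page), the code below records a baseline manifest of SHA-256 digests and re-checks it, reporting files that were modified or removed; the file names and contents are constructed.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so that large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths):
    """Record the baseline: path -> SHA-256 hex digest."""
    return {path: sha256_file(path) for path in paths}


def verify_manifest(manifest):
    """Compare current file contents with the baseline and classify each file."""
    results = {}
    for path, expected in manifest.items():
        if not os.path.isfile(path):
            results[path] = "missing"
        elif sha256_file(path) == expected:
            results[path] = "ok"
        else:
            results[path] = "modified"
    return results


def demo():
    """Constructed scenario: baseline three files, then change one and delete one."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name in ("message.txt", "config.ini", "notes.txt"):
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "w") as fh:
                fh.write(f"original contents of {name}\n")
        manifest = build_manifest(paths.values())
        with open(paths["config.ini"], "a") as fh:
            fh.write("extra line\n")          # simulated unauthorized change
        os.remove(paths["notes.txt"])         # simulated deletion
        results = verify_manifest(manifest)
        return {os.path.basename(p): status for p, status in results.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

    The check is only as trustworthy as the manifest, so the baseline has to be stored where someone able to change the files cannot also change the recorded digests.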

    Availability

    Availability is the principle that ensures data and systems are accessible to authorized users whenever necessary. This means that information, applications, and services should be reliably accessible without unnecessary delays or downtime. 

    To maintain availability, organizations implement measures such as backups, redundancy, failover systems, load balancing, and disaster recovery plans. These controls ensure that even if hardware fails, networks go down, or unexpected incidents occur, users can still access the data they are authorized to use. 

    Overall, availability ensures that information is readily accessible to the right people at the right time, supporting continuous, reliable operations.

    Example

    The status of a web service is checked to ensure it is running and available for users.

    systemctl # systemd command to control and manage services
    status # check the current state of a service
    apache2 # the Apache web server service being checked

    systemctl status apache2

    Authenticity

    Authenticity is the principle that guarantees data, users, or systems are genuine and verifiable as coming from a trusted and legitimate source. It ensures that information has not been falsified or impersonated and that communication or data originates from the claimed sender.

    To maintain authenticity, systems employ various methods such as digital signatures, certificates, multi-factor authentication, cryptographic keys, and identity verification protocols. These mechanisms help validate identities and ensure that interactions between users and systems are trustworthy.

    Overall, authenticity enables you to trust the source of the data or user you are interacting with, preventing impersonation and the spread of fake or misleading information.

    Example

    A digital signature is verified to confirm the sender’s identity.

    gpg # GNU Privacy Guard tool used for encryption and signature verification
    --verify # option to verify a digital signature
    signed_message.txt.sig # signature file used to confirm authenticity
    message.txt # original file being verified against the signature

    gpg --verify signed_message.txt.sig message.txt

    Non-repudiation

    Non-repudiation is a security principle that guarantees an individual or system cannot deny having performed a specific action. It provides proof of both origin and integrity, allowing actions such as sending messages, approving transactions, or modifying data to be reliably attributed to a specific actor.

    To achieve non-repudiation, systems employ mechanisms like digital signatures, cryptographic keys, audit logs, timestamps, and secure authentication records. These tools generate verifiable evidence that a particular user or system executed a specific action and that the action has not been altered afterward.

    Overall, non-repudiation ensures accountability by making it impossible for someone to credibly deny their actions within a system.

    Example

    A digital signature is created to prove who signed the file.

    gpg # GNU Privacy Guard tool for encryption and signing
    --sign # create a digital signature to prove authorship and ensure integrity
    message.txt # file being signed to provide proof of origin and non-repudiation

    gpg --sign message.txt