Domain 3 of 5

Access Controls

Domain · 22% of the CC exam

One question runs through the whole domain: who is allowed to reach what, and the answer is enforced in two places

Access control is the process of granting or denying a request to use information, a system, or a physical facility, and NIST writes a single definition for both because it is one idea wearing two coats. A subject (a person, process, or device) wants to reach an object (a file, a server, a room), and a control decides yes or no. The trap the CC exam sets is treating these as separate worlds: a flawless firewall protects nothing if an intruder can walk to the rack and pull the drive, and the strongest door protects nothing if a logged-in account can read every file. So this domain teaches you to ask the same question twice, once of the building and once of the system, and to recognize that an answer is only as good as its weaker realm. Worth 22% of the exam, this is one of the most heavily weighted domains, behind Security Principles (26%) and Network Security (24%).

The domain unfolds in two complementary realms, each a layered defense rather than one strong control

Read the two subtopics as the two coats of that one idea. First, Physical Access Controls covers the building and the people in it: how locks, gates, badge readers, guards, and cameras keep unauthorized people away from the hardware, and how site design and monitoring back them up. Reach for it whenever a scenario puts a body in a space. Second, Logical Access Controls covers the systems and data: how software grants or denies a subject the use of an object, governed by two principles (least privilege and separation of duties) and three models (DAC, MAC, RBAC). Reach for it whenever a scenario is about who may open a resource. Both realms share a shape worth holding in mind: no single control is enough, so each stacks many controls so that what one misses another catches. Physically this is the deter, deny, detect, delay, respond chain; logically it is principles applied on top of a model. The single most common exam mistake is reasoning about only one realm when the gap is in the other.

When two answers both work, the exam rewards the one that grants less

Least privilege is the instinct that ties both realms together: give every subject the minimum access its task needs and nothing more, so that a stolen badge or a phished account inherits only a few permissions instead of the keys to everything. The same instinct shows up physically as need-to-know zoning (sensitive equipment in the interior core, each step inward demanding stronger justification) and logically as withholding any permission a job does not require. So when a question offers one answer that opens a door wide for convenience and another that opens it just enough, prefer the narrower one. Two related defaults travel with it: separate sensitive duties so no one person can finish a critical task alone, and prefer controls that admit and log one identified person at a time (a card or biometric over a shared key, a vestibule or full-height turnstile over an honor system) so every entry is both limited and accountable.

Two realms, one question (who may reach what), and where each is taught

RealmProtectsDecides access byLayered asDrill into
PhysicalBuildings, equipment, and the people insideA credential at a door (key, lock, card, biometric) plus guards, cameras, and site designThe deter, deny, detect, delay, respond chainPhysical Access Controls
LogicalSystems, applications, and dataA software rule matching subject to object, set by a model (DAC / MAC / RBAC)Least privilege and separation of duties applied on top of the modelLogical Access Controls

Subtopics in this domain