# Access Control to Data Assets

One-sentence definition: Enforcing least privilege and need-to-know through role design, approvals, and periodic reviews.

## Key Facts

- Map roles to data classifications and to duties that must be separated (separation of duties, SoD).
- Use JML (Joiner/Mover/Leaver) workflows with data-owner approvals, so access is granted, changed, and removed as people join, move, and leave.
- Enforce MFA, context-aware policies (device, location, risk), and session controls for sensitive data.
- Periodic access recertification by data owners, who confirm that each grant is still needed.
- Log and monitor access; alert on anomalies (UEBA, user and entity behavior analytics).
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Identify the missing control in access-lifecycle scenarios.

**Mnemonic:** “Right person, right data, right time.”

## Mini Scenario

Q: Contractors keep their access after the project ends. Which control fixes this?
A: An automated leaver process (triggered by contract end or HR status) plus periodic recertification by the data owner.

## Revision Checklist

- Define SoD and JML.
- Name 3 enforcement controls.
- Identify the data owner’s role in access reviews.

## Related

[[Information and Asset Ownership]] · [[Data Classification Levels and Handling Rules]] · [[Endpoint Data Protections (FDE, EDR, Port Controls)]] · [[Data Loss Prevention (DLP)]] · [[CASB and SSPM/CSPM Overview]] · [[Domain 2 - Index]]
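The leaver process, recertification, and SoD checks from the Key Facts and the Mini Scenario, as an added example that is not part of this note or of the (ISC)² material: a reconciliation script that compares an HR roster (the source of truth for joiners, movers and leavers) against a list of data-asset entitlements and reports orphaned access, grants the data owner has not recertified in time, and SoD conflicts. The roster, entitlements, role pairs, and recertification cadences are constructed for the example; the field names and the `find_*` functions are assumptions, not a standard API.

```python
"""Access-lifecycle reconciliation (added example; all data below is constructed).

Findings produced:
  1. orphaned access  - entitlements held by people the HR roster says have left
  2. stale access     - entitlements not recertified by the data owner in time
  3. SoD conflicts    - one identity holding both roles of a pair that must be split
"""
from datetime import date, timedelta

# Constructed HR roster: status and, for contractors, the contract end date.
ROSTER = {
    "alice": {"status": "active", "end_date": None, "type": "employee"},
    "bob":   {"status": "active", "end_date": date(2024, 3, 31), "type": "contractor"},
    "carol": {"status": "terminated", "end_date": date(2024, 1, 15), "type": "employee"},
    "dave":  {"status": "active", "end_date": None, "type": "employee"},
}

# Constructed entitlements: who may touch which data asset, under which role,
# its classification, the accountable owner, and the last owner recertification.
ENTITLEMENTS = [
    {"user": "alice", "asset": "payroll_db", "role": "payment_initiator",
     "classification": "confidential", "owner": "cfo", "last_recert": date(2024, 5, 1)},
    {"user": "alice", "asset": "payroll_db", "role": "payment_approver",
     "classification": "confidential", "owner": "cfo", "last_recert": date(2024, 5, 1)},
    {"user": "bob", "asset": "project_share", "role": "reader",
     "classification": "internal", "owner": "pm", "last_recert": date(2023, 11, 1)},
    {"user": "carol", "asset": "customer_pii", "role": "analyst",
     "classification": "restricted", "owner": "dpo", "last_recert": date(2023, 12, 1)},
    {"user": "dave", "asset": "customer_pii", "role": "analyst",
     "classification": "restricted", "owner": "dpo", "last_recert": date(2024, 2, 1)},
]

# Hypothetical SoD policy: no single identity may hold both roles of a pair.
SOD_CONFLICTS = {frozenset({"payment_initiator", "payment_approver"})}

# Hypothetical recertification cadence by classification, in days.
RECERT_MAX_AGE = {"restricted": 90, "confidential": 180, "internal": 365}


def find_orphaned_access(roster, entitlements, as_of):
    """Entitlements held by leavers: terminated users, contractors whose
    end date has passed, or identities the roster does not know at all."""
    findings = []
    for e in entitlements:
        person = roster.get(e["user"])
        has_left = (
            person is None
            or person["status"] != "active"
            or (person["end_date"] is not None and person["end_date"] < as_of)
        )
        if has_left:
            findings.append((e["user"], e["asset"]))
    return findings


def find_stale_recerts(entitlements, as_of, max_age_by_class):
    """Entitlements whose last owner recertification is older than the
    cadence set for that data classification."""
    findings = []
    for e in entitlements:
        max_age = timedelta(days=max_age_by_class[e["classification"]])
        if as_of - e["last_recert"] > max_age:
            findings.append((e["user"], e["asset"], e["owner"]))
    return findings


def find_sod_conflicts(entitlements, conflicts):
    """Identities holding both roles of any conflicting pair, across all assets
    (initiating on one system and approving on another is still a conflict)."""
    roles_by_user = {}
    for e in entitlements:
        roles_by_user.setdefault(e["user"], set()).add(e["role"])
    findings = []
    for user, roles in sorted(roles_by_user.items()):
        for pair in conflicts:
            if pair <= roles:
                findings.append((user, tuple(sorted(pair))))
    return findings


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("orphaned (leaver process missed):", find_orphaned_access(ROSTER, ENTITLEMENTS, today))
    print("stale recertification:", find_stale_recerts(ENTITLEMENTS, today, RECERT_MAX_AGE))
    print("SoD conflicts:", find_sod_conflicts(ENTITLEMENTS, SOD_CONFLICTS))
```

Run as of 2024-06-01, the leaver check flags bob (contract ended) and carol (terminated), which is the scenario's gap; the recertification check separately flags carol and dave on the restricted asset, showing why recertification is a distinct control and not a substitute for the leaver process; the SoD check flags alice for holding both payment roles. In practice the roster comes from the HR system and the entitlements from each platform's access export, and the findings feed a ticket to the data owner rather than a print statement.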