Dictionary · NIST SP 800-33
L2 — definitions grouped by regulatory framework.
Nouns
4 senses
- Identity-Based Security Policy
A security policy based on the identities and/or attributes of the object (system resource) being accessed and of the subject (user, group of users, process, or device) requesting access.
- Reference Monitor
The security engineering term for IT functionality that— 1) controls all access, 2) cannot be bypassed, 3) is tamper-resistant, and 4) provides confidence that the other three items are true.
- Residual risk
The remaining potential risk after all IT security measures are applied. There is a residual risk associated with each threat.
- Rule-Based Security Policy
A security policy based on global rules imposed for all subjects. These rules usually rely on a comparison of the sensitivity of the objects being accessed and the possession of corresponding attributes by the subjects requesting access.