Authentication: Before a user can access I.T. systems and data, their identity must be assessed before access is granted.
Authorization: Only authenticated users with permission to access a resource must be allowed access. Permissions must be given to a user on a need-to basis.
Auditing: Information about all users’ activities must be collected and stored in log files. These log files can later be analyzed for violations of authentication and authorization policies.