The policies, processes, and controls that manage who (or what) can access systems and data, and what actions they are authorized to perform.