Discussion: Mapping Business Challenges to Types of Control

The goal of any access control system is not simply to keep people out, or to organize who has access to a particular resource, but to meet a business need. For each business challenge in the table, identify the impact to the business if that challenge is not addressed, then choose an access control that mitigates that impact.

Complete the table below:

Business Challenge             | Business Impact | Mitigation Technique
-------------------------------|-----------------|---------------------
Disaster Prevention            |                 |
Disaster Recovery              |                 |
Customer Access to Data        |                 |
Maintain Competitive Advantage |                 |

© 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
http://www.jblearning.com
Access Control, Authentication, and Public Key Infrastructure
Lesson 4: Human Nature and Organizational Behavior; Access Control for Information Systems
IS404 Access Control, Authentication and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
http://www.jblearning.com
© ITT Educational Services, Inc. All rights reserved.
Dealing with Human Nature
• The unintentional threat
• Hackers and motivation
• Social engineering
Pre-Employment Checks
• What information can be considered
• What information cannot be considered
• Consequences of a bad hiring decision
• Applicant's rights
Ongoing Observation of Personnel
• Identify potentially disgruntled employees
• Proper ways to revoke access upon employee termination
Organizational Structure and Access Control Strategy
• An access control model based on organizational structure is designed to resist social engineering attacks: an attacker who talks an employee into acting on their behalf gets no more than that employee's position allows
• Employees are given access based on the tasks they must complete as part of their job
• Access rules balance confidentiality against necessity (need to know)
• The organizational structure model is similar to the role-based access control (RBAC) model, with roles defined by position in the organization
Job Rotation and Position Sensitivity
• Job rotation minimizes the effects of dishonesty: a fraud that depends on one person holding a position indefinitely tends to surface when someone else takes it over
• Often used for sensitive positions, especially those directly responsible for crucial information and assets
Requirement for Periodic Vacation
• Periodic vacations act as a security measure
• Requiring a person to take time off from work gives evidence of dishonesty time to surface, because someone else must cover the duties in the meantime
• Can also reduce the success of social engineers, who rely on a predictable contact
Separation of Duties
• Ensures that a single person does not handle all crucial decisions and activities, especially those involving a high level of trust
• Goal is to remove the opportunity, and with it the temptation, to commit fraud or other illegal activities
• Related concepts: two-person control (a sensitive action requires two people acting together); collusion (the residual risk, since a duty split between two people can still be abused if they cooperate); monitoring and oversight (the compensating control that makes collusion detectable)
Responsibilities of Access Owners
• Disclosing to users any relevant legal, regulatory, or ethical issues surrounding the use or disclosure of the information
• Implementing a data classification system and rating the data according to its sensitivity, confidentiality, inherent value, and other factors
• Maintaining a list of authorized users
• Implementing procedures to safeguard information from unauthorized use, disclosure, alteration, or accidental or intentional destruction
• Developing a policy governing data retention and disposition
• Providing users with adequate training in the use and protection of the information
Training Employees
Training should:
• Be ongoing
• Include multiple formats
• Be interactive
• Include multiple points of contact
Security Awareness Training Facts
Information technology (IT) security surveys conducted by well-known accounting firms found the following:
• Many organizations have some awareness training.
• Most awareness programs omitted important elements.
• Less than 25% of organizations had no way to track awareness program effectiveness.
Source: http://www.lumension.com/Resources/Resource-Center/Protect-Vital-Information-Minimize-Insider-Risks.aspx
Ethics
• What is right and what is wrong
• Enforcing policies
• Human resources involvement
Best Practices for Managing Human Nature
• Defining appropriate policies and procedures governing employee behavior
• Educating employees about the policies and procedures relevant to them
• Discovering and addressing behavioral shortcomings
• Encouraging creative risk-taking
User Domain Access Control Management
The Three States of Data
State                  Examples
Data at Rest (DAR)     Stored on some device; archived records
Data in Motion (DIM)   Sending an e-mail; retrieving a Web page
Data in Process (DIP)  Creating a new document; processing a payment
Protecting DAR
• Use encryption to protect stored data:
  • Elements in databases
  • Files on network and shared drives
  • Files on portable or movable drives, including Universal Serial Bus (USB) and flash drives
  • Files and shared drives accessible from the Internet
  • Personal computers (PCs) and laptop hard drives, using full disk encryption
Protecting DIM (Data in Motion)
Protecting DIP
• Difficult to protect, because the data must be in usable (plaintext) form while the central processing unit (CPU) operates on it
Object-Level Security
• Object: an item or a distinct group of information in a data storage system
• Group information as an object, then set controls at the object level
• Allows you to manage groups of related data as one unit
• Helps with DAR and DIM security
Access Control List Properties
Each access control entry (ACE) in an ACL carries:
• A security identifier (SID) that identifies what the ACE applies to: the specific user, group, or system
• An access mask that lists the specific rights granted or denied
• Flags that indicate the type of ACE and whether child objects inherit the rights from the object the ACE is attached to
Access Control List Entry Types
• access-denied: withholds the rights in its mask from the matching SID
• access-allowed: grants the rights in its mask to the matching SID
• system-audit: logs attempts to use the rights in its mask
DACL and SACL
• Discretionary Access Control List (DACL): controls access to an object; it holds the access-allowed and access-denied ACEs that an access check evaluates in order
• System Access Control List (SACL): holds the system-audit ACEs and so handles the information assurance aspect of access controls, determining which access attempts are recorded
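The ACE properties, the three ACE types and the DACL/SACL split described in the slides above only make sense together, at the moment an access check runs. The Python model below is an added example, not code from the slides or from Microsoft's implementation; it shows how ACE order decides the outcome, how inheritance flags carry entries down to child objects, and how a system-audit ACE in the SACL turns a decision into an audit record. All SID strings, mask bit values and the folder/file objects are constructed for illustration and do not match real Windows SIDs or FILE_* masks.

```python
"""Added example (not from the slides or from Microsoft): a simplified model of
Windows-style DACL/SACL evaluation. SID strings, mask bit values and the sample
folder/file are constructed; real Windows SIDs and FILE_* masks differ."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8   # constructed access-mask bits
ALL = READ | WRITE | EXECUTE | DELETE
OBJECT_INHERIT, CONTAINER_INHERIT = 0x01, 0x02     # propagate to child files / folders
INHERITED = 0x10                                   # ACE was inherited from a parent
AUDIT_SUCCESS, AUDIT_FAILURE = 0x40, 0x80          # system-audit ACE: outcomes to log

Token = Set[str]   # the SIDs a subject carries: its own SID plus its groups'


@dataclass
class ACE:
    ace_type: str   # "access-allowed", "access-denied" or "system-audit"
    sid: str        # user, group or system the entry applies to
    mask: int       # rights granted, denied or audited
    flags: int = 0


@dataclass
class SecurityDescriptor:
    dacl: Optional[List[ACE]]                      # None = NULL DACL (no protection)
    sacl: List[ACE] = field(default_factory=list)


def canonical_order(aces: List[ACE]) -> List[ACE]:
    """Explicit denies, explicit allows, then inherited denies and allows.
    Evaluation stops at the first decisive ACE, so this order is what lets an
    explicit allow on a child override a deny inherited from the parent."""
    return sorted(aces, key=lambda a: (bool(a.flags & INHERITED),
                                       a.ace_type != "access-denied"))


def inherit(parent: SecurityDescriptor, child_is_container: bool) -> List[ACE]:
    """Copy the parent's inheritable ACEs onto a child, marking them INHERITED."""
    want = CONTAINER_INHERIT if child_is_container else OBJECT_INHERIT
    return [ACE(a.ace_type, a.sid, a.mask, a.flags | INHERITED)
            for a in (parent.dacl or []) if a.flags & want]


def access_check(sd: SecurityDescriptor, token: Token, requested: int) -> bool:
    """NULL DACL grants all, empty DACL grants nothing; otherwise walk the ACEs
    in order: a matching deny on a still-needed bit fails at once, a matching
    allow strips its bits, and access is granted only when nothing remains."""
    if sd.dacl is None:
        return True
    remaining = requested
    for ace in sd.dacl:
        if ace.ace_type == "system-audit" or ace.sid not in token:
            continue
        if ace.ace_type == "access-denied" and ace.mask & remaining:
            return False
        if ace.ace_type == "access-allowed":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def audit_events(sd: SecurityDescriptor, token: Token, requested: int,
                 granted: bool) -> List[str]:
    """SACL side: a system-audit ACE yields a record when it matches the subject,
    overlaps the requested rights and is flagged for this outcome."""
    outcome = AUDIT_SUCCESS if granted else AUDIT_FAILURE
    return [f"{'GRANTED' if granted else 'DENIED'} rights=0x{requested & a.mask:x}"
            for a in sd.sacl if a.ace_type == "system-audit"
            and a.sid in token and a.mask & requested and a.flags & outcome]


# Constructed sample: a shared folder whose ACEs propagate to a file inside it.
INHERIT_ALL = OBJECT_INHERIT | CONTAINER_INHERIT
FOLDER = SecurityDescriptor(
    dacl=[ACE("access-denied", "S-CONTRACTORS", WRITE | DELETE, INHERIT_ALL),
          ACE("access-allowed", "S-EMPLOYEES", READ | EXECUTE, INHERIT_ALL),
          ACE("access-allowed", "S-ADMINS", ALL, INHERIT_ALL)],
    sacl=[ACE("system-audit", "S-CONTRACTORS", WRITE | DELETE,
              INHERIT_ALL | AUDIT_SUCCESS | AUDIT_FAILURE)])
FILE = SecurityDescriptor(  # explicit WRITE for Alice plus the inherited ACEs
    dacl=canonical_order([ACE("access-allowed", "S-ALICE", WRITE)]
                         + inherit(FOLDER, child_is_container=False)))
ALICE: Token = {"S-ALICE", "S-EMPLOYEES", "S-CONTRACTORS"}
BOB: Token = {"S-BOB", "S-EMPLOYEES"}


def demo() -> dict:
    return {
        "alice_read_folder": access_check(FOLDER, ALICE, READ),
        "alice_write_folder": access_check(FOLDER, ALICE, WRITE),  # explicit deny
        "alice_write_file": access_check(FILE, ALICE, WRITE),      # explicit allow beats inherited deny
        "alice_delete_file": access_check(FILE, ALICE, DELETE),    # inherited deny still applies
        "bob_write_file": access_check(FILE, BOB, WRITE),          # no allow at all: denied
        "audit": audit_events(FOLDER, ALICE, WRITE, granted=False),
    }
```

demo() shows the points the slides leave implicit: Alice, who is both an employee and a contractor, is refused WRITE on the folder by the explicit deny, yet allowed WRITE on the file because her explicit allow sorts ahead of the inherited deny; DELETE on the file is still refused, Bob is refused WRITE simply because no ACE grants it, and the SACL produces one audit record for the refused folder write. On a real Windows host the same ACEs are inspected with icacls or Get-Acl.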
Best Practices for Access Controls for Information Systems
• Create a baseline for access
• Segregate users' rights by role
• Automate user creation
• Tie access controls to the environment
• Have a clear standard for decommissioning data storage devices
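Three of the slides in this lesson describe one mechanism from different angles: the organizational-structure (RBAC-like) model grants access by position, separation of duties forbids one person holding conflicting duties, and the best practices above ask for a baseline, role-segregated rights and automated user creation. The Python model below is an added example, not code from the slides or from any product, that puts those together: roles are derived from the job title, static separation-of-duties conflicts are enforced at provisioning time, a two-person check is applied when a payment is released, and live entitlements are diffed against the baseline to surface drift. The job titles, roles, permission names, staff roster and the "live" directory contents are all constructed for illustration.

```python
"""Added example (not from the slides): a small role-based provisioning model
tying three slides together: access derived from job function (the
organizational-structure / RBAC model), separation of duties enforced as
mutually exclusive roles plus a two-person check at transaction time, and a
baseline that flags drift. Job titles, roles, permissions and staff are
constructed for illustration."""
from typing import Dict, List, Set, Tuple

# Constructed role -> permissions: each role carries only what its tasks need.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap-clerk":    {"invoice:create", "invoice:read"},
    "ap-approver": {"invoice:read", "invoice:approve"},
    "treasury":    {"invoice:read", "payment:release"},
    "auditor":     {"invoice:read", "payment:read", "audit-log:read"},
    "help-desk":   {"user:reset-password"},
}

# Constructed job title -> roles: access follows the organizational position.
JOB_ROLES: Dict[str, Set[str]] = {
    "Accounts Payable Clerk": {"ap-clerk"},
    "AP Supervisor":          {"ap-approver"},
    "Treasurer":              {"treasury"},
    "Internal Auditor":       {"auditor"},
    "Service Desk Analyst":   {"help-desk"},
}

# Static separation of duties: role pairs no single person may hold, because
# holding both would let one person complete a fraud without collusion.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("ap-clerk", "ap-approver"),   # create and approve the same invoice
    ("ap-approver", "treasury"),   # approve an invoice and release its payment
    ("auditor", "ap-clerk"), ("auditor", "ap-approver"), ("auditor", "treasury"),
]


def sod_violations(roles: Set[str]) -> List[Tuple[str, str]]:
    return [(a, b) for a, b in SOD_CONFLICTS if a in roles and b in roles]


def provision(job_title: str, extra_roles: Set[str] = frozenset()) -> Set[str]:
    """Automated user creation: derive roles from the job title, add any
    requested extras, and refuse the whole assignment if it breaks SoD."""
    roles = set(JOB_ROLES.get(job_title, set())) | set(extra_roles)
    conflicts = sod_violations(roles)
    if conflicts:
        raise ValueError(f"SoD violation for {job_title!r}: {conflicts}")
    return roles


def effective_permissions(roles: Set[str]) -> Set[str]:
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def baseline(staff: Dict[str, str]) -> Dict[str, Set[str]]:
    """Expected permissions per user, derived purely from the HR job title."""
    return {user: effective_permissions(provision(title))
            for user, title in staff.items()}


def drift(expected: Dict[str, Set[str]],
          actual: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Compare live entitlements with the baseline. 'extra' is what to
    investigate first: privilege creep, a stale project role, or an account
    that is not on the roster at all."""
    report = {}
    for user in set(expected) | set(actual):
        have, want = actual.get(user, set()), expected.get(user, set())
        if have != want:
            report[user] = {"extra": have - want, "missing": want - have}
    return report


def release_payment(created_by: str, approved_by: str, released_by: str,
                    entitlements: Dict[str, Set[str]]) -> bool:
    """Two-person control at transaction time: three distinct people, each
    holding exactly the permission its step requires."""
    return (len({created_by, approved_by, released_by}) == 3
            and "invoice:create" in entitlements.get(created_by, set())
            and "invoice:approve" in entitlements.get(approved_by, set())
            and "payment:release" in entitlements.get(released_by, set()))


# Constructed sample: the HR roster and what the directory grants today.
STAFF = {"alice": "Accounts Payable Clerk", "bob": "AP Supervisor",
         "carol": "Treasurer", "dave": "Internal Auditor"}
LIVE = {
    "alice": {"invoice:create", "invoice:read", "invoice:approve"},  # creep: self-approval
    "bob":   {"invoice:read", "invoice:approve"},
    "carol": {"invoice:read", "payment:release"},
    "dave":  {"invoice:read", "payment:read"},                        # lost audit-log access
    "erin":  {"user:reset-password"},                                 # not on the roster
}


def review() -> Dict[str, Dict[str, Set[str]]]:
    return drift(baseline(STAFF), LIVE)
```

review() reports three findings against the constructed roster: alice has gained invoice:approve on top of her clerk rights (the classic creep that defeats separation of duties), dave has lost audit-log:read, and erin holds a permission without appearing on the roster at all. Even with alice's extra right, release_payment() still refuses a flow in which she both creates and approves the invoice, which is the point of layering a dynamic two-person check on top of static role assignment.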
