Discussion Board

What are the factors that influence the selection of access control software and/ or hardware? Discuss all aspects of access control systems.

DQ requirement: Note that the requirement is to post your initial response no later than Thursday and you must post one additional post during the week (Sunday). I recommend your initial posting to be between 200-to-300 words. The replies to fellow students and to the professor should range between 100-to-150 words. All initial posts must contain a properly formatted in-text citation and scholarly reference.

Don't use plagiarized sources. Get Your Custom Essay on
Discussion Board
Just from $13/Page
Order Essay

Access Control, Authentication, and Public Key Infrastructure

Chapter 3

Business Drivers for Access Controls

© 20

1

5 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.
1

Data or Information Assets

An intangible asset with no form or substance:

Paper records

Electronic media

Intellectual property stored in people’s heads

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

2

Importance of Policy and Senior Management Role
Organizations value intellectual property
Must control access to information to ensure survival
Protecting confidential information involves:
Technical controls
Clear policies and sound business processes that implement those policies
Access control policies are effective only with support of senior executives

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

3

Classification Schemes
Classification scheme is a method of organizing sensitive information into access levels
Only a person with the approved level of access is allowed to view information
This access is called clearance
Every organization has its own method of determining clearance levels

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

4

National Security Classification
Unclassified
Confidential
Secret
Top Secret
Corporations
Public
Internal
Sensitive
Highly sensitive

Classification Schemes (Cont.)

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

5

In a hospital, for example, a data classification scheme would identify the sensitivity of every piece of data in the hospital, from the cafeteria menu to patient medical records.

Classified as Public
For use by defined category within job role

Sensitivity-Based Data Classification

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

6

Need to know
Requester should not receive access just because of his or her clearance, position, or rank
Requester must establish a valid need to see information
Access should be granted only if information is vital for requester’s official duties
Least privilege
A computer user or program should have only the access needed to carry out its job

Need to Know and Least Privilege

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

7

Declassification

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

8

Automatic

Systematic

Mandatory declassification review

Freedom of Information Act request

Business Drivers for Access Control

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

9

Cost-benefit analysis

Risk assessment

Business facilitation

Cost containment

Operational efficiency

IT risk management

Electronic Records

United Nations Electronic Data Classification

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

10

The Life Cycle of an Order

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
09/23/10
(c) ITT Educational Services, Inc.
11
Defense:
Risk: Insecure Direct Object Reference
Use an automated tool for real-time attack.
Monitor parameter manipulation–hidden/static.
Establish baseline configuration.
Risk: Cross-Site Request Forgery
Use an automated tool for real-time attack.
Alert/respond to parameter manipulation.
Use known attack signatures.
Establish baseline/monitor resource changes.
Risk: Security Misconfiguration
Use an automated tool for real-time attack.
Inspect outbound responses.
Investigate application failures.
09/23/10
(c) ITT Educational Services, Inc.
11

Controlling Access and Protecting Value
Importance of internal access controls
Importance of external access controls
Implementation of access controls with respect to contractors, vendors, and third parties

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

12

Refers to security of records and information not in electronic systems and applications
Access is regularly linked to functional responsibilities and not to position or grade
Security or background investigation required

Physical Security of Sensitive Information

Can/Should this information be shared?
Secure storage and limited access

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

13

Data Destruction
Use appropriate secure destruction method for the media and format.
Do not put in trash bins.
Data awaiting destruction should be placed in lockable containers.
Strictly confidential and confidential data is destroyed in accordance with specific guidelines.

.

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Data destroyed in accordance with administrative or operations retention schedule
14

Data Destruction (Continued)

.

Shredder/Degausser
Light office shredder/disintegrator
Electronic media
Portable devices
Portable devices

Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Data destroyed in accordance with administrative or operations retention schedule
15

Manage the Identity and Access Provisioning Life Cycle

16

Module Topic
Access Control and Identity Management Life Cycle

‹#›

17

Access Control and Identity Management Life Cycle

‹#›

18
Provisioning

Review

Revocation

Provisioning

‹#›

19

Provisioning entails determining the organizational requirements for access to information, and applies the appropriate access rights

Review

‹#›

20

Access rights and usage must be monitored on a basis commensurate with risk

Reviewing access can take the form of automated checks, manual audits, and several other methods

Revocation

‹#›

21

Through access review, revocation typically is invoked when a user has aggregated unnecessary access, or access is not commensurate with the role of the user

Calculator

Calculate the price of your paper

Total price:$26
Our features

We've got everything to become your favourite writing service

Need a better grade?
We've got you covered.

Order your paper