Conducting a Risk Assessment of an Access Control System (3e)
Access Control and Identity Management, Third Edition – Lab 02
Introduction
No access control system is perfect. The reality of operating any complex technical system is that it
will always have deficiencies that expose the organization to risk. In the grander scheme of things, those
risks are just a few of the many risks that the organization balances on a daily basis. Risk
assessments provide a mechanism for organizations to identify and evaluate the risks they face and
develop a prioritized list of actions they may take to reduce those risks to an acceptable level.
Cybersecurity professionals often find themselves responsible for conducting risk assessments using
industry standards. These standards may come as sets of best practices from industry organizations
or, commonly, as regulatory requirements imposed by governments or self-regulatory bodies. Security
professionals conducting assessments against these standards will normally review the standard and
compare it with the security controls currently in place. This produces a gap analysis that identifies
areas in which the organization deviates from the requirement. Security professionals then develop a
prioritized set of remediation activities that mitigate those risks to an acceptable level. It is very
important to prioritize that list, as there are often far too many risks to address all of them and the
organization should spend its limited resources addressing those that pose the most significant risk.
When encountering a risk, organizations have four options for handling it:
Risk mitigation includes activities designed to reduce the likelihood or impact of the risk.
Risk avoidance changes business practices to render the risk irrelevant.
Risk transference shifts the impact of the risk to another organization, for example through insurance or contractual terms.
Risk acceptance is a deliberate decision to continue operations as normal despite the risk, usually because the cost of addressing it exceeds its expected impact.
In this lab, you will learn about the risk assessment process for access control systems. After
reviewing the requirements of two regulatory standards covering access control systems, you will
review a scenario and conduct a risk assessment of the access control system in that scenario. You
will then design a set of remediation activities that would address those risks.
Lab Overview
This lab has two parts, which should be completed in the order specified.
1. In the first part of the lab, you will explore two different risk-assessment models that may be
applied to access control systems.
2. In the second part of the lab, you will apply one of those models to conduct a compliance risk
assessment of an access control system. You will then identify actions that you can take to
remediate any deficiencies identified during your risk assessment.
Finally, if assigned by your instructor, you will complete a series of challenge exercises that allow you
to use the skills you learned in the lab to conduct independent, unguided work – similar to what you will
encounter in a real-world situation.
Learning Objectives
Upon completing this lab, you will be able to:
1. Explain the risk assessment process.
2. Describe the differences between the levels of specification in the Payment Card Industry Data
Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act
(HIPAA) Security Rule.
3. Given a scenario, identify risks in an access control system.
4. Given a scenario, design remediation activities to mitigate risks.
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
Comparison of the PCI DSS and HIPAA access control requirements
Listing of five control gaps
Listing of five remediation strategies
Challenge Exercise (if assigned)
Guided Exercises
Note: In this section of the lab, you will follow a step-by-step walk-through of the objectives for this lab
to produce the expected deliverable(s).
1. Review the Common Lab Tasks for Theory Labs document
(https://jbl-lti.hatsize.com/uploads/Common-Lab-Tasks-for-Theory-Labs).
Frequently performed tasks, such as recording your answers and downloading your Lab
Report, are explained in the Common Lab Tasks for Theory Labs document. You should
review these tasks before starting the lab.
2. Proceed with Part 1.
Part 1: Research Risk Assessment Standards
Note: In this part of the lab, you will review the access control requirements created by two different
regulatory standards. The Payment Card Industry Data Security Standard (PCI DSS) is a self-
regulatory standard imposed upon all businesses that store, process, or transmit credit card
data. It contains over 10 pages of detailed requirements for access control systems. The
HIPAA Security Rule is a higher-level standard that sets out required and addressable implementation
specifications for securing systems that process electronic protected health information (ePHI).
1. In your browser, navigate to https://www.pcisecuritystandards.org/ and retrieve a copy of
the current version of the Payment Card Industry Data Security Standard (PCI DSS) from the
website’s document library.
PCI DSS is an industry standard, enforced contractually by the payment card brands, for organizations
involved in the storage, processing, and transmission of credit card information. The standard is quite
lengthy and covers many aspects of cybersecurity. The 12 major requirements in this standard are often
described as the “Digital Dozen” of credit card security.
2. Review the “Implement Strong Access Control Measures” section of the PCI DSS document.
This section includes three requirements, each of which has several pages of detail (titles as worded
in PCI DSS v3.2.1; v4.0 rewords them slightly but keeps the same numbering):
Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
3. In your browser, navigate to
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-
simplification-201303 and review Section 164.312 of the HIPAA Security Rule on pages
66-67.
This section provides the technical safeguards required for operating a HIPAA-compliant
system, including the standards for access control.
4. Compare the requirements for access control systems in the PCI DSS to those in the HIPAA
Security Rule. Describe the level of detail found in each standard and explain in what ways each
standard might be easier, and in what ways harder, to meet than the other.
Part 2: Conduct a Risk Assessment
Note: In this part of the lab, you will review an access control system against the access control
requirements of PCI DSS. Your task is to identify any gaps that exist between the existing system
and the requirements in the standard.
You are the security administrator for Ricky’s Fried Chicken, a franchised fried chicken restaurant.
The restaurant accepts credit cards and, as such, is subject to the provisions of PCI DSS. You are
conducting a risk assessment of the point-of-sale (POS) system used by the chain against the access
control provisions of PCI DSS.
The POS uses the architecture shown in the figure below:
[Figure: POS Architecture]
The links between the data center and the stores are all over strongly encrypted VPN connections.
Currently, each cashier has the ability to log on to the POS system at any store. Managers have the
ability to log on to the POS systems, as well as the back-end servers. Cashiers use generic
“cashier1,” “cashier2,” and “cashier3” accounts while managers each have personal accounts.
All users log on using a strong password. The organization has the following password requirements:
Passwords must be at least eight characters long and must be changed every 180 days.
Users are locked out for one hour after 10 unsuccessful login attempts.
Users are logged out after 10 minutes of inactivity.
The organization has written cardholder security policies, and managers and IT staff review them on an
annual basis, signing logs to document their review. IT staff conduct a semiannual review to remove
the accounts of any managers who have left the organization.
1. Conduct a risk analysis of this environment using the version of PCI DSS that you downloaded
in Part 1 of this lab. Document at least five control gaps that exist in the environment. You
may make assumptions about information not provided in this scenario, if necessary.
2. Identify controls that will mitigate each of the five deficiencies you identified in the previous
step. Create a prioritized list of these actions.
Challenge Exercise
Note: The following exercise is provided to allow independent, unguided work – similar to what you will
encounter in a real situation.
For this part of the lab, you should consider a technology system that you are familiar with from
your employment, academic institution, or personal life. Answer the following questions for the
system:
1. What risk assessment standard would be the best approach for evaluating this system?
Depending on the system, you may use one of the standards already discussed in this lab or
identify an alternative standard more appropriate for your environment. Provide a brief
description of the system, identify the standard that you used and describe why it is
appropriate for the system.
2. Conduct a risk assessment of the system against that standard to the best of your ability. If
you are not familiar with the detailed workings of the system, you may make assumptions to
facilitate your risk assessment. Create a list of the gaps that exist between the system and the
standard you used.
3. Develop a prioritized list of risk mitigation activities which, if followed, would address the
issues raised in your gap analysis from step 2.