© ITT Educational Services, Inc. All rights reserved.

Uploaded by brook-cole, 14 Dec 2015

Page 1

IS3230 Access Security

Unit 4

Developing Access Control Policy Framework

Page 2

Class Agenda 10/8/15

Learning Objectives
Lesson Presentation and Discussions
Discussion of class project
Lab Activities will be performed in class
Assignments will be given in class
Break Times: 10 minutes break in every 1 hour
Note: Submit all assignments and labs due today.

Page 3

Learning Objective and Key Concepts

Learning Objective
Develop an access control policy framework consisting of best practices for policies, standards, procedures, and guidelines to mitigate unauthorized access.

Key Concepts
Regulatory laws concerning unauthorized access
Security breaches
Organization-wide authorization and access policy
Access control and data classification policies

Page 4

Regulatory laws concerning unauthorized access

Regulators have created a large and growing set of regulations and frameworks aimed at enforcing protection of information, privacy, and transparency of information.

For example, HIPAA for healthcare, GLBA for financial services, and Sarbanes-Oxley for public companies.

Page 5

Motivation

Congress passed the Sarbanes-Oxley Act of 2002 (SOX) to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.

The financial systems in scope typically employ relational databases, so SOX compliance projects include database security and auditing implementations.

Page 6

Gramm-Leach-Bliley Act (GLBA)

Also called the Financial Services Modernization Act of 1999 or the Citigroup Relief Act.

Defines various requirements designed to protect the privacy of customers of financial institutions.

Page 7

Gramm-Leach-Bliley Act (GLBA)

Ensure the security and privacy of customer information

Protect against threats to the security and integrity of customer information

Protect against unauthorized access and/or usage of this information that could result in harm or inconvenience to the customer

Page 8

Sarbanes-Oxley Act of 2002 (SOX or SarBox)

SOX addresses many areas that affect the accuracy and transparency of financial reporting.

It enforces accountability for financial record keeping and reporting at publicly traded corporations.

Page 9

Sarbanes-Oxley Act of 2002 (SOX or SarBox)

IT people focus on Section 404, which requires management to report on the effectiveness of the company’s internal control over financial reporting.

Page 10

Sarbanes-Oxley Act of 2002 (SOX or SarBox)

It requires management to develop and monitor procedures and controls for making assertions about the adequacy of internal controls over financial reporting.

This is management's responsibility and cannot be delegated or abdicated. Management must document and evaluate the design and operation of its internal control.

Page 11

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Objective
• Guarantee health insurance coverage of employees
• Reduce health care fraud and abuse
• Protect the health information of individuals against access without consent or authorization

Page 12

Access Control Policy Framework

Identifies the importance of protecting assets and leading practices to achieve protection

Beneficial for documenting management understanding and commitment to asset protection

Page 13

Policy Mapping

(Diagram: Laws, Regulations, Requirements, Organizational Goals and Objectives feed General Organizational Policies and Functional Policies, which are implemented through Procedures, Standards, Guidelines and Baselines.)

Page 14

Policies

Policies are statements of management intentions and goals

Senior Management support and approval is vital to success

General, high-level objectives: acceptable use, internet access, logging, information security, etc.

Page 15

Procedures

Procedures are detailed steps to perform a specific task

Usually required by policy: decommissioning resources, adding user accounts, deleting user accounts, change management, etc.

Page 16

Standards

Standards specify the use of specific technologies in a uniform manner

Requires uniformity throughout the organization: operating systems, applications, server tools, router configurations, etc.

Page 17

Guidelines

Guidelines are recommended methods for performing a task

Recommended, but not required: malware cleanup, spyware removal, data conversion, sanitization, etc.

Page 18

Baselines

Baselines are similar to standards but account for differences in technologies and versions from different vendors

Operating system security baselines
• FreeBSD 6.2, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc.

Page 19

Access Control Policies

Explicitly state responsibilities and accountabilities for achieving the framework principles
Establish and embed management's commitment
Authorize the expenditure of resources
Inform those who need to know
Provide later documents for consultation to verify achievement of objectives

Page 20

Access Control Procedures and Guidelines

Procedures:
Tell how to do something
Step-by-step means to accomplish a task
Become "knowledge" transfer

Page 21

Access Control Procedures and Guidelines (Continued)

Guidelines:
Are generally accepted practices
Not mandatory
Allow implementation
May achieve objective through alternate means

Page 22

Password Management Controls

Log accesses and monitor activities
Validation programs
Enforce password changes at reasonable intervals
Expiry policy to lock accounts after a period of nonuse

Page 23

Password Management Controls (Continued)

Audit logs to review for successful and failed attempts
Password policy
Privacy policy
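The controls on the two slides above, as an added example that is not part of the original course material: a Python script that reviews a constructed authentication log for successful and failed attempts per account, flags a burst of failures against one account, lists accounts to lock under a dormancy expiry policy, and lists passwords older than a change interval. The log format, host and account names, dates, and the thresholds (5 failures in 5 minutes, 30 days idle, 90-day password age) are assumptions made for the example, not values from the slides or from any product.

```python
# Added example: reviewing an authentication audit log for the password
# management controls on the slides. The log format, account register, dates
# and thresholds below are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: one authentication attempt per line
SAMPLE_LOG = """\
2015-10-01T08:02:11 auth host=srv1 user=alice result=success src=10.0.0.5
2015-10-01T08:05:40 auth host=srv1 user=bob result=failure src=10.0.0.9
2015-10-01T08:05:52 auth host=srv1 user=bob result=failure src=10.0.0.9
2015-10-01T08:06:03 auth host=srv1 user=bob result=failure src=10.0.0.9
2015-10-01T08:06:15 auth host=srv1 user=bob result=failure src=10.0.0.9
2015-10-01T08:06:27 auth host=srv1 user=bob result=failure src=10.0.0.9
2015-10-01T08:07:00 auth host=srv1 user=bob result=success src=10.0.0.9
2015-08-20T17:44:19 auth host=srv2 user=carol result=success src=10.0.0.7
2015-10-07T09:15:00 auth host=srv2 user=alice result=success src=10.0.0.5
"""

# Constructed account register: every account that exists, whether or not it
# appears in the log, plus the date each password was last changed
KNOWN_USERS = ["alice", "bob", "carol", "dave"]
PASSWORD_LAST_CHANGED = {
    "alice": datetime(2015, 9, 1),
    "bob": datetime(2015, 6, 15),
    "carol": datetime(2015, 8, 1),
    "dave": datetime(2015, 10, 1),
}
AS_OF = datetime(2015, 10, 8)  # date the review is run


def parse_log(text):
    """Turn the syslog-like lines into dicts with a datetime and key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _kind, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), **fields})
    return events


def summarize_attempts(events):
    """Successful and failed attempts per account (the audit-log review)."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for ev in events:
        counts[ev["user"]][ev["result"]] += 1
    return dict(counts)


def brute_force_suspects(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts that saw >= threshold failures inside any sliding time window."""
    recent = defaultdict(list)  # user -> failure timestamps still inside the window
    suspects = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "failure":
            continue
        bucket = recent[ev["user"]]
        bucket.append(ev["ts"])
        while ev["ts"] - bucket[0] > window:  # expire failures older than the window
            bucket.pop(0)
        if len(bucket) >= threshold:
            suspects.add(ev["user"])
    return sorted(suspects)


def dormant_accounts(events, known_users, as_of, max_idle=timedelta(days=30)):
    """Accounts to lock under the expiry policy: no successful login within
    max_idle, or never logged in at all (absent from the log entirely)."""
    last_ok = {}
    for ev in events:
        if ev["result"] == "success":
            last_ok[ev["user"]] = max(last_ok.get(ev["user"], ev["ts"]), ev["ts"])
    return sorted(u for u in known_users
                  if u not in last_ok or as_of - last_ok[u] > max_idle)


def password_change_due(last_changed, as_of, max_age=timedelta(days=90)):
    """Accounts whose password is older than the policy's change interval."""
    return sorted(u for u, when in last_changed.items() if as_of - when > max_age)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("attempts per account:", summarize_attempts(events))
    print("brute-force suspects:", brute_force_suspects(events))
    print("lock as dormant:", dormant_accounts(events, KNOWN_USERS, AS_OF))
    print("force password change:", password_change_due(PASSWORD_LAST_CHANGED, AS_OF))
```

Two caveats for anyone turning this into a real control. The lockout itself belongs in the authentication source (PAM, Active Directory, the IdP), not in a review script; the script's job is to produce the evidence the audit review asks for. And the 90-day interval illustrates the slide's "reasonable intervals" only: NIST SP 800-63B (2017) advises against forced periodic password rotation unless there is evidence of compromise, so an organization updating this policy today would lean on breach-list screening and monitoring rather than calendar expiry.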

Page 24

Password Control Issues

Users:
• Choose easy to guess passwords
• Share passwords
• Often forget passwords

Passwords are vulnerable to hacker attacks

Page 25

Discussion on Security Breaches

Page 26

Access Control Failures

People: insiders and outsiders.

Technology

Page 27

Access Control Principles

Minimal privilege or exposure
Regular monitoring of access privileges
Need to know basis for allowing access
Physical, logical, and integrated access controls
Monitor logs and correlate events across systems

Page 28

Layered Security and Defense-in-Depth Mechanisms

(Diagram labels: Need to Know; Physical; RBAC; MAC; Least Privilege; Layered Security; Defense-in-Depth Security; Firewalls; Intrusion Prevention System (IPS)/Intrusion Detection System (IDS); Operating System (OS))

Page 29

Prevalent Insider Threats

Type of Threat                                  Organizations Reporting Issue
Misuse of Portable Storage                      57 %
Software Downloading                            56 %
Peer to Peer (P2P) File Sharing                 54 %
Remote Access Programs                          53 %
Rogue Wireless Fidelity (Wi-Fi) Access Points   48 %
Rogue Modems                                    47 %

Page 30

Prevalent Insider Threats (Continued)

Type of Threat                                  Organizations Reporting Issue
Media Downloading                               40 %
Personal Digital Assistants (PDAs)              40 %
Unauthorized Blogging                           25 %
Personal Instant Message (IM) Accounts          24 %

Source: Edward Cone, 2009-03-25. The survey included 100 IT security professionals and executives.


Page 33

How Much Access will the User Need?

What functions do the users perform?
Are any of the functions incompatible?
Do some of the functions cause conflicts of duties?
How will conflicting duties or functions be evaluated and reviewed?
How will separation of duties be reviewed and approved?
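The incompatible-function and separation-of-duties questions above are usually answered with a conflict matrix: a list of function pairs one person must never hold together, checked against current assignments and again before every new grant. As an added example that is not part of the course material, the Python below runs that check over constructed data. The users, function names, toxic pairs and the approved-exception register are hypothetical; real matrices are built with the business owners of each process.

```python
# Added example: separation-of-duties (SoD) conflict check. The role
# assignments, toxic pairs and exception register are constructed for this
# example, not taken from any organization.

# Which functions each user currently holds (constructed sample data)
ROLE_ASSIGNMENTS = {
    "alice": {"ap_invoice_entry", "ap_payment_approval"},
    "bob": {"ap_invoice_entry"},
    "carol": {"vendor_master_maintenance", "ap_payment_approval"},
    "dave": {"developer", "production_deploy"},
}

# Pairs of functions one person must never hold together (the SoD matrix)
TOXIC_PAIRS = [
    ("ap_invoice_entry", "ap_payment_approval"),           # enter and approve own invoices
    ("vendor_master_maintenance", "ap_payment_approval"),  # create a vendor and pay it
    ("developer", "production_deploy"),                    # write code and push it live
]

# Conflicts a reviewer has accepted with a compensating control. Key is
# (user, frozenset of the conflicting functions); value is the justification.
EXCEPTIONS = {
    ("carol", frozenset({"vendor_master_maintenance", "ap_payment_approval"})):
        "dual approval on all payments; reviewed by finance controller 2015-09",
}


def find_conflicts(assignments, toxic_pairs):
    """Return (user, frozenset(pair)) for every toxic pair a user fully holds."""
    conflicts = []
    for user, funcs in sorted(assignments.items()):
        for a, b in toxic_pairs:
            if a in funcs and b in funcs:
                conflicts.append((user, frozenset((a, b))))
    return conflicts


def unapproved_conflicts(conflicts, exceptions):
    """Conflicts with no approved compensating control: these need remediation."""
    return [c for c in conflicts if c not in exceptions]


def check_grant(assignments, toxic_pairs, user, new_func):
    """Pre-provisioning check: which functions the user already holds would
    conflict with new_func? An empty list means the grant can proceed."""
    held = assignments.get(user, set())
    blockers = []
    for a, b in toxic_pairs:
        if new_func == a and b in held:
            blockers.append(b)
        elif new_func == b and a in held:
            blockers.append(a)
    return sorted(blockers)


if __name__ == "__main__":
    found = find_conflicts(ROLE_ASSIGNMENTS, TOXIC_PAIRS)
    for user, pair in found:
        key = (user, pair)
        status = "APPROVED: " + EXCEPTIONS[key] if key in EXCEPTIONS else "REMEDIATE"
        print(f"{user}: {' + '.join(sorted(pair))} -> {status}")
    print("grant bob ap_payment_approval blocked by:",
          check_grant(ROLE_ASSIGNMENTS, TOXIC_PAIRS, "bob", "ap_payment_approval"))
```

The exception register is what makes the "how will separation of duties be reviewed and approved?" question answerable: an accepted conflict stays visible with its compensating control and review date instead of silently disappearing from the report, and it should be re-reviewed on the same cycle as the access privileges themselves.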

Page 34

How Much Access will the User Need? (Continued)

What internal controls, administrative, technical, and operational, are in place?
Who will review the controls and how often?
Will information be shared internally, externally, or both?
Is approval required before sharing data externally?
Is a data classification policy in place?

Page 35

Third Party Considerations

Contract, strategic partner, and legal requirements
Authentication methods, data classification, and data storage and recovery
Means of sharing data
Monitor access and violations
Service level agreements

Page 36

Security Awareness Training Facts

Information technology (IT) security surveys conducted by well-known accounting firms found the following:
Many organizations have some awareness training.
Most awareness programs omitted important elements.
Less than 25% of organizations had no way to track awareness program effectiveness.
Source: http://www.lumension.com/Resources/Resource-Center/Protect-Vital-Information-Minimize-Insider-Risks.aspx

Page 37

Class Project

Research and write a 3-page access security policy for an organization.
Use the appropriate research writing style recommended by the School.
Submit your research outline in the next class.

Page 38

Lab Activities

Lab # 4: Identify and Classify Data for Access Control Equipment.

Complete the lab activities and submit the answers to the next class.

Page 39

Unit 4 Assignments

Complete Chapter 4 Assessment, pages 95 and 96, questions 1 to 12. Print and submit in the next class.

Reading assignment: Read Chapter 5 before the next class.