CMGT400 Intro to Information Assurance and Security (University of Phoenix)
Lecture, Week 3
Tom Olzak, MBA, CISSP
Access Control
Mandatory Access Control (MAC) – Administrators tag data and users. An access control solution restricts access according to tags.
Discretionary Access Control (DAC) – Users set and manage security on the information they create, or administrators set access control user-by-user.
Role-based Access Control (RBAC) – The business creates roles based on business processes, separation of duties, least privilege, and need-to-know. Roles are assigned rights and permissions. Users are assigned to roles.
MAC
RBAC
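A small model of the MAC and RBAC slides above, written as an added example for this lecture and not taken from it: MAC compares administrator-assigned tags, while RBAC maps users to roles and roles to rights and enforces a separation-of-duties rule. The clearance levels, role names, permission strings and users are all constructed for illustration.

```python
# Added example (not from the lecture). Levels, roles, users and permission
# names below are constructed; a real deployment would load them from policy.

# MAC: administrators tag data and users; a read is allowed only when the
# user's clearance tag dominates (is at least) the data's classification tag.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_can_read(user_clearance, data_label):
    return LEVELS[user_clearance] >= LEVELS[data_label]

# RBAC: roles are built from business processes and carry only the rights
# each process needs (least privilege / need-to-know); users get roles.
ROLE_PERMISSIONS = {
    "ap_clerk":    {"invoice:create"},
    "ap_approver": {"invoice:approve"},
    "auditor":     {"invoice:read", "ledger:read"},
}
# Separation of duties: nobody may both create and approve invoices.
MUTUALLY_EXCLUSIVE = [frozenset({"ap_clerk", "ap_approver"})]

class Rbac:
    def __init__(self):
        self.user_roles = {}  # user -> set of role names

    def violates_sod(self, user, role):
        """True if adding `role` would give `user` two mutually exclusive roles."""
        held = self.user_roles.get(user, set())
        return any(role in pair and (pair - {role}) & held for pair in MUTUALLY_EXCLUSIVE)

    def assign(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        if self.violates_sod(user, role):
            raise ValueError(f"separation of duties: {user} cannot also hold {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user):
        """A user's rights are exactly the union of their roles' rights."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))

    def can(self, user, permission):
        return permission in self.permissions(user)

if __name__ == "__main__":
    rbac = Rbac()
    rbac.assign("alice", "ap_clerk")
    print(rbac.can("alice", "invoice:create"), rbac.can("alice", "invoice:approve"))
    print(rbac.violates_sod("alice", "ap_approver"))
    print(mac_can_read("confidential", "secret"), mac_can_read("secret", "confidential"))
```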
Standards of Best Practice
COBIT (Control Objectives for Information and Related Technology)
https://www.isaca.org/Pages/default.aspx
ISO/IEC 27002:2005 (Information Technology – Code of Practice for Information Security Management)
http://www.27000.org/iso-27002.htm
ITIL (Information Technology Infrastructure Library)
http://www.itil-officialsite.com/
NIST CSRC (National Institute of Standards and Technology, Computer Security Resource Center)
http://csrc.nist.gov/publications/PubsSPs.html
Firewalls
Block everything, and then open only the port/IP address pairs absolutely required to conduct business
Maintain up-to-date firewall operating systems
Use internally and at the perimeter
Network and host
IPS/IDS
IPS (Intrusion Prevention System)
Detects anomalous packets and network behavior
Alerts or blocks traffic based on administrator-defined rules
Placed in line with traffic
IDS (Intrusion Detection System)
Detects anomalous packets and network behavior
Alerts based on administrator-defined rules
Placed out-of-band
Tuning required
IPS/IDS Example
Business Continuity Planning
Purpose: Enable quick response to business continuity events so critical business process downtime does not exceed maximum tolerable downtime (MTD)
Business continuity event: Any condition, or set of conditions, that interrupts one or more business processes.
Disaster recovery: Restoring business processes following a catastrophic business continuity event.
Plan for worst-case scenarios
Backups
Necessary for disaster recovery
Three types:
Full – Everything backed up
Incremental – Backs up everything that changed since the last backup of any kind
Differential – Backs up everything that changed since the last full backup
Off-site storage necessary
Media types
Tape
Disk
Cloud
Co-location
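To make the three backup types concrete, here is an added example (not part of the lecture) that runs full, incremental and differential backups over a constructed change history and then works out which backups a restore needs. File names and day numbers are made up; the restore-chain rule generalises the slide's definitions to a history that mixes incrementals and differentials.

```python
# Added example (not from the lecture); file names and day numbers are constructed.
from dataclasses import dataclass

@dataclass
class Backup:
    kind: str         # "full", "incremental" or "differential"
    time: int         # day the backup ran
    files: frozenset  # files captured

def changed_since(mtimes, since):
    """Files whose last-modified day is later than `since`."""
    return frozenset(f for f, t in mtimes.items() if t > since)

def take_backup(kind, now, mtimes, history):
    """Run one backup, append it to history, return the files it captured."""
    if kind == "full":
        files = frozenset(mtimes)                         # everything
    elif kind == "incremental":
        if not history:
            raise ValueError("an incremental needs an earlier backup")
        files = changed_since(mtimes, history[-1].time)   # since last backup of any kind
    elif kind == "differential":
        fulls = [b for b in history if b.kind == "full"]
        if not fulls:
            raise ValueError("a differential needs an earlier full backup")
        files = changed_since(mtimes, fulls[-1].time)     # since last full backup
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    history.append(Backup(kind, now, files))
    return files

def restore_chain(history):
    """Labels of the backups needed, oldest first, to rebuild the latest state."""
    full_idx = max(i for i, b in enumerate(history) if b.kind == "full")
    chain, later = [history[full_idx]], history[full_idx + 1:]
    diff_idx = max((i for i, b in enumerate(later) if b.kind == "differential"), default=-1)
    if diff_idx >= 0:
        chain.append(later[diff_idx])  # last differential covers all earlier incrementals
    chain.extend(b for b in later[diff_idx + 1:] if b.kind == "incremental")
    return [f"{b.kind}@day{b.time}" for b in chain]

if __name__ == "__main__":
    mtimes, history = {"a": 0, "b": 0, "c": 0}, []
    take_backup("full", 0, mtimes, history)
    mtimes["a"] = 1
    print(take_backup("incremental", 1, mtimes, history))
    mtimes["b"] = 2
    print(take_backup("differential", 2, mtimes, history))
    print(restore_chain(history))
```

Note that the incremental chain grows with every run while a differential restore needs only the last full plus the last differential; that trade-off between backup size and restore effort is why sites usually pick one scheme and rotate to a new full regularly.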
Aggregate Risk
And again…
Be sure to read ALL assigned reading. Your success in this class depends on it.