Assignment (LK10)


Applying the Security Policy Framework to an Access Control Environment (3e) Access Control and Identity Management, Third Edition - Lab 10

Student: HARSHAVARDHAN POCHARAM
Email: hpocharam@ucumberlands.edu

Time on Task:
Progress: 100%

Report Generated: Sunday, June 20, 2021 at 9:45 AM

Guided Exercises

Part 1: Evaluate a Security Policy

2. Evaluate the policy document against the NIST best practices summarized above. Identify by number which, if any, of the eight best practices the policy satisfies. For each practice that you identify, provide a reference to the statement in the policy that aligns with that best practice.

In line with relevant policy, the information system enforces permitted authorizations for regulating the flow of information inside the system and between interconnected systems. Information flow control governs where information is permitted to move inside and across information systems (rather than who is authorised to access the information), with no consideration for later accesses to that information. The following are a few instances of flow control restrictions: preventing export-controlled data from being sent over the Internet in clear text, blocking outside traffic posing as internal traffic, and not forwarding any web requests to the Internet that are not from the internal web proxy.
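The three flow control restrictions listed above are concrete enough to express as rules at an enforcement point. The following is an added example written for this write-up (it is not part of the lab's policy document, NIST SP 800-53 or any product): it models a hypothetical boundary device that checks each flow against the anti-spoofing, clear-text export and web-proxy rules. The internal address ranges, the proxy address and the sample flows are all constructed for the example.

```python
"""Illustrative information-flow enforcement check (added example).

Models the three restrictions quoted in the answer above as explicit rules
applied by a hypothetical boundary device. Address ranges, proxy address
and sample flows are constructed for this example, not taken from any
real environment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Assumed internal address space and the single sanctioned web proxy.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WEB_PROXY = ip_address("10.0.0.5")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    ingress: bool                  # True if the packet arrived on the external interface
    export_controlled: bool = False  # payload is classified as export-controlled data
    encrypted: bool = True           # payload is protected in transit (e.g. TLS)


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (decision, reason) for one flow; decision is 'allow' or 'deny'."""
    # Rule: outside traffic must not pose as internal traffic (anti-spoofing).
    if flow.ingress and is_internal(flow.src):
        return "deny", "external traffic with an internal source address"

    outbound = (not flow.ingress) and is_internal(flow.src) and not is_internal(flow.dst)
    if outbound:
        # Rule: export-controlled data may not leave in clear text.
        if flow.export_controlled and not flow.encrypted:
            return "deny", "export-controlled data in clear text to the Internet"
        # Rule: only the internal web proxy may forward web requests to the Internet.
        if flow.dst_port in WEB_PORTS and ip_address(flow.src) != WEB_PROXY:
            return "deny", "web request to the Internet not from the internal web proxy"

    return "allow", "no flow control rule violated"


def audit(flows: List[Flow]) -> List[str]:
    """Evaluate a batch of flows and return just the decisions, in order."""
    return [evaluate(f)[0] for f in flows]


# Constructed sample flows exercising each rule.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.0.0.9", 443, ingress=True),                     # ordinary inbound
    Flow("10.0.0.9", "198.51.100.20", 443, ingress=True),                    # spoofed source
    Flow("10.0.2.4", "198.51.100.20", 25, ingress=False,
         export_controlled=True, encrypted=False),                           # clear-text export
    Flow("10.0.2.4", "198.51.100.20", 443, ingress=False),                   # web, bypassing proxy
    Flow("10.0.0.5", "198.51.100.20", 443, ingress=False),                   # web, via proxy
    Flow("10.0.2.4", "10.0.3.7", 443, ingress=False),                        # internal to internal
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src, "->", f.dst, f.dst_port, evaluate(f))
```

The ordering matters: the anti-spoofing check runs first so that a spoofed packet is never treated as legitimate outbound traffic, and the proxy rule keys on the source address rather than the destination, since the policy statement restricts who may originate web requests, not where they go.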

3. Suggest how you would revise the policy to directly align with the standards. Provide specific statements that you would add/modify in the policy.

An access control policy for the assets in scope must be created, recorded, and evaluated on a regular basis, taking into consideration the business's needs. The information security risks around the information, as well as the organization's appetite for managing them, should be reflected in the access control rules, rights, and limitations, as well as the level of the controls utilised. Simply put, access control refers to who needs to know, who needs to utilise, and how much access they have. Permission limits on user accounts, as well as restrictions on who may access particular physical areas, are examples of access controls that can be both digital and physical in origin.

• Clarify who needs to access, know, and use the information, backed by written processes and responsibilities;
• Take into consideration the security requirements of business applications and link them with the information classification system in use according to Asset Management;
• Access control rules should be backed by formal processes and specified duties, as well as by adding in-life modifications. Changes in roles, in particular during exits, need a review of access control

Page 1 of 4


4. Describe whether this document is best titled as a policy or whether it would be better described using another element of the policy framework.

This document is best titled as a policy since policy aids in the achievement of the enterprise's objectives and provides just a general framework, leaving interpretation to subordinates so that their initiative is not impeded.

Part 2: Review a Security Configuration Standard

3. Describe the process that the Center uses to ensure that its standards represent the consensus of the cybersecurity community.

The purpose of access control is to reduce the danger of unauthorised access to physical and logical systems posing a security risk. Access control is a critical component of security compliance programmes because it guarantees that security technology and access control rules are in place to safeguard sensitive data, such as customer information. In most companies, entry to networks, computer systems, applications, files, and important information, such as personally identifiable information (PII) and intellectual property, is limited by infrastructure and processes. Access control rules ensure, through authentication and authorisation, that users are who they say they are and have proper access to corporate data.

5. Identify the section of the recommendations that achieves this goal.

One of the most basic IT controls for ensuring system security and data integrity is system access restriction. When it comes to implementing effective system access restrictions, there are several factors to consider. Access control verifies login credentials, such as user names and passwords, PINs, biometric scans, and cryptographic keys, to identify users. Multifactor authentication, a mechanism that requires several authentication methods to confirm a user's identity, is included in many access control systems. The restriction of access is a crucial component of IT security. It's also worth remembering that protection isn't just dependent on technology, but also on human conduct. Policies, education, and communication are critical, and successful implementation of effective access controls requires strong management support.


7. For each of the five best practices in the previous step, classify the practice as:

Satisfied (indicate the recommendation number that achieves the best practice)
Violated (indicate the recommendation number that violates the best practice)
Not addressed

Satisfied: recommendation numbers 1, 2
Violated: recommendation numbers 3, 4
Not addressed: recommendation number 5


Challenge Exercise

Select three specific statements included in the standard that you drew from your own experience that are covered by the industry best practice document that you selected. For each of these three statements:

Identify the section of your standard.

Identify the section of the industry best practices that covers the same topic.

Identify whether the standard you selected satisfies or violates the industry best practice.

Provide a rationale for your conclusion.

* Logging onto university information technology resources, such as servers, printers, routers, or computers, from a remote location is only possible via secure, authorised, and centrally controlled access methods. Furthermore, only secure, authenticated, and centrally controlled access methods are authorised to access university information that may be extremely sensitive or restricted.

* An identity and access management system helps automate the onboarding process, ensuring that employees begin with the appropriate rights. This relieves your IT team of the effort of onboarding each new employee. Furthermore, it reduces the time it takes to onboard a new employee from months to hours. Furthermore, automated onboarding pushes your IT staff to identify which rights are required for each job, enhancing your identity governance capabilities.

* The standard I chose complies with industry best practices.

* Enforcing best practices for identity and access management helps you to know who has access to sensitive information and under what situations. Identity and Access Management is a crucial and beneficial technique for safeguarding company data and systems. It may ensure that only authenticated and authorised people have access to the systems and data they need to do their jobs if it is correctly built and used.
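The automated onboarding described above, together with the earlier point that role changes and exits require a review of access, is usually implemented as role-based provisioning with joiner/mover/leaver reconciliation. The following is an added example written for this write-up, not code from any IAM product or from the university standard: the role names, entitlement strings and the sample identities are constructed, and a real system would drive the grant/revoke actions through connectors to the target directories and applications.

```python
"""Illustrative role-based provisioning with joiner/mover/leaver reconciliation
(added example). Roles, entitlements and identities are constructed for this
example; no real directory or application is contacted.
"""
from typing import Dict, Set

# Assumed role model: each job role maps to the entitlements it requires and nothing more.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "student": {"lms:read", "mail:mailbox", "vpn:student"},
    "faculty": {"lms:read", "lms:grade", "mail:mailbox", "vpn:staff", "research-share:rw"},
    "it-admin": {"mail:mailbox", "vpn:staff", "ad:helpdesk", "servers:ssh"},
}


def entitled(roles: Set[str]) -> Set[str]:
    """Entitlements justified by the given roles. Unknown roles are rejected rather than ignored."""
    unknown = roles - ROLE_ENTITLEMENTS.keys()
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    result: Set[str] = set()
    for role in roles:
        result |= ROLE_ENTITLEMENTS[role]
    return result


def reconcile(current: Set[str], roles: Set[str]) -> Dict[str, Set[str]]:
    """Grant/revoke actions that bring `current` in line with what `roles` justify.

    Joiner:  current is empty, roles are the starting job role(s).
    Mover:   roles changed, so surplus rights are revoked and new ones granted.
    Leaver:  roles is empty, so every entitlement is revoked.
    """
    target = entitled(roles)
    return {"grant": target - current, "revoke": current - target}


def review(current: Set[str], roles: Set[str]) -> Set[str]:
    """Access review: entitlements held that no current role justifies (stale or orphaned)."""
    return current - entitled(roles)


def apply(current: Set[str], roles: Set[str]) -> Set[str]:
    """Return the entitlement set after executing the reconciliation plan."""
    plan = reconcile(current, roles)
    return (current - plan["revoke"]) | plan["grant"]


# Constructed identity lifecycle: join as student, move to faculty, then leave.
def lifecycle_demo() -> Dict[str, Set[str]]:
    held: Set[str] = set()
    held = apply(held, {"student"})          # joiner
    held = apply(held, {"faculty"})          # mover: review happens implicitly via revoke
    stale = review(held | {"servers:ssh"}, {"faculty"})  # an out-of-role right left behind
    held = apply(held, set())                # leaver: everything revoked
    return {"after_leave": held, "stale_found": stale}


if __name__ == "__main__":
    print(reconcile(set(), {"student"}))
    print(reconcile(ROLE_ENTITLEMENTS["student"], {"faculty"}))
    print(lifecycle_demo())
```

The point of computing the plan as a set difference is that a mover's old rights are revoked automatically rather than accumulating, which is the failure the "review of access control on role change" requirement is meant to prevent; `review` then catches anything granted outside the role model, such as a right added by hand during an incident.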
