access control
CHAPTER 2
Business Drivers for Access Controls
Copyright © 2021 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective and Key Concepts
Learning Objective
Analyze how an information classification standard impacts an IT infrastructure’s access control requirements and implementation.
Key Concepts
Business requirements for asset protection
Classification of information
Business drivers for access control
Privacy and privacy laws
Business Requirements for Asset Protection
Protect business assets
Inventory and raw materials are kept secure to avoid theft or damage
Information assets must be kept secure to avoid compromise
Importance of Policy and Senior Management Role
Organizations value intellectual property
Must control access to information to ensure survival
Protecting confidential information involves:
Technical controls
Clear policies and sound business processes that implement those policies
Access control policies are effective only with support of senior executives
Classification of Information
Information classification
The process of assigning information to different categories based on sensitivity
Sensitive information
Classifying sensitive information limits its availability outside of the organization
Classification Schemes
Classification scheme is a method of organizing sensitive information into access levels
Only a person with the approved level of access, referred to as clearance, is allowed to view the information
Every organization has its own method of determining clearance levels
Need to Know and Least Privilege
Need to know
Requester should not receive access just because of his or her clearance, position, or rank
Requester must establish a valid need to see information
Access should be granted only if information is vital for requester’s official duties
Least privilege
A computer user or program should have only the access needed to carry out its job
National Security Classification
US government classifies sensitive information into four categories based on degree of damage to national security if disclosed:
Unclassified
Confidential
Secret
Top Secret
The Freedom of Information Act (FOIA) requires the federal government to disclose records to citizens or organizations that request them. Classified information is exempt from such requests.
Corporations
| Level | Description |
| Public | Information that is freely released to the public |
| Internal | Non-public information but may be released without damaging company |
| Sensitive | Information that could cause serious damage to the company if disclosed |
| Highly sensitive | Information that is extremely damaging to the company if disclosed |
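An added example, not from the textbook, that turns the corporate classification levels above and the need-to-know and least-privilege rules from the earlier slide into one access decision: clearance must dominate the document's level, the document must belong to one of the requester's official duties, and the role must have been granted the specific right. The project names, rights and sample people are constructed for illustration.

```python
from dataclasses import dataclass

# Ordered corporate classification levels from the slide; a higher index
# dominates a lower one, so rank comparison is the clearance check.
LEVELS = ["Public", "Internal", "Sensitive", "Highly sensitive"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Document:
    name: str
    level: str                 # one of LEVELS
    need_to_know: frozenset    # duties (projects) whose work requires this document


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str             # highest level the person is approved for
    duties: frozenset          # projects the person actually works on
    rights: frozenset          # rights granted to the role: "read" and/or "write"


def access_decision(subject: Subject, doc: Document, action: str):
    """Return (allowed, reason); every check must pass for access to be granted."""
    if action not in ("read", "write"):
        return False, "unknown action"
    # Clearance: the subject's approved level must be at least the document's level.
    if RANK[subject.clearance] < RANK[doc.level]:
        return False, f"clearance {subject.clearance} is below {doc.level}"
    # Need to know: for non-public information clearance alone is not enough;
    # the document must be tied to one of the subject's official duties.
    if doc.level != "Public" and not (doc.need_to_know & subject.duties):
        return False, "no need to know"
    # Least privilege: the role must have been granted this specific right.
    if action not in subject.rights:
        return False, f"role was not granted {action}"
    return True, "allowed"


# Constructed sample data (hypothetical documents, projects and people).
PRESS_RELEASE = Document("press-release", "Public", frozenset())
MERGER_PLAN = Document("merger-plan", "Highly sensitive", frozenset({"project-falcon"}))
PAYROLL = Document("payroll", "Sensitive", frozenset({"hr"}))
ANALYST = Subject("analyst", "Sensitive", frozenset({"project-falcon"}), frozenset({"read"}))
CFO = Subject("cfo", "Highly sensitive", frozenset({"project-falcon", "finance"}),
              frozenset({"read", "write"}))
```

Note that the CFO, despite holding the highest clearance, is denied the payroll file because it is not tied to any of the CFO's duties, which is exactly the "clearance alone is not enough" point of the need-to-know rule.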
Reasons for Classification
Damage to the organization if disclosed
Maintain competitive advantage
Protect trade secrets
Protect national security
Declassification
Automatic
Systematic
Mandatory declassification review
Freedom of Information Act (FOIA) request
Personally Identifiable Information (PII)
“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
Privacy Act Information
Privacy Act of 1974
Collection, maintenance and dissemination of PII inside the federal government
Social Security numbers, education, and medical, criminal and employment history
May not be disclosed without written consent
EXCEPTIONS
US Census
Law enforcement
Other administrative purposes
Bureau of Labor Statistics
Congressional investigation
Historically significant documents
Privacy Controls Catalog
National Institute of Standards and Technology (NIST) Special Publication 800-53 (SP 800-53), Appendix J, Privacy Controls
Authority and purpose
Authority to collect PII
Is the purpose of collection clearly stated?
Accountability, audit, and risk management
Implementation of privacy governance, privacy requirements, and support structures
Data quality and integrity
Ensure quality and integrity of PII collected is maintained
Data minimization and retention
Retain only minimum amount of information necessary to carry out stated purpose
Destroy data collected when it is no longer required
Competitive Use of Information
Information about Competitor
Information about a competitor or its products provides a competitive advantage:
Lure customers away
Use contractual information to craft more competitive offers and bids
Vital to keep information secret, like formulas and recipes
Valuation of Information
Strategic importance
Tactical importance
Impact to business
Information as a Competitive Advantage
Information: Allows firms to differentiate themselves from competitors (competitive advantage)
Security: Paramount to a company’s success
Loss: Leads to decrease in market share and reduced profits
Penalties for Improper Disclosure
Penalties for disclosing medical/patient information in violation of the Health Insurance Portability and Accountability Act (HIPAA)
| Description | Penalty |
| Unknowingly disclosed | $100 per violation or record affected |
| Reasonable cause to disclose | $1,000 per violation or record affected |
| Disclosure due to willful negligence situation that is corrected | $10,000 per violation or record affected |
| Disclosure due to willful negligence that is not corrected | $50,000 per violation or record affected |
| Disclosure due to criminal intent | Up to $250,000 and 10 years in jail |
Business Drivers for Access Control
Cost-benefit analysis
Risk assessment
Business facilitation
Cost containment
Operational efficiency
IT risk management
Cost-Benefit Analysis
Cost-benefit analysis
A list of pros and cons to help businesses make decisions
Advantage gained from keeping the information secret
Risks avoided by controlling access to the information
Advantage Gained
Advantages
Is there an advantage to securing information?
Will competitors gain an advantage if they have access to the information?
Is the information already secret?
Risks Avoided
Penalties for allowing sensitive information to be disclosed
Fines, jail time
Undercut by competition
Every organization should know what information it possesses and how important that information is in terms of access control
Risk Assessment
Prioritized list of threats and vulnerabilities
Inventory of assets, including sensitive information
Business Facilitation
Information is the backbone of many business processes
Manufacturing: Inventory and order numbers determine assembly line productivity
Finance: Changing stock prices dictate buy and sell decisions
Controlling access to information is critical for facilitating the day-to-day operations of a business
Operating systems implement access rights by giving users read, write, and execute privileges
Access Levels
No access
Read access
Read-write access
The Life Cycle of an Order
FIGURE 2-1 Access to information through the life cycle of an order.
Cost Containment
What is the cost to a company if a given piece of information is released to the public?
There may be monetary fines for releasing information
The cost to the company would be measured in terms of a competitive advantage or lost productivity
Accidental Dissemination of Electronic Information
FIGURE 2-2 Accidental dissemination of electronic information to unintended recipients.
Operational Efficiency
Too much information or the wrong information reduces operational efficiency
Operational efficiency depends on the right information reaching the right people at the right time
The Right Information, The Right Time, The Right People
The right information
Must have access to the right information necessary to do the job
The right people
Productivity can be impacted if the wrong people have access to information or if too many people are brought into the decision-making process
The right time
The right person must receive information at the right time or productivity and efficiency are impacted
IT Risk Management (1 of 2)
REPORT CONTENTS
Full asset inventory
Vulnerability assessment
Threat assessment
Mitigation plans
Risk assessment policies
IT Risk Management (2 of 2)
Full asset inventory
Contains a list with the location of every major resource within the IT infrastructure
Vulnerability assessment
Examines the weaknesses of the system
Threat assessment
Examines the potential of the weaknesses within the system to be exploited
Mitigation plans
Plans for mitigating vulnerabilities and risks
Risk assessment policies
Describes the company’s policies governing how often a risk assessment should be conducted, methods used, who should be involved, and who is to receive a copy of the report
Controlling Access and Protecting Value (1 of 2)
Importance of internal access controls
Salary and benefit information
Importance of external access controls
Trade secrets, business plans
Implementation of access controls with respect to contractors, vendors, and third parties
Contractors
Conflicts of interest
Security safeguards for equipment
Controlling Access and Protecting Value (2 of 2)
Vendors
Client company is responsible for ensuring the vendor has access controls in place
Use contractual obligations to specify required safeguards
Other third parties
Owner of the property is responsible for ensuring it is handled securely
Conduct due diligence and investigate third party’s access control policies
Case Studies and Examples
Case Study in Access Control Success
Acme Insurance
Customer data in an information store
Sharing data incorrectly could violate federal law or expose proprietary information
Solution: Multilayered access control list
Case Study in Access Control Failure
Company X
Physical security breach resulted in exposure of trade secrets
Summary
Business requirements for asset protection
Classification of information
Business drivers for access control
Privacy and privacy laws