access control
alokreddy
access_ppt15_l03.pptxAccess Control, Authentication, and Public Key Infrastructure
Lesson 3
Business Drivers for Access Controls
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
1
Learning Objective
Analyze how a data classification standard impacts an IT infrastructure’s access control requirements and implementation.
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
2
Key Concepts
Business requirements for asset protection
Privacy and privacy laws
Privacy regulations compliance
Access control implementation
Data classification
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3
DISCOVER: CONCEPTS
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Data or Information Assets
An intangible asset with no form or substance:
Paper records
Electronic media
Intellectual property stored in people's heads
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Not every staff member or person requesting access to records has the need, requirement, or authority to receive the information or records
Minimizes unauthorized disclosure of sensitive information
Applies primarily to sensitive records
Need to Know
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Must always be balanced with the need to share
Clear delegation of authority from the originator or staff member who originally applied the classification level
Sensitive information disclosed only to trusted individuals
Need to Know (Continued)
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Refers to security of records and information not in electronic systems and applications
Access is regularly linked to functional responsibilities and not to position or grade
Security or background investigation required
Physical Security of Sensitive Information
Can/Should this information be shared?
Secure storage and limited access
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
DISCOVER: PROCESS
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
ISACA Model for Business Data Classification
.
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
In a hospital, for example, a data classification scheme would identify the sensitivity of every piece of data in the hospital, from the cafeteria menu to patient medical records.
Classified as Public
For use by defined category within job role
Sensitivity-Based Data Classification
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
| United Nations Classification Levels: STRICTLY CONFIDENTIAL CONFIDENTIAL UNCLASSIFIED |
United Nations Data Classification Scheme
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Electronic Records
United Nations Electronic Data Classification
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Data Destruction
Use appropriate secure destruction method for the media and format.
Do not put in trash bins.
Data awaiting destruction should be placed in lockable containers.
Strictly confidential and confidential data is destroyed in accordance with specific guidelines.
.
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Data destroyed in accordance with administrative or operations retention schedule
14
Data Destruction (Continued)
.
Shredder/Degausser
Light office shredder/disintegrator
Electronic media
Portable devices
Portable devices
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Data destroyed in accordance with administrative or operations retention schedule
15
Summary
Data or information assets
Need to know
ISACA business data classification
Data classification
Data destruction
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Virtual Lab
Configuring Windows File System Permissions
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
If your educational institution included the Jones & Bartlett labs as part of the course curriculum, use this script to introduce the lab:
"In this lesson, you learned about the business drivers for access controls. Information has value, can be classified, and can be used competitively; therefore, requires a well-thought-out access control implementation that furthers the goals of the organization.
In the lab for this lesson, you will continue to explore access controls within the Microsoft Windows environment. You will first design and implement a network folder structure based on a scenario provided in the lab. Next, you will create appropriate security groups to suit the requirements in the scenario and then apply the security groups to the folders you created."
3/30/2015
17
OPTIONAL SLIDES
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
09/23/10
(c) ITT Educational Services, Inc.
18
The Life Cycle of an Order
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
09/23/10
(c) ITT Educational Services, Inc.
19
Defense:
Risk: Insecure Direct Object Reference
Use an automated tool for real-time attack.
Monitor parameter manipulation–hidden/static.
Establish baseline configuration.
Risk: Cross-Site Request Forgery
Use an automated tool for real-time attack.
Alert/respond to parameter manipulation.
Use known attack signatures.
Establish baseline/monitor resource changes.
Risk: Security Misconfiguration
Use an automated tool for real-time attack.
Inspect outbound responses.
Investigate application failures.
09/23/10
(c) ITT Educational Services, Inc.
19
Accidental Dissemination
of Electronic Information
Page ‹#›
Access Control, Authentication, and PKI
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
09/23/10
(c) ITT Educational Services, Inc.
20
Defense:
Risk: Insecure Direct Object Reference
Use an automated tool for real-time attack.
Monitor parameter manipulation–hidden/static.
Establish baseline configuration.
Risk: Cross-Site Request Forgery
Use an automated tool for real-time attack.
Alert/respond to parameter manipulation.
Use known attack signatures.
Establish baseline/monitor resource changes.
Risk: Security Misconfiguration
Use an automated tool for real-time attack.
Inspect outbound responses.
Investigate application failures.
09/23/10
(c) ITT Educational Services, Inc.
20
