
Conducting a Risk Assessment of an Access Control System (3e) Access Control and Identity Management, Third Edition - Lab 02

Introduction

No access control system is perfect. The reality of operating any complex technical system is that it will always have deficiencies that expose the organization to risk. In the grander scheme of things, those risks are just a few of the many that the organization balances on a daily basis. Risk assessments provide a mechanism for organizations to identify and evaluate the risks they face and to develop a prioritized list of actions they may take to reduce those risks to an acceptable level. Cybersecurity professionals often find themselves responsible for conducting risk assessments using industry standards. These standards may come as sets of best practices from industry organizations or, commonly, as regulatory requirements imposed by governments or self-regulatory bodies. Security professionals conducting assessments against these standards will normally review the standard and compare it with the security controls currently in place. This produces a gap analysis that identifies areas in which the organization deviates from the requirement. Security professionals then develop a prioritized set of remediation activities that mitigate those risks to an acceptable level. It is very important to prioritize that list: there are often far too many risks to address all of them, and the organization should spend its limited resources on those that pose the most significant risk. When encountering risks, organizations have four different options for handling the risk:

Risk mitigation includes activities designed to reduce the likelihood or impact of a risk.

Risk avoidance changes business practices to render a risk irrelevant.

Risk transference moves the impact of the risk to another organization.

Risk acceptance decides to continue operations as normal despite the risk.

In this lab, you will learn about the risk assessment process for access control systems. After reviewing the requirements of two regulatory standards covering access control systems, you will review a scenario and conduct a risk assessment of the access control system in that scenario. You will then design a set of remediation activities that would address those risks.

Lab Overview

This lab has two parts, which should be completed in the order specified.

1. In the first part of the lab, you will explore two different risk-assessment models that may be applied to access control systems.

Page 1 of 7


2. In the second part of the lab, you will apply one of those models to conduct a compliance risk assessment of an access control system. You will then identify actions that you can take to remediate any deficiencies identified during your risk assessment.

Finally, if assigned by your instructor, you will complete a series of challenge exercises that allow you to use the skills you learned in the lab to conduct independent, unguided work - similar to what you will encounter in a real-world situation.

Learning Objectives

Upon completing this lab, you will be able to:

1. Explain the risk assessment process.

2. Describe the differences between the levels of specification in the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

3. Given a scenario, identify risks in an access control system.

4. Given a scenario, design remediation activities to mitigate risks.

Deliverables

Upon completion of this lab, you are required to provide the following deliverables to your instructor:

Comparison of the PCI DSS and HIPAA access control requirements

Listing of five control gaps

Listing of five remediation strategies

Challenge Exercise (if assigned)


Guided Exercises

Note: In this section of the lab, you will follow a step-by-step walk-through of the objectives for this lab to produce the expected deliverable(s).

1. Review the Common Lab Tasks for Theory Labs document.

Frequently performed tasks, such as recording your answers and downloading your Lab Report, are explained in the Common Lab Tasks for Theory Labs document. You should review these tasks before starting the lab.

2. Proceed with Part 1.

Part 1: Research Risk Assessment Standards

Note: In this part of the lab, you will review the access control requirements created by two different regulatory standards. The Payment Card Industry Data Security Standard (PCI DSS) is a self-regulatory standard imposed upon all businesses involved in the processing of credit card transactions. It contains over 10 pages of detailed requirements for access control systems. The HIPAA Security Rule is a higher-level standard that provides implementation guidance for securing systems that process electronic protected health information.

1. In your browser, navigate to https://www.pcisecuritystandards.org/ and retrieve a copy of the current version of the Payment Card Industry Data Security Standard (PCI DSS) from the website’s document library.

PCI DSS is a regulatory framework for organizations involved in the storage, processing, and transmission of credit card information. The standard is quite lengthy and covers many aspects of cybersecurity. The 12 major requirements in this standard are often described as the “Digital Dozen” of credit card security.

2. Review the “Implement Strong Access Control Measures” section of the PCI DSS document.

This section includes three requirements, each of which has several pages of detail:

Requirement 7: Restrict access to cardholder data by business need to know.

Requirement 8: Identify and authenticate access to system components.


Requirement 9: Restrict physical access to cardholder data.

3. In your browser, navigate to https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf and review Section 164.312 of the HIPAA Security Rule on pages 66-67.

This section provides the technical safeguards required for operating a HIPAA-compliant system, including the standards for access control.

4. Compare the requirements for access control systems in the PCI DSS to those in the HIPAA Security Rule. Describe the level of detail found in each standard and in what ways each standard might be easier or more challenging to meet than the other.

Part 2: Conduct a Risk Assessment

Note: In this part of the lab, you will review an access control system against the PCI DSS risk assessment framework. Your task is to identify any gaps that might exist between the existing system and the requirements in the standard. You are the security administrator for Ricky’s Fried Chicken, a franchised fried chicken restaurant. The restaurant accepts credit cards and, as such, is subject to the provisions of PCI DSS. You are conducting a risk assessment of the point-of-sale (POS) system used by the chain against the access control provisions of PCI DSS. The POS uses the architecture shown below:


Figure: POS Architecture (diagram not reproduced in this text)

The links between the data center and the stores are all over strongly encrypted VPN connections. Currently, each cashier has the ability to log on to the POS system at any store. Managers have the ability to log on to the POS systems, as well as the back-end servers. Cashiers use generic “cashier1,” “cashier2,” and “cashier3” accounts while managers each have personal accounts. All users log on using a strong password. The organization has the following password requirements:

Passwords must be at least eight characters long and must be changed every 180 days.

Users are locked out for one hour after 10 unsuccessful login attempts.

Users are logged out after 10 minutes of inactivity.

The organization has written cardholder security policies, and managers and IT staff review them on an annual basis, signing logs to document their review. IT staff conduct a semiannual review to remove the accounts of any managers who have left the organization.

1. Conduct a risk analysis of this environment using the version of PCI DSS that you downloaded in Part 1 of this lab. Document at least five control gaps that exist in the environment. You may make assumptions about information not provided in this scenario, if necessary.

2. Identify controls that will mitigate each of the five deficiencies you identified in the previous step. Create a prioritized list of these actions.
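The Introduction describes the assessment workflow (compare the standard with the controls in place, record the gaps, prioritize remediation), and Part 2 asks you to run that workflow on the scenario above. The following script is an added example, not part of the lab or of PCI DSS: it encodes the scenario's access-control configuration as data, checks it against a baseline, and returns the gaps in priority order. The baseline control labels, thresholds and severity ranks are assumptions chosen for illustration; replace them with the requirement numbers, text and values from the version of PCI DSS you downloaded in Part 1 before treating any result as a finding.

```python
"""Toy gap analysis: compare an access-control configuration with a baseline.

Added example. The SCENARIO values mirror the Ricky's Fried Chicken
description in the lab; the BASELINE thresholds and control ids are ASSUMED
illustrative values, not quotations from PCI DSS.
"""
from dataclasses import dataclass
from typing import Any, Callable

# Constructed: the scenario's current access-control configuration.
SCENARIO = {
    "password_min_length": 8,
    "password_max_age_days": 180,
    "lockout_threshold_attempts": 10,
    "lockout_duration_minutes": 60,
    "idle_timeout_minutes": 10,
    "shared_cashier_accounts": True,        # cashier1 / cashier2 / cashier3
    "cashier_access_all_stores": True,      # any cashier can log on at any store
    "terminated_account_review_months": 6,  # leavers removed at a semiannual review
}


@dataclass(frozen=True)
class Check:
    control_id: str               # assumed label; map it to the real requirement number
    description: str
    setting: str                  # key in the configuration dict
    passes: Callable[[Any], bool]
    expected: str                 # human-readable target value
    severity: int                 # 1 = highest; assumed ranking used for prioritization


# ASSUMED baseline: every threshold here is an illustrative placeholder.
BASELINE = [
    Check("ACCT-UNIQUE", "Each user has a unique account; no shared or generic logins",
          "shared_cashier_accounts", lambda v: v is False, "no shared accounts", 1),
    Check("ACCT-NTK", "Access limited to what the job requires (need to know)",
          "cashier_access_all_stores", lambda v: v is False, "home store only", 2),
    Check("TERM", "Terminated users' access revoked promptly",
          "terminated_account_review_months", lambda v: v == 0,
          "revoked at termination, not at a periodic review", 2),
    Check("PWD-LEN", "Minimum password length",
          "password_min_length", lambda v: v >= 12, ">= 12 characters", 3),
    Check("PWD-AGE", "Maximum password age",
          "password_max_age_days", lambda v: v <= 90, "<= 90 days", 3),
    Check("LOCK-N", "Lockout after repeated failed logins",
          "lockout_threshold_attempts", lambda v: v <= 10, "<= 10 attempts", 4),
    Check("LOCK-T", "Lockout duration",
          "lockout_duration_minutes", lambda v: v >= 30, ">= 30 minutes", 4),
    Check("IDLE", "Idle session timeout",
          "idle_timeout_minutes", lambda v: v <= 15, "<= 15 minutes", 4),
]


@dataclass(frozen=True)
class Gap:
    control_id: str
    description: str
    observed: Any
    expected: str
    severity: int


def gap_analysis(config, baseline=BASELINE):
    """Return the baseline controls the configuration fails, highest severity first."""
    gaps = []
    for check in baseline:
        observed = config[check.setting]
        if not check.passes(observed):
            gaps.append(Gap(check.control_id, check.description, observed,
                            check.expected, check.severity))
    # Severity first, then control id, so the ordering is stable and reviewable.
    return sorted(gaps, key=lambda g: (g.severity, g.control_id))


def remediation_plan(gaps, handling=None):
    """Pair each gap with a risk-handling option (mitigate, avoid, transfer, accept).

    `handling` maps control_id -> option; anything unmapped defaults to "mitigate".
    Returns (rank, control_id, option, action) tuples in priority order.
    """
    handling = handling or {}
    plan = []
    for rank, g in enumerate(gaps, start=1):
        option = handling.get(g.control_id, "mitigate")
        action = f"{g.description}: observed {g.observed!r}, target {g.expected}"
        plan.append((rank, g.control_id, option, action))
    return plan


if __name__ == "__main__":
    for rank, cid, option, action in remediation_plan(gap_analysis(SCENARIO)):
        print(f"{rank}. [{option}] {cid} - {action}")
```

Against the assumed baseline, the scenario fails five checks (shared cashier accounts, cashiers able to log on at any store, leavers removed only at the semiannual review, and the password length and age settings) and passes the lockout and idle-timeout checks; that split will change once you substitute the real requirement values. The `handling` map lets you record a different decision than mitigation for a gap (for example, accepting a low-severity one) while keeping the prioritized list intact.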


Challenge Exercise

Note: The following exercise is provided to allow independent, unguided work - similar to what you will encounter in a real situation.

For this part of the lab, you should consider a technology system that you are familiar with from either your employment, academic institution, and/or personal life. Answer the following questions for the system:

1. What risk assessment standard would be the best approach for evaluating this system? Depending on the system, you may use one of the standards already discussed in this lab or identify an alternative standard more appropriate for your environment. Provide a brief description of the system, identify the standard that you used, and describe why it is appropriate for the system.

2. Conduct a risk assessment of the system against that standard to the best of your ability. If you are not familiar with the detailed workings of the system, you may make assumptions to facilitate your risk assessment. Create a list of the gaps that exist between the system and the standard you used.

3. Develop a prioritized list of risk mitigation activities which, if followed, would address the issues raised in your gap analysis from step 2.
