Practical_assignment-531
Access Control, Authentication, and Public Key Infrastructure
Lesson 2
Business Drivers for Access Controls
Access Control Policies, Standards, Procedures, and Guidelines
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Data or Information Assets
An intangible asset with no form or substance:
Paper records
Electronic media
Intellectual property stored in people's heads
Importance of Policy and Senior Management Role
Organizations value intellectual property
Must control access to information to ensure survival
Protecting confidential information involves:
Technical controls
Clear policies and sound business processes that implement those policies
Access control policies are effective only with support of senior executives
Classification Schemes
Classification scheme is a method of organizing sensitive information into access levels
Only a person with the approved level of access is allowed to view information
This access is called clearance
Every organization has its own method of determining clearance levels
Classification Schemes (Cont.)
National security classification levels:
Unclassified
Confidential
Secret
Top Secret
Corporate classification levels:
Public
Internal
Sensitive
Highly sensitive
Need to Know and Least Privilege
Need to know
Requester should not receive access just because of his or her clearance, position, or rank
Requester must establish a valid need to see the information
Access should be granted only if the information is vital for the requester’s official duties
Least privilege
A computer user or program should have only the access needed to carry out its job
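Added example (not from the lecture): a small reference-monitor check that applies the three ideas above together, using the lecture's corporate classification levels. The compartment names, document names and subject names are constructed sample data; "compartment" here stands for the need-to-know categories an organization defines, and the operation rights model least privilege.

```python
from dataclasses import dataclass

# Ordered from least to most sensitive: the lecture's corporate classification scheme.
LEVELS = ("Public", "Internal", "Sensitive", "Highly sensitive")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Document:
    name: str
    level: str                              # classification level of the record
    compartments: frozenset = frozenset()   # need-to-know categories it is tagged with


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                          # highest level the person is cleared for
    need_to_know: frozenset = frozenset()   # compartments the person is briefed into
    rights: frozenset = frozenset()         # operations granted (least privilege)


def authorize(subject: Subject, doc: Document, operation: str) -> tuple[bool, str]:
    """Return (allowed, reason). All three checks must pass; the first failure explains the denial."""
    if doc.level not in RANK or subject.clearance not in RANK:
        return False, "unknown classification level"
    # 1. Clearance: the subject's level must be at least the document's level (no read-up).
    if RANK[subject.clearance] < RANK[doc.level]:
        return False, f"clearance {subject.clearance} is below {doc.level}"
    # 2. Need to know: clearance alone is not enough; every compartment must be held.
    missing = doc.compartments - subject.need_to_know
    if missing:
        return False, "no need to know for " + ", ".join(sorted(missing))
    # 3. Least privilege: only explicitly granted operations are allowed.
    if operation not in subject.rights:
        return False, f"operation '{operation}' not granted"
    return True, "allowed"


def demo() -> dict:
    """Constructed sample subjects and documents; returns each decision keyed by case name."""
    merger = Document("merger-plan.docx", "Highly sensitive", frozenset({"M&A"}))
    payroll = Document("payroll.xlsx", "Sensitive", frozenset({"HR"}))
    cfo = Subject("cfo", "Highly sensitive", frozenset({"M&A", "HR"}), frozenset({"read"}))
    hr_clerk = Subject("hr-clerk", "Sensitive", frozenset({"HR"}), frozenset({"read", "write"}))
    exec_asst = Subject("exec-asst", "Highly sensitive", frozenset(), frozenset({"read"}))
    return {
        "cfo_reads_merger": authorize(cfo, merger, "read"),        # all checks pass
        "clerk_reads_merger": authorize(hr_clerk, merger, "read"), # clearance too low
        "asst_reads_merger": authorize(exec_asst, merger, "read"), # cleared, but no need to know
        "cfo_writes_payroll": authorize(cfo, payroll, "write"),    # write never granted
        "clerk_writes_payroll": authorize(hr_clerk, payroll, "write"),
    }
```

The third case is the one the slide warns about: a subject cleared for the highest level is still denied because clearance by itself establishes no need to know.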
Declassification
Automatic
Systematic
Mandatory declassification review
Freedom of Information Act request
Business Drivers for Access Control
Cost-benefit analysis
Risk assessment
Business facilitation
Cost containment
Operational efficiency
IT risk management
The Life Cycle of an Order
09/23/10
(c) ITT Educational Services, Inc.
Defense:
Risk: Insecure Direct Object Reference
Use an automated tool for real-time attack detection.
Monitor parameter manipulation (hidden and static parameters).
Establish a baseline configuration.
Risk: Cross-Site Request Forgery
Use an automated tool for real-time attack detection.
Alert on and respond to parameter manipulation.
Use known attack signatures.
Establish a baseline and monitor resource changes.
Risk: Security Misconfiguration
Use an automated tool for real-time attack detection.
Inspect outbound responses.
Investigate application failures.
Controlling Access and Protecting Value
Importance of internal access controls
Importance of external access controls
Implementation of access controls with respect to contractors, vendors, and third parties
Physical Security of Sensitive Information
Refers to security of records and information not in electronic systems and applications
Access is regularly linked to functional responsibilities and not to position or grade
Security or background investigation required
Can/should this information be shared?
Secure storage and limited access
Data Destruction
Use the appropriate secure destruction method for the media and format.
Do not put in trash bins.
Data awaiting destruction should be placed in lockable containers.
Strictly confidential and confidential data are destroyed in accordance with specific guidelines.
Data are destroyed in accordance with the administrative or operations retention schedule.
Data Destruction (Continued)
Shredder/Degausser
Light office shredder/disintegrator
Electronic media
Portable devices
U.S. Compliance Laws for Organizations
Compliance ensures that organizations implement more secure business practices
Secure business practices:
Help organizations avoid costs associated with security lapses
Can enhance customer confidence
Adhering to requirements is usually costly and time-consuming
Gramm-Leach Bliley Act (GLBA)
The Financial Modernization Act of 1999
Protects personal financial information held by financial institutions
Pronounced “glibba”
GLBA Rules to Protect Consumer Financial Information
Privacy Rule
Safeguards Rule
Pretexting Rule
The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter.
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information.
The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes.
Pretexting (social engineering)
GLBA and Access Control
Organization should define who can access data and for how long
Access to sensitive data must be logged
Data security encompasses:
Storage
Policies
Procedures
Equipment that holds sensitive data
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Protects the privacy and security of certain health information
Office for Civil Rights (OCR) enforces the privacy and security rules
Financial penalties for non-compliance
HIPAA Rules
Privacy Rule
Transactions and Code Sets Rule
Unique Identifier Standards Rule
Security Rule
Enforcement Rule
HIPAA Privacy Rule vs. HIPAA Security Rule
| HIPAA Privacy Rule | HIPAA Security Rule |
| --- | --- |
| Privacy of individually identifiable health information | Security standards for the protection of electronic protected health information |
| National standards for the protection of certain health information | Protects certain health information that is held or transferred in electronic form |
Sarbanes-Oxley (SOX)
Protect investors by requiring accuracy and reliability in corporate disclosures
Created new standards for corporate accountability
Created new penalties for acts of wrongdoing, both civil and criminal
Changes how corporate boards and executives must exchange information and work with corporate auditors
Sarbanes-Oxley (SOX) (Continued)
Specifies new financial reporting requirements
Requires all financial reports to include an internal control report
Auditing firms are also required to attest to the accuracy of the assessment
Critical Sections of Sarbanes-Oxley Act
Sec. 201: Services outside the scope of auditor practice
Sec. 302: Corporate responsibility for financial reports
Sec. 404: Assessment of internal controls
Sec. 409: Real-time issuer disclosures
Critical Sections of Sarbanes-Oxley Act (Continued)
Sec. 802: Criminal penalties for altering documents
Sec. 806: Protection of employees exposing fraud
Sec. 807: Criminal penalties for defrauding shareholders
Family Educational Rights and Privacy Act (FERPA)
Right to inspect and review student education records
Right to request that a school correct inaccurate or misleading records
Schools are required to secure written permission from the parent or eligible student to release information from a student education record
3/5/17
(c) Jones and Bartlett Learning
Items Exempt from FERPA
Private notes made by faculty or staff for the purpose of assisting memory
Law enforcement records
Medical records
Statistical data that does not contain personally identifiable information
Pre-graded materials before the final grade is determined by the faculty
Directory Information
Name
Address
Telephone number
Dates of attendance
Degree earned
Enrollment status
E-mail address
Field of study
Student and parents must be informed and raise no objections
Communications Assistance for Law Enforcement Act (CALEA)
Requires telecommunications carriers and equipment makers used by telecommunications industry to facilitate electronic surveillance activities of law enforcement agencies
Firms subject to CALEA must cooperate with legitimate law enforcement requests
Children’s Internet Protection Act (CIPA) Requirements
Schools and libraries must
Use technology protection measures
Protect children from exposure to offensive Internet content
Adopt and enforce a policy to monitor the online activities of minors
Minors are those 17 years of age or less
Title 21 CFR Part 11 of the Code of Federal Regulations
Calls for all FDA-regulated organizations to implement:
System access limited to authorized individuals
The use of operational system checks
The use of authority checks
The use of device checks
Title 21 CFR Part 11 of the Code of Federal Regulations (Cont.)
Calls for all FDA-regulated organizations to implement:
Appropriate education and task training for anyone who develops, maintains, or uses electronic systems
Appropriate controls for documentation in place
Controls for both open systems and closed system requirements related to electronic signatures
North American Electric Reliability Council (NERC)
Handles regulation of energy and utility companies
Ensures that North American energy network is secure, adequate, and reliable
Requires physical protective measures for critical infrastructures
North American Electric Reliability Council (NERC) (Cont.)
Electronic security guidelines include procedures meant to provide protective measures for assets
Must do background checks for employees and contractors
Must provide training for anyone with access to energy or utility infrastructure
Homeland Security Presidential Directive 12 (HSPD 12)
Initiated to enforce the standardization of security identification credentials for government employees and contractors
Part 1 covers common identification, security, and privacy requirements
Part 2 deals with the uniformity and portability of identification
Access Control Security Policy Best Practices: Private Sector
Define an authorization policy
Implement access controls for:
Facilities
Systems
Applications
Data
Remote access
Access Control Security Policy Best Practices: Public Sector
Conduct periodic risk assessments
Implement policies and procedures based on most recent risk assessment
Create plans for the security of networks, systems, and other resources
Conduct employee and contractor training
Test periodically to ensure that policies and procedures designed to lower risk are working correctly
Access Control Security Policy Best Practices: Public Sector (Cont.)
Create processes to address shortcomings in security policies, procedures, and practices
Implement processes for detecting, reporting, and responding to security incidents
Incorporate continuity plans for the organization
Critical Infrastructure
Supervisory control and data acquisition (SCADA) process control systems
SCADA systems monitor and control telecommunications, water and waste control, energy, and transportation, among other industries and utilities
SCADA systems are a point of risk for the utilities that use them
Access Control Policy Framework
Identifies the importance of protecting assets and leading practices to achieve protection
Beneficial for documenting management understanding and commitment to asset protection
Access Control Policies
Explicitly state responsibilities and accountabilities for achieving the framework principles
Establish and embed management’s commitment
Authorize the expenditure of resources
Inform those who need to know
Provide later documents for consultation to verify achievement of objectives
Access Control Standards
A collection of requirements that must be met by anyone who performs a given task or works on a specific system
Access Control Procedures
Tell how to do something
Step-by-step means to accomplish a task
Become “knowledge” transfer
Access Control Guidelines
Are generally accepted practices
Not mandatory
Allow implementation
May achieve objective through alternate means
Flexibility
Policies for Access Controls
Acceptable use policy (AUP)
Password policy
Account management policy
Remote access policy
Standards to Support Policies
User account standard
Identification standard
Remote access standard
Application development standard
Week 2 Homework Assignment
Read chapters 3 and 4 in textbook
Complete Labs 3 and 4
Complete Quizzes 3 and 4