Practical_assignment-531

profileColin Horn
Week4Slides2.pptx
Home>Information Systems homework help>Practical_assignment-531

Access Control, Authentication, and Public Key Infrastructure

Lesson 4

Human Nature and Organizational Behavior

Access Control for Information Systems

© ITT Educational Services, Inc. All rights reserved.

Page ‹#›

IS404 Access Control, Authentication and PKI (PKI)

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

1

1

Dealing with Human Nature

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

2

The unintentional threat

Hackers and motivation

Social engineering

Pre-Employment Checks

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

3

What Information Can Be Considered

What Information Cannot be Considered

Applicant’s Rights

Consequences of a Bad Hiring Decision

Ongoing Observation of Personnel

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

4

Identify Potentially Disgruntled Employees

Proper Ways to Revoke Access upon Employee Termination

Organizational Structure and Access Control Strategy

Access control model based on organizational structure is designed to prevent social engineering attacks

Employees are given access based on tasks they must complete as part of their job

Access rules are based on balance of confidentiality and necessity

Organizational structure model is similar to the role-based access control (RBAC) model

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

5

Job Rotation and Position Sensitivity

Job rotation minimizes effects of dishonesty

Often used for sensitive positions, especially those that are directly responsible for crucial information and assets

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

6

Requirement for Periodic Vacation

Periodic vacations act as a security measure

Requiring person to take time off from work provides time for evidence of dishonesty to surface

Can also reduce the success of social engineers

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

7

Separation of Duties

Ensures that a single person does not handle all crucial decisions and activities, especially those involving a high level of trust

Goal is to avoid the temptation to commit fraud or other illegal activities

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

8

Two-person control

Collusion

Monitoring and oversight

Responsibilities of Access Owners

Disclosing to users any relevant legal, regulatory, or ethical issues surrounding the use or disclosure of the information

Implementing a data classification system and rating the data according to its sensitivity, confidentiality, inherent value, and other factors

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

9

Responsibilities of Access Owners (Cont.)

Maintaining a list of authorized users

Implementing procedures to safeguard information from unauthorized use, disclosure, alteration, or accidental or intentional destruction

Developing a policy governing data retention and disposition

• Providing users with adequate training in the use and protection of the information

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

10

Training Employees

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

11

Be ongoing

Include multiple formats

Be interactive

Include multiple points of contact

Security Awareness Training Facts

Information technology (IT) security surveys conducted by well-known accounting firms found the following:

Many organizations have some awareness training.

Most awareness programs omitted important elements.

Less than 25% of organizations had no way to track awareness program effectiveness.

Source: http://www.lumension.com/Resources/Resource-Center/Protect-Vital-Information-Minimize-Insider-Risks.aspx

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

12

Ethics

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

13

What is right and what is wrong

Enforcing policies

Human resources involvement

Defining appropriate policies and procedures governing employee behavior

Educating employees about the policies and procedures relevant to them

Discovering and addressing behavioral shortcomings

Encouraging create risk-taking

Best Practices for Managing Human Nature

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

14

User Domain Access Control Management

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

09/23/10

15

The Three States of Data

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Data at Rest (DAR)

Stored on some device

Archived records

Data in Motion (DIM)

Sending an e-mail

Retrieving a Web page

Data in Process

Creating a new document

Processing a payment

Use encryption to protect stored data:

Elements in databases

Files on network and shared drives

Files on portable or movable drives, Universal serial bus (USB), and flash drives

Files and shared drives accessible from the Internet

Personal computers (PCs), laptop hard drives, and full disk encryption

Protecting DAR

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

DIM

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Difficult to protect since it is being operated on by the central processing unit (CPU)

Protecting DIP

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Object: An item or a distinct group of information in a data storage system

Group information as an object, set controls at the object level

Allows you to manage groups of related data

Helps with DAR and DIM security

Object-Level Security

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

A security identifier (SID) that identifies what the ACE applies to—the specific user, group or system

An access mask that lists the specific rights granted or denied

Flags to indicate the type of ACE and whether child objects can inherit the rights from the object that the ACE is attached to

Access Control List Properties

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Access Control List Types

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

access-denied

access-allowed

system-audit

DACL and SACL

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Discretionary Access Control List (DACL)

Controls access to an object

System Access Control List (SACL)

Handles the information assurance aspect of access controls

Best Practices for Access Controls for Information Systems

Create a baseline for access

Segregate users’ rights by role

Automate user creation

Tie access controls to the environment

Have a clear standard for decommissioning data storage devices

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Week 4 Homework Assignments

Read Chapters 7 and 8

Complete Labs 7 and 8 and Quizzes

Midterm Exam

50 questions: multiple choice and true/false

60 minutes

ONE attempt

Due Sunday at 11:59 PM EST

Page ‹#›

Access Control, Authentication, and PKI

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.