© ITT Educational Services, Inc. All rights reserved.
IS3230 Access Security
Unit 4
Developing Access Control Policy Framework

Class Agenda 10/8/15
• Learning objectives
• Lesson presentation and discussions
• Discussion of class project
• Lab activities will be performed in class
• Assignments will be given in class
• Break times: a 10-minute break every hour
• Note: Submit all assignments and labs due today.

Learning Objective and Key Concepts
Learning objective:
• Develop an access control policy framework consisting of best practices for policies, standards, procedures, and guidelines to mitigate unauthorized access.
Key concepts:
• Regulatory laws concerning unauthorized access
• Security breaches
• Organization-wide authorization and access policy
• Access control and data classification policies

Regulatory Laws Concerning Unauthorized Access
Regulators have created a large and growing set of regulations and frameworks aimed at enforcing protection of information, privacy, and transparency of information. For example: HIPAA for healthcare, GLBA for financial services, and Sarbanes-Oxley for public companies.

Motivation
• Congress passed the Sarbanes-Oxley Act of 2002 (SOX) to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
• All of these systems employ relational databases, and these projects include database security and auditing implementations.

Gramm-Leach-Bliley Act (GLBA)
• Also called the Financial Services Modernization Act or the Citigroup Relief Act.
• Defines various requirements designed to protect the privacy of financial institution customers.
• Ensure the security and privacy of customer information
• Protect against threats to the security and integrity of customer information
• Protect against unauthorized access and/or usage of this information that could result in harm or inconvenience to the customer

Sarbanes-Oxley Act of 2002 (SOX or SarBox)
• SOX addresses many areas that affect the accuracy and transparency of financial reporting.
• Enforces accountability for financial record keeping and reporting at publicly traded corporations.
• IT people focus on Section 404, which requires management to report on the effectiveness of the company’s internal control over financial reporting.
• It requires management’s development and monitoring of procedures and controls for making assertions about the adequacy of internal controls over financial reporting.
• This is management’s responsibility and cannot be delegated or abdicated; management must document and evaluate the design and operation of its internal control.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Objectives:
• Guarantee health insurance coverage of employees
• Reduce health care fraud and abuse
• Protect the health information of individuals against access without consent or authorization

Access Control Policy Framework
• Identifies the importance of protecting assets and leading practices to achieve protection
• Beneficial for documenting management understanding of and commitment to asset protection

Policy Mapping
[Diagram; recovered labels only: a hierarchy running from Laws, Regulations, Requirements, Organizational Goals, and Objectives, to General Organizational Policies, to Functional Policies, to Procedures, Standards, Guidelines, and Baselines]

Policies
• Policies are statements of management intentions and goals
• Senior management support and approval is vital to success
• General, high-level objectives
• Examples: acceptable use, internet access, logging, information security, etc.

Procedures
• Procedures are detailed steps to perform a specific task
• Usually required by policy
• Examples: decommissioning resources, adding user accounts, deleting user accounts, change management, etc.

Standards
• Standards specify the use of specific technologies in a uniform manner
• Require uniformity throughout the organization
• Examples: operating systems, applications, server tools, router configurations, etc.

Guidelines
• Guidelines are recommended methods for performing a task
• Recommended, but not required
• Examples: malware cleanup, spyware removal, data conversion, sanitization, etc.

Baselines
• Baselines are similar to standards but account for differences in technologies and versions from different vendors
• Operating system security baselines: FreeBSD 6.2, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc.

Access Control Policies
• Explicitly state responsibilities and accountabilities for achieving the framework principles
• Establish and embed management’s commitment
• Authorize the expenditure of resources
• Inform those who need to know
• Provide later documents for consultation to verify achievement of objectives

Access Control Procedures and Guidelines
Procedures:
• Tell how to do something
• Step-by-step means to accomplish a task
• Become “knowledge” transfer
Guidelines:
• Are generally accepted practices
• Not mandatory
• Allow flexible implementation
• May achieve the objective through alternate means

Password Management Controls
• Log accesses and monitor activities
• Validation programs
• Enforce password changes at reasonable intervals
• Expiry policy to lock accounts after a period of nonuse
• Audit logs to review for successful and failed attempts
• Password policy
• Privacy policy
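The controls on these two slides, worked as an added example that is not part of the course material: a small Python check that reads constructed audit-log records and flags accounts whose password is past the change interval, that should be locked for nonuse, or whose failed attempts warrant audit-log review. The log format, the thresholds, and the account names are assumptions for the example.

```python
# Added example, not from the course slides: checks constructed audit-log records
# against the slides' password controls (attempt review, change interval, nonuse lock).
from collections import defaultdict
from datetime import date, datetime

MAX_PASSWORD_AGE_DAYS = 90         # assumed "reasonable interval" for changes
NONUSE_LOCK_DAYS = 45              # assumed nonuse period before locking
FAILED_ATTEMPT_REVIEW_THRESHOLD = 5  # assumed trigger for audit-log review
# Constructed sample audit log, one "timestamp user event" record per line
AUDIT_LOG = """\
2015-09-01T08:02:11 alice LOGIN_OK
2015-09-02T09:15:40 bob LOGIN_FAIL
2015-09-02T09:16:02 bob LOGIN_FAIL
2015-09-02T09:16:30 bob LOGIN_FAIL
2015-09-02T09:17:01 bob LOGIN_FAIL
2015-09-02T09:17:22 bob LOGIN_FAIL
2015-10-07T17:45:09 alice LOGIN_OK
2015-07-20T11:00:00 carol LOGIN_OK
"""

# Constructed record of each account's last password change
LAST_PASSWORD_CHANGE = {"alice": date(2015, 9, 20), "bob": date(2015, 5, 1),
                        "carol": date(2015, 7, 1)}

def parse_log(text):
    """Return (last successful login per user, failed-attempt count per user)."""
    last_ok, failures = {}, defaultdict(int)
    for line in text.splitlines():
        ts, user, event = line.split()
        when = datetime.fromisoformat(ts).date()
        if event == "LOGIN_OK":
            last_ok[user] = max(when, last_ok.get(user, when))
        elif event == "LOGIN_FAIL":
            failures[user] += 1
    return last_ok, failures

def evaluate(today_iso, log_text=AUDIT_LOG, pw_changes=LAST_PASSWORD_CHANGE):
    """Map each user to the control findings raised for them as of today_iso."""
    today = date.fromisoformat(today_iso)
    last_ok, failures = parse_log(log_text)
    findings = defaultdict(list)
    for user, changed in pw_changes.items():
        if (today - changed).days > MAX_PASSWORD_AGE_DAYS:
            findings[user].append("PASSWORD_EXPIRED")
        last = last_ok.get(user)   # an account that never logged in counts as nonuse
        if last is None or (today - last).days > NONUSE_LOCK_DAYS:
            findings[user].append("LOCK_NONUSE")
        if failures[user] >= FAILED_ATTEMPT_REVIEW_THRESHOLD:
            findings[user].append("REVIEW_FAILED_ATTEMPTS")
    return dict(findings)
```

Running evaluate("2015-10-08") on the constructed log reports bob for all three findings and carol for an expired password and nonuse lock, while alice, who logged in the day before and changed her password recently, raises nothing.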

Password Control Issues
Users:
• Choose easy-to-guess passwords
• Share passwords
• Often forget passwords
Passwords are vulnerable to hacker attacks.
Discussion on Security Breaches

Access Control Failures
• People: insiders and outsiders
• Technology

Access Control Principles
• Minimal privilege or exposure
• Regular monitoring of access privileges
• Need-to-know basis for allowing access
• Physical, logical, and integrated access controls
• Monitor logs and correlate events across systems

Layered Security and Defense-in-Depth Mechanisms
[Diagram; recovered labels only: Layered Security, Defense-in-Depth Security, Need to Know, Physical, RBAC, MAC, Least Privilege, Firewalls, Intrusion Prevention System (IPS)/Intrusion Detection System (IDS), Operating System (OS)]

Prevalent Insider Threats
Type of Threat                                  Organizations Reporting Issue
Misuse of Portable Storage                      57%
Software Downloading                            56%
Peer to Peer (P2P) File Sharing                 54%
Remote Access Programs                          53%
Rogue Wireless Fidelity (Wi-Fi) Access Points   48%
Rogue Modems                                    47%
Media Downloading                               40%
Personal Digital Assistants (PDAs)              40%
Unauthorized Blogging                           25%
Personal Instant Message (IM) Accounts          24%
Source: Edward Cone, 2009-03-25. The survey included 100 IT security professionals and executives.

How Much Access Will the User Need?
• What functions do the users perform?
• Are any of the functions incompatible?
• Do some of the functions cause conflicts of duties?
• How will conflicting duties or functions be evaluated and reviewed?
• How will separation of duties be reviewed and approved?
• What internal controls (administrative, technical, and operational) are in place?
• Who will review the controls and how often?
• Will information be shared internally, externally, or both?
• Is approval required before sharing data externally?
• Is a data classification policy in place?

Third Party Considerations
• Contract, strategic partner, and legal requirements
• Authentication methods, data classification, and data storage and recovery
• Means of sharing data
• Monitor access and violations
• Service level agreements

Security Awareness Training Facts
Information technology (IT) security surveys conducted by well-known accounting firms found the following:
• Many organizations have some awareness training.
• Most awareness programs omitted important elements.
• Less than 25% of organizations had no way to track awareness program effectiveness.
Source: http://www.lumension.com/Resources/Resource-Center/Protect-Vital-Information-Minimize-Insider-Risks.aspx

Class Project
• Research and write a 3-page access security policy for an organization.
• Use the appropriate research writing style recommended by the School.
• Submit your research outline in the next class.

Lab Activities
• Lab # 4: Identify and Classify Data for Access Control Equipment.
• Complete the lab activities and submit the answers in the next class.

Unit 4 Assignments
• Complete the Chapter 4 Assessment, pages 95 and 96, questions 1 to 12. Print and submit in the next class.
• Reading assignment: read Chapter 5 before the next class.