Access Control

Read Chapter 3. What are the factors that influence the selection of access control software and/or hardware? Discuss all aspects of access control systems.


Access Control, Authentication, and Public Key Infrastructure

Chapter 3

Business Drivers for Access Controls

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Data or Information Assets

An intangible asset with no form or substance:

Paper records

Electronic media

Intellectual property stored in people’s heads


Importance of Policy and Senior Management Role
Organizations value intellectual property
Must control access to information to ensure survival
Protecting confidential information involves:
Technical controls
Clear policies and sound business processes that implement those policies
Access control policies are effective only with support of senior executives


Classification Schemes
Classification scheme is a method of organizing sensitive information into access levels
Only a person with the approved level of access is allowed to view information
This access is called clearance
Every organization has its own method of determining clearance levels


Classification Schemes (Cont.)

National Security Classification
Unclassified
Confidential
Secret
Top Secret

Corporations
Public
Internal
Sensitive
Highly sensitive


Sensitivity-Based Data Classification

In a hospital, for example, a data classification scheme would identify the sensitivity of every piece of data in the hospital, from the cafeteria menu to patient medical records.

Classified as Public
For use by defined category within job role


Need to Know and Least Privilege

Need to know
Requester should not receive access just because of his or her clearance, position, or rank
Requester must establish a valid need to see information
Access should be granted only if information is vital for requester’s official duties

Least privilege
A computer user or program should have only the access needed to carry out its job


Declassification


Automatic

Systematic

Mandatory declassification review

Freedom of Information Act request

Business Drivers for Access Control


Cost-benefit analysis

Risk assessment

Business facilitation

Cost containment

Operational efficiency

IT risk management

Electronic Records

United Nations Electronic Data Classification


The Life Cycle of an Order

09/23/10
(c) ITT Educational Services, Inc.
Defense:

Risk: Insecure Direct Object Reference
Use an automated tool for real-time attack detection.
Monitor parameter manipulation (hidden/static parameters).
Establish baseline configuration.

Risk: Cross-Site Request Forgery
Use an automated tool for real-time attack detection.
Alert/respond to parameter manipulation.
Use known attack signatures.
Establish baseline/monitor resource changes.

Risk: Security Misconfiguration
Use an automated tool for real-time attack detection.
Inspect outbound responses.
Investigate application failures.
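The three defensive measures above in working form, as an added example that is not part of the slides: an ownership baseline check for manipulated object ids, an Origin check for state-changing requests, and an outbound-response inspection for leaked error detail. The site origin, the order ids, the users and the request records are all constructed for the example.

```python
# Added example (not from the textbook): the three detection measures on the
# slide applied to constructed request records and responses.
SITE_ORIGIN = "https://shop.example"  # assumed origin of the protected app

# Constructed ownership baseline: which user legitimately owns which order id.
OWNERS = {"1001": "alice", "1002": "alice", "2001": "bob"}

# Constructed request records: (user, method, path, order_id, Origin header).
REQUESTS = [
    ("alice", "GET",  "/order",        "1001", SITE_ORIGIN),
    ("alice", "GET",  "/order",        "1002", SITE_ORIGIN),
    ("alice", "GET",  "/order",        "2001", SITE_ORIGIN),            # id she does not own
    ("bob",   "POST", "/order/cancel", "2001", "https://other.example"),  # foreign origin
    ("bob",   "POST", "/order/cancel", "2001", SITE_ORIGIN),
    ("bob",   "GET",  "/order",        "2001", None),
]

# Strings that should never reach a client; their presence in an error
# response points at a misconfiguration (debug mode, verbose errors).
LEAK_MARKERS = ("Traceback (most recent call last)", "SQLSTATE", "Stack trace:")


def check_idor(requests, owners):
    """IDOR: flag any request whose object id is not owned by the requester.
    Comparing the supplied parameter against the ownership baseline is what
    'monitor parameter manipulation' means in practice."""
    return [(user, oid) for user, _, _, oid, _ in requests
            if owners.get(oid) != user]


def check_csrf(requests, site_origin):
    """CSRF: flag state-changing requests whose Origin header is missing or
    does not match the site (the same check a server-side filter enforces)."""
    return [(user, path, origin) for user, method, path, _, origin in requests
            if method in ("POST", "PUT", "DELETE") and origin != site_origin]


def check_response_leak(status, body):
    """Security misconfiguration: inspect an outbound response and report a
    server error that carries a stack trace or database error text."""
    return status >= 500 and any(marker in body for marker in LEAK_MARKERS)


if __name__ == "__main__":
    print("IDOR alerts:", check_idor(REQUESTS, OWNERS))
    print("CSRF alerts:", check_csrf(REQUESTS, SITE_ORIGIN))
    print("Leaky 500:", check_response_leak(500, "Traceback (most recent call last):"))
```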

Controlling Access and Protecting Value
Importance of internal access controls
Importance of external access controls
Implementation of access controls with respect to contractors, vendors, and third parties


Physical Security of Sensitive Information

Refers to security of records and information not in electronic systems and applications
Access is regularly linked to functional responsibilities and not to position or grade
Security or background investigation required
Can/Should this information be shared?
Secure storage and limited access


Data Destruction
Use appropriate secure destruction method for the media and format.
Do not put in trash bins.
Data awaiting destruction should be placed in lockable containers.
Strictly confidential and confidential data is destroyed in accordance with specific guidelines.

Data destroyed in accordance with administrative or operations retention schedule

Data Destruction (Continued)


Shredder/Degausser
Light office shredder/disintegrator
Electronic media
Portable devices


Manage the Identity and Access Provisioning Life Cycle


Module Topic
Access Control and Identity Management Life Cycle


Access Control and Identity Management Life Cycle

Provisioning

Review

Revocation

Provisioning


Provisioning entails determining the organizational requirements for access to information and applying the appropriate access rights

Review


Access rights and usage must be monitored on a basis commensurate with risk

Reviewing access can take the form of automated checks, manual audits, and several other methods

Revocation


Through access review, revocation typically is invoked when a user has aggregated unnecessary access, or access is not commensurate with the role of the user
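The provisioning, review and revocation cycle from the slides above, as an added example that is not part of the original material: provisioning grants a role's baseline, review finds entitlements aggregated beyond the role and reviews that are overdue for the role's risk tier, and revocation strips what review flagged. The roles, entitlement names, review intervals, users and dates are all constructed for the example.

```python
# Added example (not from the textbook): the provisioning / review / revocation
# cycle over constructed role and user data. Names and intervals are assumed.
from datetime import date

# Constructed role baseline: the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "billing_clerk": {"orders:read", "invoices:write"},
    "warehouse":     {"orders:read", "inventory:write"},
}

# Review cadence commensurate with risk: roles that touch money are
# reviewed more often than roles that only move stock (assumed values).
REVIEW_INTERVAL_DAYS = {"billing_clerk": 90, "warehouse": 180}

# Constructed current state: user -> (role, granted entitlements, last review).
USERS = {
    "alice": ("billing_clerk", {"orders:read", "invoices:write"}, date(2024, 1, 10)),
    # bob moved from warehouse to billing and kept his old inventory right
    "bob":   ("billing_clerk", {"orders:read", "invoices:write", "inventory:write"},
              date(2023, 6, 1)),
    "carol": ("warehouse", {"orders:read", "inventory:write", "admin:all"},
              date(2024, 2, 2)),
}
TODAY = date(2024, 3, 1)  # constructed date on which the review runs


def provision(role, baseline=ROLE_BASELINE):
    """Provisioning: grant exactly the role's baseline, nothing more."""
    return set(baseline[role])


def review(users, today, baseline=ROLE_BASELINE, interval=REVIEW_INTERVAL_DAYS):
    """Review: return (revocation candidates, users whose review is overdue).
    A candidate is any entitlement outside the user's role baseline, i.e.
    access aggregated beyond what the role justifies."""
    candidates, overdue = {}, []
    for user, (role, granted, last_review) in users.items():
        excess = granted - baseline[role]
        if excess:
            candidates[user] = excess
        if (today - last_review).days > interval[role]:
            overdue.append(user)
    return candidates, overdue


def revoke(users, candidates):
    """Revocation: strip the flagged entitlements and return the new state."""
    return {user: (role, granted - candidates.get(user, set()), last)
            for user, (role, granted, last) in users.items()}


if __name__ == "__main__":
    found, late = review(USERS, TODAY)
    print("revoke:", found, "overdue:", late)
    print("bob after revocation:", revoke(USERS, found)["bob"][1])
```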

