Conducting a Risk Assessment of an Access Control System (3e)
Access Control and Identity Management, Third Edition - Lab 02
Introduction
No access control system is perfect. The reality of operating any complex technical system is that it
will always have deficiencies that could put the organization at risk. In the grander scheme of things, those
risks are just a few of the many risks that the organization balances on a daily basis. Risk
assessments provide a mechanism for organizations to identify and evaluate risks they face and
develop a prioritized list of actions they may take to reduce those risks to an acceptable level.
Cybersecurity professionals often find themselves responsible for conducting risk assessments using
industry standards. These standards may come as sets of best practices from industry organizations
or, commonly, as regulatory requirements imposed by governments or self-regulatory bodies. Security
professionals conducting assessments against these standards will normally review the standard and
compare it with the security controls currently in place. This produces a gap analysis that identifies
areas in which the organization deviates from the requirement. Security professionals then develop a
prioritized set of remediation activities that mitigate those risks to an acceptable level. It is very
important to prioritize that list, as there are often far too many risks to address all of them and the
organization should spend its limited resources addressing those that pose the most significant risk.
When encountering risks, organizations have four different options for handling the risk:
Risk mitigation includes activities designed to reduce the likelihood or impact of a risk.
Risk avoidance changes business practices to render a risk irrelevant.
Risk transference moves the impact of the risk to another organization, for example through insurance or a contract.
Risk acceptance is a decision to continue operations as normal despite the risk.
In this lab, you will learn about the risk assessment process for access control systems. After
reviewing the requirements of two regulatory standards covering access control systems, you will
review a scenario and conduct a risk assessment of the access control system in that scenario. You
will then design a set of remediation activities that would address those risks.
Lab Overview
This lab has two parts, which should be completed in the order specified.
1. In the first part of the lab, you will explore two different risk-assessment models that may be
applied to access control systems.
2. In the second part of the lab, you will apply one of those models to conduct a compliance risk
assessment of an access control system. You will then identify actions that you can take to
remediate any deficiencies identified during your risk assessment.
Finally, if assigned by your instructor, you will complete a series of challenge exercises that allow you to use the skills you learned in the lab to conduct independent, unguided work, similar to what you will encounter in a real-world situation.
Learning Objectives
Upon completing this lab, you will be able to:
1. Explain the risk assessment process.
2. Describe the differences between the levels of specification in the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
3. Given a scenario, identify risks in an access control system.
4. Given a scenario, design remediation activities to mitigate risks.
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
Comparison of the PCI DSS and HIPAA access control requirements
Listing of five control gaps
Listing of five remediation strategies
Challenge Exercise (if assigned)
Guided Exercises
Note: In this section of the lab, you will follow a step-by-step walk-through of the objectives for this lab to produce the expected deliverable(s).
1. Review the Common Lab Tasks for Theory Labs document (https://jbl-lti.hatsize.com/uploads/Common-Lab-Tasks-for-Theory-Labs.pdf).
Frequently performed tasks, such as recording your answers and downloading your Lab Report, are explained in the Common Lab Tasks for Theory Labs document. You should review these tasks before starting the lab.
2. Proceed with Part 1.
Part 1: Research Risk Assessment Standards
Note: In this part of the lab, you will review the access control requirements created by two different regulatory standards. The Payment Card Industry Data Security Standard (PCI DSS) is a self-regulatory standard imposed on all businesses that store, process, or transmit payment card data. It contains over 10 pages of detailed requirements for access control systems. The HIPAA Security Rule is a higher-level standard that provides implementation guidance for securing systems that process electronic protected health information.
1. In your browser, navigate to https://www.pcisecuritystandards.org/ and retrieve a copy of the current version of the Payment Card Industry Data Security Standard (PCI DSS) from the website's document library.
PCI DSS is a regulatory framework for organizations involved in the storage, processing, and transmission of credit card information. The standard is quite lengthy and covers many aspects of cybersecurity. The 12 major requirements in this standard are often described as the "Digital Dozen" of credit card security.
2. Review the "Implement Strong Access Control Measures" section of the PCI DSS document. This section includes three requirements, each of which has several pages of detail:
Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
These are the requirement titles as worded in PCI DSS v3.2.1. If the document library gives you PCI DSS v4.x, Requirements 7, 8, and 9 keep the same numbers and scope, but their titles and several of the parameters within them (such as minimum password length and lockout thresholds) changed, so record which version you are assessing against; it affects the gaps you will find in Part 2.
3. In your browser, navigate to https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf and review Section 164.312 of the HIPAA Security Rule on pages 66-67.
This section provides the technical safeguards required for operating a HIPAA-compliant system, including the standards for access control.
4. Compare the requirements for access control systems in the PCI DSS to those in the HIPAA Security Rule. Describe the level of detail found in each standard and how each standard might be easier and more challenging to meet compared with the other.
Part 2: Conduct a Risk Assessment
Note: In this part of the lab, you will review an access control system against the access control requirements of PCI DSS. Your task is to identify any gaps that might exist between the existing system and the requirements in the standard.
You are the security administrator for Ricky's Fried Chicken, a franchised fried chicken restaurant. The restaurant accepts credit cards and, as such, is subject to the provisions of PCI DSS. You are conducting a risk assessment of the point-of-sale (POS) system used by the chain against the access control provisions of PCI DSS.
The POS uses the architecture shown below:
POS Architecture
The links between the data center and the stores are all over strongly encrypted VPN connections. Currently, each cashier has the ability to log on to the POS system at any store. Managers have the ability to log on to the POS systems, as well as the back-end servers. Cashiers use generic "cashier1," "cashier2," and "cashier3" accounts while managers each have personal accounts.
All users log on using a strong password. The organization has the following password requirements:
Passwords must be at least eight characters long and must be changed every 180 days.
Users are locked out for one hour after 10 unsuccessful login attempts.
Users are logged out after 10 minutes of inactivity.
The organization has written cardholder security policies and managers and IT staff review them on an annual basis, signing logs to document their review. IT staff conduct a semiannual review to remove the accounts of any managers who have left the organization.
1. Conduct a risk analysis of this environment using the version of PCI DSS that you downloaded in Part 1 of this lab. Document at least five control gaps that exist in the environment. You may make assumptions about information not provided in this scenario, if necessary.
2. Identify controls that will mitigate each of the five deficiencies you identified in the previous step. Create a prioritized list of these actions.
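To make the gap-analysis step concrete, the following is an added example (not part of the original lab handout and not a PCI SSC tool) that encodes the parametric parts of PCI DSS v3.2.1 Requirements 7 and 8 as checks, runs the scenario's settings through them, and orders the resulting gaps by an impact-times-likelihood rating. The requirement numbers and thresholds are those of PCI DSS v3.2.1; the scenario values are taken from the scenario text above; the impact and likelihood ratings, the remediation text, and the assumption that managers log on to the back-end servers without MFA (the scenario is silent on this) are this example's own.

```python
"""Gap analysis of the Part 2 scenario against the parametric access-control
requirements in PCI DSS v3.2.1 Requirements 7 and 8.

Added example for this lab (not from the original handout, not a PCI SSC tool).
Requirement numbers and thresholds: PCI DSS v3.2.1.  Scenario values: the
scenario text.  Impact/likelihood ratings, remediations and the assumption that
managers have no MFA are this example's own.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Requirement:
    ref: str                       # PCI DSS v3.2.1 requirement number
    text: str                      # short paraphrase of the requirement
    check: Callable[[dict], bool]  # True when the environment satisfies it
    remediation: str               # control that closes the gap (assumed)
    impact: int                    # 1 (low) .. 5 (high), assumed for illustration
    likelihood: int                # 1 (low) .. 5 (high), assumed for illustration


# Environment exactly as described in the scenario; admin_mfa is an assumption
# (the scenario says nothing about MFA, and the lab permits assumptions).
SCENARIO = {
    "unique_user_ids": False,           # shared cashier1/cashier2/cashier3
    "store_access_scoped": False,       # any cashier can log on at any store
    "min_password_length": 8,
    "password_max_age_days": 180,
    "lockout_attempts": 10,
    "lockout_minutes": 60,
    "idle_timeout_minutes": 10,
    "terminated_access_revoked_within_days": 182,  # semiannual review
    "admin_mfa": False,
}

REQUIREMENTS = [
    Requirement("7.1", "Limit access to system components and cardholder data to job need",
                lambda e: e["store_access_scoped"],
                "Scope cashier logons to the cashier's home store", 4, 3),
    Requirement("8.1.1", "Assign all users a unique ID before allowing access",
                lambda e: e["unique_user_ids"],
                "Replace generic cashier accounts with per-person IDs", 5, 4),
    Requirement("8.1.3", "Immediately revoke access for terminated users",
                lambda e: e["terminated_access_revoked_within_days"] <= 1,
                "Tie account removal to the HR termination process", 4, 3),
    Requirement("8.1.6", "Lock out the user ID after not more than six attempts",
                lambda e: e["lockout_attempts"] <= 6,
                "Lower the lockout threshold to six attempts", 3, 3),
    Requirement("8.1.7", "Lockout lasts at least 30 minutes or until an admin resets",
                lambda e: e["lockout_minutes"] >= 30,
                "Raise lockout duration to 30 minutes", 2, 2),
    Requirement("8.1.8", "Re-authenticate after more than 15 minutes idle",
                lambda e: e["idle_timeout_minutes"] <= 15,
                "Lower idle timeout to 15 minutes", 2, 2),
    Requirement("8.2.3", "Passwords are at least seven characters",
                lambda e: e["min_password_length"] >= 7,
                "Raise minimum password length to seven", 3, 3),
    Requirement("8.2.4", "Change passwords at least every 90 days",
                lambda e: e["password_max_age_days"] <= 90,
                "Shorten password maximum age to 90 days", 3, 3),
    Requirement("8.3", "MFA for all non-console administrative access into the CDE",
                lambda e: e["admin_mfa"],
                "Require MFA for manager logons to back-end servers", 5, 3),
]


def risk_score(req: Requirement) -> int:
    """Qualitative rating used only to order the remediation list."""
    return req.impact * req.likelihood


def find_gaps(env: dict, requirements=REQUIREMENTS) -> list:
    """Requirements the environment fails, highest risk first (ties by ref)."""
    gaps = [r for r in requirements if not r.check(env)]
    return sorted(gaps, key=lambda r: (-risk_score(r), r.ref))


def remediation_plan(env: dict) -> list:
    """Prioritized (ref, remediation) pairs for the deliverable in step 2."""
    return [(r.ref, r.remediation) for r in find_gaps(env)]


# The scenario after applying every remediation above; should yield no gaps.
REMEDIATED = {
    **SCENARIO,
    "unique_user_ids": True,
    "store_access_scoped": True,
    "password_max_age_days": 90,
    "lockout_attempts": 6,
    "terminated_access_revoked_within_days": 0,
    "admin_mfa": True,
}

if __name__ == "__main__":
    for rank, r in enumerate(find_gaps(SCENARIO), start=1):
        print(f"{rank}. [risk {risk_score(r):>2}] Req {r.ref}: {r.text}")
        print(f"     remediation: {r.remediation}")
```

Two caveats when using this as a starting point. First, it only covers settings that can be expressed as a number or a yes/no; the physical-access controls of Requirement 9 and the policy and awareness controls the scenario describes (annual policy review by managers and IT staff only) still have to be assessed by reading the standard. Second, the thresholds are version-specific: under PCI DSS v4.0 the lockout threshold is ten attempts (Requirement 8.3.4), so the 8.1.6 gap above disappears, while the minimum password length rises to 12 characters (Requirement 8.3.6, or 8 where the system cannot support 12), which turns the scenario's eight-character passwords into a gap. This is why Part 1 asks you to record which version you downloaded.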
Challenge Exercise
Note: The following exercise is provided to allow independent, unguided work, similar to what you will encounter in a real situation.
For this part of the lab, you should consider a technology system that you are familiar with from either your employment, academic institution, and/or personal life. Answer the following questions for the system:
1. What risk assessment standard would be the best approach for evaluating this system? Depending on the system, you may use one of the standards already discussed in this lab or identify an alternative standard more appropriate for your environment. Provide a brief description of the system, identify the standard that you used and describe why it is appropriate for the system.
2. Conduct a risk assessment of the system against that standard to the best of your ability. If you are not familiar with the detailed workings of the system, you may make assumptions to facilitate your risk assessment. Create a list of the gaps that exist between the system and the standard you used.
3. Develop a prioritized list of risk mitigation activities which, if followed, would address the issues raised in your gap analysis from step 2.