Conducting a Risk Assessment of an Access Control System (3e)
Access Control and Identity Management, Third Edition - Lab 02
Introduction
No access control system is perfect. The reality of operating any complex technical system is that it will always have deficiencies that could pose a risk to the organization. In the grander scheme of things, those risks are just a few of the many risks that the organization balances on a daily basis. Risk assessments provide a mechanism for organizations to identify and evaluate the risks they face and develop a prioritized list of actions they may take to reduce those risks to an acceptable level.
Cybersecurity professionals often find themselves responsible for conducting risk assessments using industry standards. These standards may come as sets of best practices from industry organizations or, commonly, as regulatory requirements imposed by governments or self-regulatory bodies. Security professionals conducting assessments against these standards will normally review the standard and compare it with the security controls currently in place. This produces a gap analysis that identifies areas in which the organization deviates from the requirement. Security professionals then develop a prioritized set of remediation activities that mitigate those risks to an acceptable level. It is very important to prioritize that list, as there are often far too many risks to address all of them, and the organization should spend its limited resources addressing those that pose the most significant risk.
When encountering risks, organizations have four different options for handling the risk:
Risk mitigation includes activities designed to reduce the likelihood or impact of a risk.
Risk avoidance changes business practices to render a risk irrelevant.
Risk transference moves the impact of the risk to another organization.
Risk acceptance decides to continue operations as normal despite the risk.
In this lab, you will learn about the risk assessment process for access control systems. After reviewing the requirements of two regulatory standards covering access control systems, you will review a scenario and conduct a risk assessment of the access control system in that scenario. You will then design a set of remediation activities that would address those risks.
Lab Overview
This lab has two parts, which should be completed in the order specified.
1. In the first part of the lab, you will explore two different risk-assessment models that may be applied to access control systems.
2. In the second part of the lab, you will apply one of those models to conduct a compliance risk assessment of an access control system. You will then identify actions that you can take to remediate any deficiencies identified during your risk assessment.
Finally, if assigned by your instructor, you will complete a series of challenge exercises that allow you to use the skills you learned in the lab to conduct independent, unguided work - similar to what you will encounter in a real-world situation.
Learning Objectives
Upon completing this lab, you will be able to:
1. Explain the risk assessment process.
2. Describe the differences between the levels of specification in the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
3. Given a scenario, identify risks in an access control system.
4. Given a scenario, design remediation activities to mitigate risks.
Deliverables
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
Comparison of the PCI DSS and HIPAA access control requirements
Listing of five control gaps
Listing of five remediation strategies
Challenge Exercise (if assigned)
Guided Exercises
Note: In this section of the lab, you will follow a step-by-step walk-through of the objectives for this lab to produce the expected deliverable(s).
1. Review the Common Lab Tasks for Theory Labs document (https://jbl-lti.hatsize.com/uploads/Common-Lab-Tasks-for-Theory-Labs.pdf).
Frequently performed tasks, such as recording your answers and downloading your Lab Report, are explained in the Common Lab Tasks for Theory Labs document. You should review these tasks before starting the lab.
2. Proceed with Part 1.
Part 1: Research Risk Assessment Standards
Note: In this part of the lab, you will review the access control requirements created by two different regulatory standards. The Payment Card Industry Data Security Standard (PCI DSS) is a self-regulatory standard imposed upon all businesses involved in the processing of credit card transactions. It contains over 10 pages of detailed requirements for access control systems. The HIPAA Security Rule is a higher-level standard that provides implementation guidance for securing systems that process electronic protected health information.
1. In your browser, navigate to https://www.pcisecuritystandards.org/ and retrieve a copy of the current version of the Payment Card Industry Data Security Standard (PCI DSS) from the website’s document library.
PCI DSS is a regulatory framework for organizations involved in the storage, processing, and transmission of credit card information. The standard is quite lengthy and covers many aspects of cybersecurity. The 12 major requirements in this standard are often described as the “Digital Dozen” of credit card security.
2. Review the “Implement Strong Access Control Measures” section of the PCI DSS document. This section includes three requirements, each of which has several pages of detail:
Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
3. In your browser, navigate to https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf and review Section 164.312 of the HIPAA Security Rule on pages 66-67.
This section provides the technical safeguards required for operating a HIPAA-compliant system, including the standards for access control.
4. Compare the requirements for access control systems in the PCI DSS to those in the HIPAA Security Rule. Describe the level of detail found in each standard and how each standard might be easier or more challenging to meet compared with the other.
Part 2: Conduct a Risk Assessment
Note: In this part of the lab, you will review an access control system against the PCI DSS risk assessment framework. Your task is to identify any gaps that might exist between the existing system and the requirements in the standard.
You are the security administrator for Ricky’s Fried Chicken, a franchised fried chicken restaurant. The restaurant accepts credit cards and, as such, is subject to the provisions of PCI DSS. You are conducting a risk assessment of the point-of-sale (POS) system used by the chain against the access control provisions of PCI DSS.
The POS uses the architecture shown below:
[Figure: POS Architecture]
The links between the data center and the stores are all over strongly encrypted VPN connections.
Currently, each cashier has the ability to log on to the POS system at any store. Managers have the ability to log on to the POS systems, as well as the back-end servers. Cashiers use generic “cashier1,” “cashier2,” and “cashier3” accounts while managers each have personal accounts.
All users log on using a strong password. The organization has the following password requirements:
Passwords must be at least eight characters long and must be changed every 180 days.
Users are locked out for one hour after 10 unsuccessful login attempts.
Users are logged out after 10 minutes of inactivity.
The organization has written cardholder security policies and managers and IT staff review them on an annual basis, signing logs to document their review. IT staff conduct a semiannual review to remove
the accounts of any managers who have left the organization.
1. Conduct a risk analysis of this environment using the version of PCI DSS that you downloaded in Part 1 of this lab. Document at least five control gaps that exist in the environment. You may make assumptions about information not provided in this scenario, if necessary.
2. Identify controls that will mitigate each of the five deficiencies you identified in the previous step. Create a prioritized list of these actions.
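One way to record the gap analysis that steps 1 and 2 ask for, as an added example that is not part of the lab: it encodes the scenario's observed controls, checks each against the PCI DSS v3.2.1 Requirement 7 and 8 thresholds as recalled by the editor (an assumption; verify them against the copy you downloaded in Part 1, since v4.0 changes several values), and returns the gaps in one defensible priority order, not the lab's answer key.

```python
"""Gap analysis of the scenario's POS access controls against PCI DSS.

Added example; not part of the lab. The requirement numbers and thresholds
are the editor's recollection of PCI DSS v3.2.1 Requirements 7 and 8
(assumption: check them against the downloaded standard; v4.0 changes some,
e.g. a 12-character minimum and lockout after 10 attempts). The priority
ranking is one defensible ordering, not the lab's expected answer.
"""
from dataclasses import dataclass, field


@dataclass
class Observed:
    """Access controls as described in the Part 2 scenario."""
    min_password_len: int = 8
    password_max_age_days: int = 180
    lockout_after_attempts: int = 10
    lockout_minutes: int = 60
    idle_timeout_minutes: int = 10
    shared_accounts: list[str] = field(
        default_factory=lambda: ["cashier1", "cashier2", "cashier3"])
    termination_review_days: int = 182      # semiannual removal of departed managers
    cashiers_limited_to_own_store: bool = False


@dataclass
class Gap:
    requirement: str
    finding: str
    priority: int   # 1 = remediate first


# Each check: (requirement, priority, predicate returning a finding or None).
# Ranking rationale: with shared IDs nothing in the logs is attributable to a
# person, so 8.5 comes first; stale privileged accounts next; then least
# privilege; then password-hygiene parameters, cheap to change but lower impact.
CHECKS = [
    ("8.5", 1, lambda o: f"generic accounts in use: {', '.join(o.shared_accounts)}"
                         if o.shared_accounts else None),
    ("8.1.3", 2, lambda o: f"departed managers removed only every {o.termination_review_days} "
                           "days; the standard requires immediate revocation"
                           if o.termination_review_days > 0 else None),
    ("7.1", 3, lambda o: "cashiers can log on to the POS at any store, not only their own"
                         if not o.cashiers_limited_to_own_store else None),
    ("8.2.4", 4, lambda o: f"password rotation every {o.password_max_age_days} days (max 90)"
                           if o.password_max_age_days > 90 else None),
    ("8.1.6", 5, lambda o: f"lockout only after {o.lockout_after_attempts} attempts (max 6)"
                           if o.lockout_after_attempts > 6 else None),
    ("8.2.3", 6, lambda o: f"minimum password length {o.min_password_len} (min 7)"
                           if o.min_password_len < 7 else None),
    ("8.1.7", 7, lambda o: f"lockout lasts {o.lockout_minutes} minutes (min 30)"
                           if o.lockout_minutes < 30 else None),
    ("8.1.8", 8, lambda o: f"idle timeout {o.idle_timeout_minutes} minutes (max 15)"
                           if o.idle_timeout_minutes > 15 else None),
]


def assess(obs: Observed) -> list[Gap]:
    """Return the control gaps for `obs`, highest priority first."""
    gaps = [Gap(req, finding, prio)
            for req, prio, check in CHECKS
            if (finding := check(obs)) is not None]
    return sorted(gaps, key=lambda g: g.priority)


def remediated() -> Observed:
    """The scenario after the five proposed remediation actions (editor's proposal):
    individual cashier accounts, immediate revocation on departure, per-store
    cashier access, 90-day rotation, and lockout after 6 attempts."""
    return Observed(password_max_age_days=90, lockout_after_attempts=6,
                    shared_accounts=[], termination_review_days=0,
                    cashiers_limited_to_own_store=True)


if __name__ == "__main__":
    for g in assess(Observed()):
        print(f"{g.priority}. Req {g.requirement}: {g.finding}")
    print("gaps remaining after remediation:", len(assess(remediated())))
```

The scenario as written produces exactly five gaps (8.5, 8.1.3, 7.1, 8.2.4, 8.1.6); the eight-character minimum, one-hour lockout and ten-minute idle timeout already satisfy the corresponding v3.2.1 thresholds and are not reported.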
Challenge Exercise
Note: The following exercise is provided to allow independent, unguided work - similar to what you will encounter in a real situation.
For this part of the lab, you should consider a technology system that you are familiar with from either your employment, academic institution, and/or personal life. Answer the following questions for the system:
1. What risk assessment standard would be the best approach for evaluating this system? Depending on the system, you may use one of the standards already discussed in this lab or identify an alternative standard more appropriate for your environment. Provide a brief description of the system, identify the standard that you used, and describe why it is appropriate for the system.
2. Conduct a risk assessment of the system against that standard to the best of your ability. If you are not familiar with the detailed workings of the system, you may make assumptions to facilitate your risk assessment. Create a list of the gaps that exist between the system and the standard you used.
3. Develop a prioritized list of risk mitigation activities which, if followed, would address the issues raised in your gap analysis from step 2.