OFFICIAL (ISC)2 GUIDE TO THE CISSP CBK, SECOND EDITION
© 2010 by Taylor and Francis Group, LLC
OTHER BOOKS IN THE (ISC)2 PRESS SERIES
Official (ISC)2 Guide to the CISSP-ISSAP CBK, Harold F. Tipton, Editor
Official (ISC)2 Guide to the CAP CBK, Patrick Howard
Official (ISC)2 Guide to the CISSP-ISSEP CBK, Susan Hansche
OFFICIAL (ISC)2 GUIDE TO THE CISSP® CBK, SECOND EDITION
Edited by Harold F. Tipton, CISSP-ISSAP, ISSMP
Contributors: Paul Baker, Ph.D., CPP; Stephen Fried, CISSP; Micki Krause, CISSP; Tyson Macaulay, CISSP; Gary McIntyre, CISSP; Kelley Okolita, MBCP; Keith Pasley, CISSP; Marcus K. Rogers, Ph.D., CISSP; Ken M. Shaurette, CISSP; Robert M. Slade, CISSP
(ISC)2: Security Transcends Technology
CRC Press, Taylor & Francis Group, Boca Raton, London, New York. CRC Press is an imprint of the Taylor & Francis Group, an informa business. An Auerbach Book.
Auerbach Publications
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2010 by Taylor and Francis Group, LLC
Auerbach Publications is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1

International Standard Book Number: 978-1-4398-0959-4 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access ( or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Official (ISC)2 guide to the CISSP CBK / edited by Harold F. Tipton. -- 2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 978-1-4398-0959-4
1. Electronic data processing personnel--Certification. 2. Computer security--Examinations--Study guides. 3. Computer networks--Examinations--Study guides. I. Tipton, Harold F. II. Title.
QA76.3.T565 2009
005.8--dc22 2009024445

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site.
Contents

Foreword vii
Introduction xi
Editor xvii
Contributors xix
1 Access Control 1
  JAMES S. TILLER, CISSP; REVISED BY STEPHEN FRIED, CISSP
2 Application Security 157
  ROBERT M. SLADE, CISSP
3 Business Continuity and Disaster Recovery Planning 261
  KELLEY OKOLITA, MBCP
4 Cryptography 309
  KEVIN HENRY, CISSP; REVISED BY KEITH PASLEY, CISSP, CISA, ITIL, GSNA
5 Information Security Governance and Risk Management 401
  TODD FITZGERALD, CISSP, BONNIE GOINS, CISSP, AND REBECCA HEROLD, CISSP; REVISED BY KEN M. SHAURETTE, CISSP
6 Legal, Regulations, Investigations, and Compliance 503
  MARCUS K. ROGERS, PH.D., CISSP, CCCI-ADVANCED
7 Operations Security 539
  GARY MCINTYRE, CISSP
8 Physical and Environmental Security 579
  PAUL BAKER, PH.D., CPP
9 Security Architecture and Design 667
  GARY MCINTYRE, CISSP AND MICKI KRAUSE, CISSP
10 Telecommunications and Network Security 731
  ALEC BASS, CISSP AND PETER BERLICH, CISSP-ISSMP; REVISED BY TYSON MACAULAY, CISSP
Appendix: Answers to Practice Questions 853
Foreword

Foreword to CBK Study Guide 2009

In today's connected world, business, government, and consumers all want the ability to access information, communicate, and execute transactions immediately with the assurance of real-world security. However, every advance in connectivity and convenience also brings new threats to privacy and security in the global virtual environment. That's why information security has become critical to mitigating risks that can destroy a company's reputation, violate a consumer's privacy, compromise intellectual property, and, in some cases, endanger lives.

Most organizations now understand that technology alone cannot secure their data. In ever-increasing numbers, they are seeking seasoned professionals who can create and implement a comprehensive information security program, obtain support and funding for the program, and make every employee a security-conscious citizen, all while meeting necessary regulatory standards.

Educating and certifying the knowledge and experience of information security professionals has been the mission of the International Information Systems Security Certification Consortium [(ISC)2] since its inception. Formed in 1989 by multiple IT associations to develop an accepted industry standard for the practice of information security, (ISC)2 created the first and only CBK, a continuously updated compendium of knowledge areas critical to being a professional. (ISC)2 has certified security professionals and practitioners in more than 130 countries across the globe. It is the largest body of information security professionals in the world.

Information security only continues to grow in size and significance and has become a business imperative for organizations of all sizes. With the increasing importance of security, educated, qualified, and experienced information security professionals are viewed as the answer to an organization's security challenges. Responsibilities are increasing as well—information security professionals are under increasing pressure to secure not only the perimeter of the organization, but all the data and systems within the organization. Whether researching new technologies or implementing information risk management initiatives, information security professionals are being held to even more stringent standards than ever before and the need for specialized training continues to increase.

To ensure that professionals meet these high standards, (ISC)2 offers a suite of information security education materials, certifications, and concentrations that cover each discipline within the information security field, whether it is planning, design, execution, or management.

Although requirements vary from certification to certification, such as minimum number of years of relevant work experience and areas of domain knowledge, all candidates applying for (ISC)2 certifications must pass a rigorous exam, be endorsed by a current (ISC)2 credential holder (member), adhere to the (ISC)2 Code of Ethics, and obtain annual continuing professional education credits to maintain certification.

(ISC)2's certifications are vendor-neutral, which means they are not tied to a specific vendor or product, but instead encompass a broad scope of knowledge. These certifications provide organizations with the assurance that their staff has been tested on understanding industry best practices, possessing a broad knowledge of the field, and demonstrating sound professional judgment.

(ISC)2's core credentials are accredited by the International Organization for Standardization's (ISO) United States representative, the American National Standards Institute (ANSI), under ANSI/ISO/IEC Standard 17024, a national and global benchmark for the certification of personnel. In fact, the Certified Information Systems Security Professional (CISSP) certification was the first technology-related credential to earn such accreditation, making it the Gold Standard within the information security industry. The CISSP is an invaluable tool that independently validates a candidate's expertise in developing information security policies, standards, and procedures as well as managing implementation across the enterprise.

The Official (ISC)2 Guide to the CISSP CBK is the only document that addresses all of the topics and subtopics contained in the CISSP CBK. The authors and editor of this new, comprehensive edition have provided an extensive supplement to the CBK review seminars that are designed to help candidates prepare for CISSP certification.

Earning your CISSP is a deserving achievement and makes you a member of an elite network of professionals that enjoy such benefits as access to leading industry conference registrations worldwide, access to a Career Center with current job listings, subscription to (ISC)2's members-only digital magazine—InfoSecurity Professional, a "live" help desk to address your questions and issues, and much more. You will also be a member of a highly respected organization that is constantly working to raise the profile of the profession through community goodwill programs such as children's security awareness programs, an information security career guide for high-school and college-aged students, and academic scholarships for students researching new techniques and theories in the field.

We wish you success in your journey to becoming a CISSP.

W. Hord Tipton
International Information System Security Certification Consortium, Inc.
Introduction

Introduction to the Official (ISC)2 Guide to the CISSP CBK Textbook

This marks the second edition of the Official Guide to the CISSP CBK and includes many important updates and revisions. Recognized as one of the best tools available to the information security professional, and especially to the candidate studying for the (ISC)2 CISSP examination, this edition reflects the latest developments in the ever-changing and exciting field of information security, and the most up-to-date review of the CBK available.

(ISC)2 has a long history of educating and certifying information security professionals, from its first days as a volunteer organization defining the scope of information security, to its current position as the global leader in information security. As every modern organization and government depends on stable and secure systems, the relevance and importance of a highly skilled and educated workforce becomes more and more critical. For this reason, (ISC)2 is pleased to bring you another great tool in your arsenal that is sure to assist in your daily responsibilities and long-term objectives.

Information security professionals are key elements in securing, stabilizing, and advancing the mission of the business they support, regardless of whether that business is a commercial enterprise, a military organization, or a government. Information security plays a leading role in allowing an organization to leverage the benefits of new technologies and venture into new lines of business. Long gone are the days of information security being an obstacle to business and locked into a narrow focus on technology and restrictive procedures. The information security professional must be a business manager first and seek out the creative and cost-effective measures needed to identify and address risks, ensure business continuity, and meet legal requirements.

To write this valuable reference, skilled authors, who are experts in their field, were chosen to contribute to, and update the various chapters as well as share their passion for their areas of expertise. This book is an authoritative reference that can be used to gain a solid understanding of the CISSP CBK and as a valuable reference, holding a prominent position on every information security professional's bookshelf.

The (ISC)2 CISSP CBK is a taxonomy—a collection of topics relevant to information security professionals around the world. The CISSP CBK establishes a common framework of information security terms and principles that allow information security professionals around the world to discuss, debate, and resolve matters pertaining to the profession through a common understanding and standard terminology. Understanding the CBK allows intelligent discussion with peers on information security issues.

The CISSP CBK is continuously evolving. Every year the (ISC)2 CBK committee reviews the content of the CBK and updates it with a consensus of best practices from an in-depth job analysis survey of CISSPs around the world. These best practices may address implementing new technologies, dealing with new threats, incorporating new security tools, and, of course, managing the human factor of security. (ISC)2 also represents the changes and trends in the industry through the award-winning CISSP CBK review seminars and educational programs.

The following list represents the 10 current domains of the CBK and the high-level topics contained in each domain. A comprehensive list can be obtained by requesting the Candidate Information Bulletin from the (ISC)2 Web site.

Access Control

Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It permits management to specify what users can do, which resources they can access, and what operations they can perform on a system. The candidate should fully understand access control concepts, methodologies, and implementations within centralized and decentralized environments across the enterprise's computer systems. Access control techniques, and detective and corrective measures, should be studied to understand the potential risks, vulnerabilities, and exposures.

Application Development Security

Application development security refers to the controls that are included within system and application software and the steps used in their development. Applications refer to agents, applets, software, databases, data warehouses, and knowledge-based systems. These applications may be used in distributed or centralized environments. The candidate should fully understand the security and controls of the systems development process, system life cycle, application controls, change controls, data warehousing, data mining, knowledge-based systems, program interfaces, and concepts used to ensure data and application integrity, security, and availability.

Business Continuity and Disaster Recovery Planning

The business continuity and disaster recovery planning domain addresses the preservation of the business in the face of major disruptions to normal business operations. Business continuity plans (BCPs) and disaster recovery plans (DRPs) involve the preparation, testing, and updating of specific actions to protect critical business processes from the effect of major system and network failures. BCPs counteract interruptions to business activities and should be available to protect critical business processes from the effects of major failures or disasters. They deal with natural and man-made events and the consequences if they are not dealt with promptly and effectively. DRPs contain procedures for emergency response, extended backup operation, and post-disaster recovery should a computer installation experience a partial or total loss of computer resources and physical facilities. The primary objective of the DRP is to provide the capability to process mission-essential applications, in a degraded mode, and return to normal mode of operation within a reasonable amount of time. The candidate will be expected to know the difference between business continuity planning and disaster recovery; business continuity planning in terms of project scope and planning, business impact analysis, recovery strategies, recovery plan development, and implementation. The candidate should understand disaster recovery in terms of recovery plan development, implementation, and restoration.

Cryptography

The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality, and authenticity. The candidate will be expected to know basic concepts within cryptography; public and private key algorithms in terms of their applications and uses; algorithm construction, key distribution and management, and methods of attack; and the applications, construction, and use of digital signatures to provide authenticity of electronic transactions, and non-repudiation of the parties involved.

Information Security Governance and Risk Management

Information security governance and risk management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and to rate their vulnerabilities so that effective security controls can be implemented. Risk management is the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost–benefit analysis, management decision, safeguard implementation, and effectiveness review. The candidate will be expected to understand the planning, organization, and roles of individuals in identifying and securing an organization's information assets; the development and use of policies stating management's views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security-awareness training to make employees aware of the importance of information security, its significance, and the specific security-related requirements relative to their position; the importance of confidentiality, proprietary, and private information; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.

Legal, Regulations, Compliance, and Investigations

The legal, regulations, compliance, and investigations domain addresses computer crime laws and regulations; the investigative measures and techniques that can be used to determine if a crime has been committed, and methods to gather evidence. Incident handling provides the ability to react quickly and efficiently to malicious technical threats or incidents. The candidate will be expected to know the methods for determining whether a computer crime has been committed; the laws that would be applicable for the crime; laws prohibiting specific types of computer crimes; methods to gather and preserve evidence of a computer crime, and investigative methods and techniques; and ways to address compliance.

Operations Security

Operations security is used to identify the controls over hardware, media, and the operators with access privileges to any of these resources. Audit and monitoring are the mechanisms, tools, and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process. The candidate will be expected to know the resources that must be protected, the privileges that must be restricted, the control mechanisms available, the potential for abuse of access, the appropriate controls, and the principles of good practice.

Physical (Environmental) Security

The physical (environmental) security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise's resources and sensitive information. These resources include people, the facility in which they work, and the data, equipment, support systems, media, and supplies they utilize. The candidate will be expected to know the elements involved in choosing a secure site, its design and configuration, and the methods for securing the facility against unauthorized access, theft of equipment and information, and the environmental and safety measures needed to protect people, the facility, and its resources.

Security Architecture and Design

The security architecture and design domain contains the concepts, principles, structures, and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity, and availability. The candidate should understand security models in terms of confidentiality, integrity, and information flow; system models in terms of the Common Criteria; technical platforms in terms of hardware, firmware, and software; and system security techniques in terms of preventive, detective, and corrective controls.

Telecommunications and Network Security

The telecommunications and network security domain encompasses the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communication networks and media. The candidate is expected to demonstrate an understanding of communications and network security as it relates to voice communications; data communications in terms of local area, wide area, and remote access; Internet/intranet/extranet in terms of firewalls, routers, and TCP/IP; and communications security management and techniques in terms of preventive, detective, and corrective measures. In today's global marketplace, the ability to communicate with others is a mandatory requirement.

This textbook has been developed to help information security professionals who want to better understand the knowledge requirements of their professions and have that knowledge validated by the CISSP certification. Since few professionals have significant work experience in all 10 domains, the authors highly recommend attending a CBK review seminar to identify those areas where more concentrated study is necessary. This textbook and the CBK review seminar complement each other perfectly in providing a multi-vectored approach to learning and understanding the breadth of this ever-changing field.

This composition required a tremendous amount of work from the authors, the editors, and the printing firm. We extend our heartfelt thanks to each one of them, along with a very appreciative compliment for a task well done.

Enjoy your studying, and may the experience of preparing for the examination and the exploring of all the many facets of this industry continue to ignite your passion and satisfaction in working in the field of information security.
Editor

Hal Tipton, currently an independent consultant, was a past president of the International Information System Security Certification Consortium and a director of computer security for Rockwell International Corporation for about 15 years. He initiated the Rockwell computer and data security program in 1977 and then continued to administer, develop, enhance, and expand the program to accommodate the control needs produced by technological advances until his retirement from Rockwell in 1994.

Tipton has been a member of the Information Systems Security Association (ISSA) since 1982. He was the president of the Los Angeles Chapter in 1984, and the president of the national organization of ISSA (1987–1989). He was added to the ISSA Hall of Fame and the ISSA Honor Roll in 2000.

Tipton was a member of the National Institute for Standards and Technology (NIST), the Computer and Telecommunications Security Council, and the National Research Council Secure Systems Study Committee (for the National Academy of Science). He received his BS in engineering from the U.S. Naval Academy and his MA in personnel administration from George Washington University; he also received his certificate in computer science from the University of California at Irvine. He is a certified information system security professional (CISSP), ISSAP, ISSMP.

He has published several papers on information security issues for:
Auerbach Publishers—Handbook of Information Security Management
Data Security Management
Information Security Journal
National Academy of Sciences—Computers at Risk
Data Pro Reports
Elsevier
ISSA "Access" Magazine

He has been a speaker at all the major information security conferences including the following: Computer Security Institute, the ISSA Annual Working Conference, the Computer Security Workshop, MIS Conferences, AIS Security for Space Operations, DOE Computer Security Conference, National Computer Security Conference, IIA Security Conference, EDPAA, UCCEL Security Audit Users Conference, and Industrial Security Awareness Conference.

He has conducted/participated in information security seminars for (ISC)2, Frost & Sullivan, UCI, CSULB, System Exchange Seminars, and the Institute for International Research. He participated in the Ernst & Young video "Protecting Information Assets." He is currently serving as the editor of the Handbook of Information Security Management (Auerbach Publications). He chairs the (ISC)2 CBK Committees and the QA Committee. He received the Computer Security Institute's Lifetime Achievement Award in 1994 and the (ISC)2's Hal Tipton Award in 2001.
  23. 23. ContributorsPaul Baker, Ph.D, CPP, is a security manager with more than 30 years of exten-sive and comprehensive experience in all phases of law enforcement and industrialsecurity. He holds a doctorate in strategic leadership from Regent University alongwith a master of science in criminal justice from Troy University. Dr. Baker beganhis security management journey in the U.S. Marine Corps and continued as aMaryland State Trooper working extensively on narcotics and intelligence. Afterhis retirement in 2001, he embarked on the next phase of his security career, work-ing as a physical security supervisor for the MITRE Corporation in Washington,D.C. He is currently employed as a security manager for Capital One Bank.Dr. Baker has been involved in numerous security assessment projects and hasdesigned complete physical protection systems for a multitude of facilities.Alec Bass, CISSP, is a senior security specialist in the Boston area. During his 25year career, Alec has developed solutions that significantly reduce risk to the digi-tal assets of high-profile manufacturing, communications, home entertainment,financial, research, and federal organizations. He has helped enterprises enhancetheir network’s security posture, performed penetration testing, and administeredclient firewalls for an application service provider. Before devoting his career to information security, Alec supported the IT infra-structure for a multinational Fortune 200 company and fi xed operating systembugs for a leading computer firm.Peter Berlich, CISSP-ISSMP, is working as an IT security manager on a largeoutsourcing account at IBM Integrated Technology Services, coming from a pro-gression of IT security- and compliance-related roles in IBM. Before joining IBM,he was global information security manager at ABB, after a succession of technicaland project management roles with a focus on network security management. 
Peteris a member of the (ISC)2 European Advisory Board and the Information SecurityForum Council. He is the author of various articles on the subject of security andprivacy management in publications such as Infosecurity Today. xix© 2010 by Taylor and Francis Group, LLC
  24. 24. xx ◾ ContributorsTodd Fitzgerald, CISSP, CISA, CISM, is the director of information systems secu-rity and a systems security officer for United Government Services, LLC (UGS),Milwaukee, Wisconsin. Todd has written articles on information security forpublications such as The Information Security Management Handbook, The HIPAAProgram Reference Book, Managing an Information Security and Privacy Awarenessand Training Program (Auerbach Publications) and magazines such as InformationSecurity. Todd is frequently called upon to present at national and local confer-ences, and has received several security industry leadership awards.Stephen Fried, CISSP, CISM, is a seasoned information security professional withover 25 years experience in information technology. For the last 12 years, Stephenhas concentrated his efforts on providing effective information security leadershipto large organizations. Stephen has led the creation of security programs for twoFortune 500 companies and has an extensive background in such diverse securityissues as risk assessment and management, security policy development, securityarchitecture, infrastructure and perimeter security design, outsource relationshipsecurity, offshore development, intellectual property protection, security technol-ogy development, business continuity, secure e-business design, and informationtechnology auditing. A frequent speaker at conferences, Stephen is also active inmany security industry organizations. He is a contributing author to the InformationSecurity Management Handbook, and has also been quoted in magazines such asSecure Enterprise and CIO Decisions.Bonnie A. Goins, CISSP, NSA IAM, GIAC, CISM, ISS, PCI QSA, is a nationallyrecognized subject matter expert in information security management. 
With over17 years of experience in management consulting, and information technology andsecurity, Bonnie is chosen by executive management for her depth of knowledgeand experience in information technology and security strategy development andrefinement; risk and security assessment methods; security program design, devel-opment, and implementation; regulatory compliance initiatives, such as HIPAA,Sarbanes–Oxley, PCI, GLBA, NERC/FERC, FISMA, and others; policy, proce-dure, and plan creation; technology and business process reengineering; securenetwork infrastructure design and implementation; business continuity and inci-dent response initiatives; application security methods; and security/technology/regulatory training. Her experience extends over multiple verticals and includeshealthcare, financial services, government, utilities, retail, higher education, tele-communications, manufacturing, public health, pharmaceuticals/biotech, andmanufacturing.Kevin Henry, CISSP-ISSEP, ISSMP, CAP, SSCP, is a well-known speaker and con-sultant in the field of information security and business continuity planning. Heprovides educational and consulting services to organizations throughout the worldand is an official instructor for (ISC)2. He is responsible for course development and© 2010 by Taylor and Francis Group, LLC
delivery for several (ISC)2 programs. Kevin has a broad range of experience in both technology and management of information technology and information security programs. He has worked for clients ranging from the largest telecommunications firms in the world to governments, military, and small home-based operations. He is a highly respected presenter at conferences, seminars, and educational programs worldwide. With over 20 years of telecommunications and government experience, he brings a relevant and interesting approach to information security and provides practical and meaningful solutions to the information security challenges, threats, and regulations we face today.

Rebecca Herold, CISSP, CISM, CISA, FLMI, is an information privacy, security, and compliance consultant, author, and instructor with over 16 years of experience assisting organizations of all sizes in all industries throughout the world. Rebecca has written numerous books, including Managing an Information Security and Privacy Awareness and Training Program (Auerbach Publications) and The Privacy Management Toolkit (Information Shield), along with dozens of book chapters and hundreds of published articles. Rebecca speaks often at conferences, and develops and teaches workshops for the Computer Security Institute. Rebecca is a resident editor for the IT Compliance Community and also an adjunct professor for the Norwich University master of science in information assurance program.

Micki Krause, CISSP, has held positions in the information security profession for the last 20 years. She is currently the chief information security officer at Pacific Life Insurance Company in Newport Beach, California. Micki has held several leadership roles in industry-influential groups including the ISSA and the (ISC)2 and is a long-term advocate for professional security education and certification. In 2003, Krause received industry recognition as a recipient of the "Women of Vision" award given by Information Security magazine. In 2002, Krause was honored as the second recipient of the Harold F. Tipton Award in recognition of sustained career excellence and outstanding contributions to the profession. She is a reputed speaker, published author, and coeditor of the Information Security Management Handbook series.

Tyson Macaulay, the security liaison officer for Bell Canada, is responsible for technical and operational risk management solutions for Bell's largest enterprise clients. Tyson leads security initiatives addressing large, complex, technology solutions including physical and logical (IT) assets, and regulatory/legal compliance requirements. In this role, he leads worldwide engagements involving multinational companies and international governments. Tyson's leadership encompasses a broad range of industry sectors from the defense industry to high-tech start-ups. His expertise includes large-scale security implementations in both public and private sector institutions, working on projects from conception through development to implementation. Tyson is a respected thought leader with publications dating from
1993. His work has covered authorship of peer-reviewed white papers, IT security governance programs, technical and integration services, and incident management processes.

Kelley Okolita, MBCP, is currently the program manager for business continuity and disaster recovery for the Hanover Insurance Group. Widely recognized as an industry expert with more than 25 years' experience, Kelley developed and implemented programs that were put to the test and proved successful for a variety of recoveries both large and small, including from the events of September 11, 2001 and Hurricane Katrina. Kelley is sought after as a speaker and subject-matter expert by organizations such as Gartner, Sungard, and IBM. She has published articles in professional magazines and journals and was selected by (ISC)2 to be the expert to rewrite Chapter 3 for their CISSP study guide and ISSAP study guide. Kelley has had a 10-year affiliation with DRI International (DRII)—six years on the Certification Commission for DRII, two as a chair and two as a member of their board of directors. She continues to serve on various committees. She is also an alternate on the NFPA 1600 Technical Committee. She has spoken at conferences from North America to Australia to Singapore and is currently completing her book on enterprise-wide business continuity planning, which is to be published by Taylor & Francis.

Keith Pasley, CISSP, CISA, ITIL, GSNA, is an information security professional specializing in helping companies understand information security requirements and regulatory compliance, and in making the most of security technology to reduce costs and complexity. Keith has over 20 years of hands-on experience in the information technology industry, and has spent the last 13 years specializing in information security. In various roles, Keith has designed security architectures and implemented security strategies for government, education, and commercial sectors. Keith is a security researcher and a contributing author to such publications as the Information Security Management Handbook and the HIPAA Program Reference (both published by Auerbach Publications). Keith has also published online and in-print articles on various security-related subjects.

Marcus K. Rogers, Ph.D., CISSP, CCCI, is the director of the Cyber Forensics Program in the Department of Computer and Information Technology at Purdue University. He is a professor, a faculty scholar, and a research faculty member at the Center for Education and Research in Information Assurance and Security. Dr. Rogers is a member of the quality assurance board for (ISC)2's SSCP designation; the international chair of the Law, Regulations, Compliance and Investigation Domain of the Common Body of Knowledge (CBK) committee; the chair of the Ethics Committee, Digital Multimedia Sciences Section, American Academy of Forensic Sciences; and the chair of the Certification Committee, Digital Forensics Certification Board. Dr. Rogers is the editor in chief of the Journal of Digital
Forensic Practice and serves on the editorial board of several other professional journals. He is the author of numerous book chapters and journal publications in the field of digital forensics and applied psychological analysis.

Ken M. Shaurette, CISSP, CISA, CISM, is an experienced security and audit professional with a strong understanding of complex computing environments, legislative and regulatory requirements, and security solutions. He is a founding member and a past president of the Western Wisconsin InfraGard Chapter; a past president of ISSA-Milwaukee (International Systems Security Association); the current president and founding member of ISSA-Madison; a past chairman of the MATC Milwaukee Security Specialist Curriculum Advisory Committee; a member of Herzing University's Department of Homeland Security Degree; and a member of the Western Wisconsin Association of Computer Crime Investigators. Ken has published security information in several books and trade magazines. In his spare time, he finds time to work as a director of IT services for Financial Institution Products Corporation (FIPCO®), a subsidiary of the Wisconsin Bankers Association. He can be reached via e-mail at

Robert M. Slade is an information security and management consultant from North Vancouver, British Columbia, Canada. Initial research into computer viral programs developed into the writing and reviewing of security books, and eventually into conducting review seminars for CISSP candidates. Slade also promotes the Community Security Education project, attempting to increase security awareness for the general public as a means of reducing overall information security threats. More information than anyone would want to know about him is available at or It is next to impossible to get him to take "bio" writing seriously.

James S. Tiller, CISSP, CISA, is an accomplished executive with over 14 years of information security and information technology experience and leadership. He has provided comprehensive, forward-thinking solutions encompassing a broad spectrum of challenges and industries. Jim has spent much of his career assisting organizations throughout North America, Europe, and most recently Asia, in meeting their security goals and objectives. He is the author of The Ethical Hack: Framework for Business Value Penetration Testing and A Technical Guide to IPsec Virtual Private Networks (Auerbach Publications). Jim has been a contributing author to the Information Security Management Handbook for the last five years, in addition to several other publications. Currently, Jim is the vice president of Security North America for BT Global Services.
Chapter 1
Access Control
James S. Tiller, CISSP; revised by Stephen Fried, CISSP

Contents
Introduction ... 1
  CISSP Expectations ... 2
Key Access Control Concepts ... 3
Access Control Principles ... 11
Information Classification ... 16
Access Control Requirements ... 25
Access Control Categories ... 29
Access Control Types ... 34
System Access Control Strategies ... 53
Identity Management ... 92
Access Control Technologies ... 99
Data Access Controls ... 116
Intrusion Detection and Intrusion Prevention Systems ... 124
Threats ... 132
Summary and Conclusion ... 153
Review Questions ... 154

Introduction
The field of information security is complex, dynamic, and infinitely challenging. This single discipline contains elements of advanced technology, human behavior,
business strategy, statistical analysis, mathematics, and a host of other technical and personal skills. In fact, the field can be so complex that to categorize it for the CBK® takes ten distinct domains, each with its own unique skill and knowledge requirements. Despite all this complexity, however, the fundamental purpose of all information security efforts remains the same: to protect the confidentiality, integrity, and availability of information assets. Furthermore, the most fundamental way of doing this is to ensure that only those who have a specific need for an asset, combined with specific authoritative permission, will be able to access that asset. That, in a nutshell, is access control.

Access control provides the basic building blocks for enabling information security and is the foundation upon which all security efforts, including the other nine CBK domains, are based. The ability to develop and implement an effective and comprehensive access control strategy will lay the groundwork toward establishing an effective overall security program for the organization. Likewise, an ineffective, incomplete, or haphazard access control strategy will do nothing to assist the organization's security efforts and may, in fact, hinder those efforts considerably.

This chapter introduces the security professional to all aspects of access control, from the theoretical to the highly detailed. The reader will be given the definitions and basic concepts necessary to understand access control processes and will be shown various methods of providing access control functionality in a variety of physical and technical situations. Finally, detailed technical discussions of various access control technologies will demonstrate the large number of options available for addressing specific access control needs.

CISSP Expectations
According to the (ISC)2 Candidate Information Bulletin, an information security professional should fully understand access control concepts, methodologies, and implementation within centralized and decentralized environments across the enterprise's computer systems. Access control techniques and detective and corrective measures should be studied to understand the potential risks, vulnerabilities, and exposures.

Key areas of knowledge are
◾ Control access by applying the following concepts, methodologies, and techniques
  − Policies
  − Types of controls: preventive, detective, corrective, etc.
  − Techniques, e.g., nondiscretionary, discretionary, and mandatory
  − Identification and authentication
  − Decentralized and distributed access control techniques
  − Authorization mechanisms
  − Logging and monitoring
◾ Understand access control attacks
◾ Assess effectiveness of access controls
Key Access Control Concepts
Before beginning a complete dissection of the access control domain, it is important to have an understanding of some key concepts that will be important throughout the chapter. These concepts form the basis for understanding how access control works, why it is a key security discipline, and how each individual component to be discussed in this chapter relates to the overall access control universe.

The most basic and important piece of knowledge to understand is a precise definition of what is meant by the term "access control." For the rest of this chapter, indeed for the rest of this book, the following definition will be used:

    Access control is the process of allowing only authorized users, programs, or other computer systems (i.e., networks) to observe, modify, or otherwise take possession of the resources of a computer system. It is also a mechanism for limiting the use of some resources to authorized users.

In short, access controls are the collection of mechanisms that work together to protect the assets of the enterprise. They help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved. Although access control is a single domain within the CISSP Common Body of Knowledge (CBK), it is the most pervasive and omnipresent aspect of information security. Access controls encompass all operational levels of an organization:

◾ Facilities: Access controls protect entry to, and movement around, an organization's physical locations to protect personnel, equipment, information, and other assets inside that facility.
◾ Support systems: Access to support systems (such as power, heating, ventilation and air conditioning (HVAC) systems; water; and fire suppression controls) must be controlled so that a malicious intruder is not able to compromise these systems and cause harm to the organization's personnel or the ability to support critical systems.
◾ Information systems: Multiple layers of access controls are present in most modern information systems and networks to protect those systems, and the information they contain, from harm or misuse.
◾ Personnel: Management, end users, customers, business partners, and nearly everyone else associated with an organization should be subject to some form of access control to ensure that the right people have the ability to interface with each other, and not interfere with the people with whom they do not have any legitimate business.

Additionally, all physical and logical entry points to the organization need some type of access control. Given the pervasive nature and importance of access controls
throughout the practice of security, it is necessary to understand the four key attributes of access control that enable good security management. Specifically, access controls enable management to

1. Specify which users can access a system
2. Specify what resources those users can access
3. Specify what operations those users can perform
4. Enforce accountability for those users' actions

Each of these four areas, although interrelated, represents an established and individual approach to defining an effective access control strategy. The information in this chapter will assist the security professional in determining the proper course of action to satisfy each of the attributes as it applies to a particular system, process, or facility.

Joining the C-I-A: The common thread among all good information security objectives is that they address at least one (if not all three) of the core security principles: confidentiality, integrity, and availability (more commonly referred to as the C-I-A). Confidentiality refers to efforts made to prevent unauthorized disclosure of information to those who do not have the need, or right, to see it. Integrity refers to efforts made to prevent unauthorized or improper modification of systems and information. It also refers to the amount of trust that can be placed in a system and the accuracy of information within that system. For example, many systems and applications will check data that come into the system for syntactic and semantic accuracy to ensure that incoming data do not introduce operational or processing errors, thus affecting its overall integrity. Availability refers to efforts made to prevent disruption of service and productivity. The goals of information security are to ensure the continued C-I-A of an organization's assets. This includes both physical assets (such as buildings, equipment, and, of course, people) and information assets (such as company data and information systems).

Access controls play a key role in ensuring the confidentiality of systems and information. Managing access to physical and information assets is fundamental to preventing exposure of data by controlling who can see, use, modify, or destroy those assets. In addition, managing an entity's admittance and rights to specific enterprise resources ensures that valuable data and services are not abused, misappropriated, or stolen. It is also a key factor for many organizations that are required to protect personal information in order to be compliant with appropriate legislation and industry compliance requirements.

The act of controlling access inherently provides features and benefits that protect the integrity of business assets. By preventing unauthorized or inappropriate access, organizations can achieve greater confidence in data and system integrity. Without controls to manage who has access to specific resources, and what actions they are permitted to perform, there are few alternate controls that ensure that information and systems are not modified by unwanted influences. Moreover, access controls (more specifically, records of access activity) offer greater visibility into determining who or what may have altered data or system information, potentially affecting the integrity of those assets. Access controls can be used to match an entity (such as a person or a computer system) with the actions that entity takes against valuable assets, allowing organizations to have a better understanding of the state of their security posture.

Finally, access control processes go hand in hand with efforts to ensure the availability of resources within an organization. One of the most basic rules to embrace for any valuable asset, especially an asset whose criticality requires that it must be available for use over elongated periods of time, is that only people with a need to use that particular asset should be allowed access to that asset. Taking this stance ensures that the resource is not blocked or congested by people who have no business using it. This is why most organizations only allow their employees and other trusted individuals into their facilities or onto their corporate networks. In addition, restricting access to only those who need to use a resource reduces the likelihood that malicious agents can gain access and cause damage to the asset or that nonmalicious individuals with unnecessary access can cause accidental damage.

Determining a Default Stance: An organization's access control strategy is directly influenced by its overall approach and philosophy concerning information security. For example, educational institutions and public social organizations generally promote more open and unfettered access to systems and information. They would most likely have fewer restrictions and controls on what information and services users can access.
Their philosophy is based on allowing access to any information unless there is a specific need to restrict that access. Such an access philosophy is often referred to as allow-by-default. More formally, this philosophy dictates that any access that is not specifically denied is permitted. Even though such an organization may have security measures in place (like firewalls, for example), those devices are configured to allow access to a resource unless a specific resource is defined as requiring more restricted access. This approach provides a much more open environment for sharing information and resources, but at the potential cost of losing control over the confidentiality, integrity, and availability of the information and resources that organization manages. Figure 1.1 shows a conceptual view of an allow-by-default environment.

[Figure: FTP, HTTP, SMTP, and P2P traffic arrives at a firewall that asks "Is the protocol denied?" before passing it on to the intranet.]
Figure 1.1 Conceptual view of an allow-by-default environment.

In Figure 1.1, the firewall is configured to allow most network protocols (e.g., FTP, HTTP, and SMTP) through to the organization's intranet. However, peer-to-peer (P2P) protocols (such as file-sharing and instant messaging programs) are blocked at the firewall, presumably because the organization fears the introduction of malicious software through such programs.

Other organizations have a much stricter access control philosophy. These would include most commercial enterprises, government systems, and military installations. Their philosophy is one of deny-by-default, or, more formally, any access that is not specifically permitted is denied. In contrast to the allow-by-default approach, deny-by-default will block all attempts to access information and resources unless that access is specifically permitted. This approach provides an environment that protects information resources much more strongly, but at a cost of requiring much greater management and administration of those resources. In addition, workers in a deny-by-default environment may find that access to, and sharing of, information in such an environment is much more difficult. Figure 1.2 shows a conceptual view of a deny-by-default environment.

[Figure: the same FTP, HTTP, SMTP, and P2P traffic arrives at a firewall that asks "Is the protocol allowed?" before passing it on to the intranet.]
Figure 1.2 A conceptual view of a deny-by-default environment.

In this diagram, the more restrictive environment blocks most protocols from entering the intranet. The exception is the SMTP protocol (used by most e-mail systems), which is allowed to pass through the firewall. This would allow e-mail traffic to travel in and out of the organization.

In practice, few organizations fall purely in the allow-by-default or deny-by-default camps. Some areas of an organization may be more permissive (e.g., employee recreational information or cafeteria meal schedules), while other areas will be much more restrictive (such as employee health and salary information or company financial records). Nevertheless, most organizations will have one or the other of these core philosophies as their underlying guiding principle. Defining your core philosophy will be very important to your access control strategy, as it sets the tone for all other access control decisions to follow.

Defense in Depth: The practice of implementing appropriate access control mechanisms is also the first line of defense in an organization's defense-in-depth strategy. Defense in depth is the practice of applying multiple layers of security protection between an information resource and a potential attacker. If one of those layers should fail, the successive layers will continue to function and protect the resource against compromise. A sound access control strategy provides the first layer of protection. By carefully managing all attempts to access a resource and blocking those that are not preauthorized, it ensures that all the other layers protecting that resource have a much greater chance of successfully protecting it.

Defense in depth is applicable to both the physical and virtual environments. For example, imagine a modern office complex where top-secret data are stored, as depicted in Figure 1.3. In such an environment, a tall perimeter fence might provide the first layer of defense to keep intruders out. If an intruder gets through the fence, the building may have an armed guard at the front door. Should the intruder manage to knock out and disarm the guard, he may find that the building requires an access card to get past the main lobby. If the intruder can find an access card (perhaps from the security guard he just knocked out), and get into the main part of the building, he may find that all the cabinets with secret data are locked and the key is nowhere to be found! The goal in all of this is to ensure that access to target assets (in this case the secret data) is protected by multiple layers of controls.

[Figure: nested layers of a card access door, a biometric access door, and a locked file cabinet around the protected data.]
Figure 1.3 Physical defense in depth.

A properly protected virtual environment, such as that depicted in Figure 1.4, should present similar challenges. If that same intruder decided to break into the company's data center over the Internet, he may find that the company's network is protected by a strong firewall. However, this intrepid villain does not let that stop him and manages to find a hole through the firewall to the company's payroll server. The server, however, requires a password. If the attacker keeps going he will find that the applications on the server also require passwords, the system is protected by a host-based Intrusion Prevention System (more on that later), and the database files are encrypted. As it was with the physical security example, the more layers of protection placed between an attacker and a potential target, the less likely it is that the failure of any single control will cause compromise or loss of the asset.

Access controls can be found in many places within a computing environment. For example, firewalls employ rules that permit, limit, or deny access to various network services. By reducing the exposure to threats, controls protect potentially vulnerable system services, ensuring that network's availability.
By reducing exposure to unwanted and unauthorized entities, organizations can limit the number of threats that can affect the availability of systems, services, and data.

[Figure: successive layers of network access controls (firewalls), server access controls, application access controls, and data access controls.]
Figure 1.4 Network defense in depth.
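The default stances described above, and the firewall rule check that Figures 1.1 and 1.2 sketch, written out as a small rule engine. This is an added example and not the book's code: the two rule sets are constructed to match the figures (FTP, HTTP, SMTP, and P2P bound for the intranet), while the misconfigured rule set, the NEWPROTO placeholder protocol, and the audit helpers are assumptions added to show how a rule set's real stance is checked.

```python
"""Allow-by-default versus deny-by-default, modelled as ordered firewall rules.

Added example (not from the book). The rule sets are constructed to mirror
Figures 1.1 and 1.2: FTP, HTTP, SMTP and P2P traffic arriving at a firewall
in front of the intranet. Rules are matched first-match-wins, so a rule
set's real stance is whatever happens to a protocol that no rule names.
"""
from typing import Dict, List, Tuple

ALLOW, DENY, ANY = "allow", "deny", "*"

# A rule is (protocol name, or "*" for any protocol, action).
Rule = Tuple[str, str]

# The protocols shown in the figures, plus one constructed protocol that
# neither figure mentions, standing in for "a service nobody wrote a rule for".
PROTOCOLS = ["FTP", "HTTP", "SMTP", "P2P", "NEWPROTO"]


def decide(rules: List[Rule], protocol: str) -> str:
    """Evaluate one protocol against an ordered rule list; first match wins.

    The trailing catch-all ("*") rule is what encodes the default stance.
    A rule set with no catch-all is modelled here as ending in an implicit
    deny; real products differ on this, which is exactly why the catch-all
    should be written explicitly rather than left to the vendor default.
    """
    proto = protocol.upper()
    for name, action in rules:
        if name == ANY or name == proto:
            return action
    return DENY


def effective_stance(rules: List[Rule]) -> str:
    """Report the stance a rule set actually implements, not the one intended.

    This is the check an auditor performs by hand: push a protocol that no
    rule names through the list and see what comes out at the bottom.
    """
    probe = "PROTOCOL-NO-RULE-NAMES"
    return "allow-by-default" if decide(rules, probe) == ALLOW else "deny-by-default"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers them.

    A deny placed below a catch-all allow is the classic way an intended
    deny-by-default policy silently turns into allow-by-default.
    """
    shadowed, seen, catch_all_seen = [], set(), False
    for index, (name, _action) in enumerate(rules):
        if catch_all_seen or name in seen:
            shadowed.append(index)
        seen.add(name)
        catch_all_seen = catch_all_seen or name == ANY
    return shadowed


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    """Decision for every protocol in PROTOCOLS under one rule set."""
    return {proto: decide(rules, proto) for proto in PROTOCOLS}


# Figure 1.1: only P2P is named, and it is denied; everything else passes.
ALLOW_BY_DEFAULT: List[Rule] = [("P2P", DENY), (ANY, ALLOW)]

# Figure 1.2: only SMTP is named, and it is allowed; everything else is blocked.
DENY_BY_DEFAULT: List[Rule] = [("SMTP", ALLOW), (ANY, DENY)]

# Constructed misconfiguration: a broad "allow anything" rule was inserted
# above the P2P deny, so the deny is never reached and NEWPROTO sails through.
BROKEN_DENY: List[Rule] = [("SMTP", ALLOW), (ANY, ALLOW), ("P2P", DENY)]


if __name__ == "__main__":
    for label, rules in [("Figure 1.1", ALLOW_BY_DEFAULT),
                         ("Figure 1.2", DENY_BY_DEFAULT),
                         ("misconfigured", BROKEN_DENY)]:
        print(f"{label}: {effective_stance(rules)}")
        print("  decisions:", evaluate(rules))
        print("  shadowed rule indices:", shadowed_rules(rules))
```

Under the Figure 1.1 rules, NEWPROTO is admitted without anyone having decided it should be; under the Figure 1.2 rules, it is blocked until a rule is written for it, which is the administrative cost the text describes.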
Access Control—A General Process: There are many different approaches to implementing an access control scheme—almost as many as there are security professionals. However, there is a very general approach that is applicable to almost any situation and provides a useful framework for beginning on the access control journey. This three-step process is defined as

1. Defining resources
2. Determining users
3. Specifying the users' use of the resources

Step 1—Defining Resources: The first step to enable an effective access control strategy is to specifically define the resources that exist in the environment for users to access. Essentially, this step answers the fundamental security question, "What are you trying to protect?" While this may seem intuitive, this is not a step that should be overlooked, nor should its importance or potential complexity be underestimated. The definition of what exactly constitutes a "resource" to an organization may take considerable discussion, but once it is decided it will clarify and simplify the process of identifying those resources that are important enough for the organization to protect.

The proper definition of the available resources in your organization must also be coupled with a determination as to how each of those resources may be accessed. Do users need a specific organizational status to access a particular resource, or is it enough just to be a member of a specific project? Accessing information on a company's benefit plans may simply require a person to be an employee, whereas accessing quarterly financial projects may specifically require a person to be part of the finance organization. Addressing these issues during this step will also lay the foundation for effectively implementing role-based or domain-based access controls, which will be discussed later in this chapter.

It is also essential to bind a user, group, or entity to the resources each is accessing. Resources can include data, applications, services, servers, storage, processes, printers, or anything that represents an asset to the organization that can be utilized by a user. Every resource, no matter how mundane, is an asset that must be afforded protection from unwanted influences and unauthorized use. This includes obviously important resources like internally developed software, manufacturing systems, employee personnel files, or secret product formulas. However, it may also include often-overlooked resources like printers, fax machines, and even office supplies. The actual amount of protection to give each resource may be based on a cost–benefit analysis of the effort required to provide the protection or it may be based on a particular risk or threat model favored by the organization. Once the required resources are determined, then controls can be defined to specify the level of access.

Step 2—Determining Users: The next step in managing access control is defining who can access a given resource. The concept of identifying who are permitted
  37. 37. 10 ◾ Official (ISC)2 Guide to the CISSP CBKaccess and providing the credentials necessary for their role is fundamental to secu-rity and ancient in practice. In early tribal cultures, a right of passage consisted ofobtaining a specific garment, marking, or even a scar signifying you were approvedfor various activities within the tribe, which translated to access. As populationsgrew and became more sophisticated, new methods were developed to provideaccess to an approved community. Over 4000 years ago, the Egyptians developedthe first lock-and-key systems. Wooden locks were operated by a wooden key thatcontrolled pins to disengage a bolt and permit access to the protected object. Thekey would be provided only to those who had been identified as needing access.Although seemingly primitive by today’s standards (after all, how long would awooden lock protect a modern file cabinet?), the technology and social conventionsof the day allowed this to be quite an effective mechanism in ancient Egypt. Todaysecurity professionals continue the tradition of using the latest in available technol-ogy to protect valuable assets. A typical environment must manage employees, contractors, consultants, part-ners, clients, or even, on occasion, competitors that organizations need to identifyas requiring access of one kind or another. The act of specifying which users canhave access to a system is typically driven by an operational demand, such as pro-viding access to an accounting system so that users in the financial department canrecord and pay bills. Access control decisions are often based on organizational,social, or political considerations as well. One’s personal or functional status withinthe organization may dictate the type or scope of access to organizational assetsthat may be allotted. A company CEO is rarely denied access to any organizationalasset he may request, despite the fact that his explicit need to have that informationmay not be readily apparent. 
While this may not be the preferable method of determining access rights, a real-world information security manager should be prepared to deal with such situations.

The most significant aspect of determining which users will be provided access is a clear understanding of the needs of the user and the level of trust given to that person or entity. An identification process must exist that takes into consideration the validity of the access need in the light of business needs, organizational policy, legal requirements, information sensitivity, and security risk. It is important to understand that with each new user or community, the threat profile of an organization changes. For example, an organization may determine that one of its partners needs access to a given system. Upon providing that access, the potential threats to the organization now include that partner organization. Not only must the relationship be founded on trust, established by legal or other mechanisms between the two entities, but it must also now consider the increase in the number of users, thereby increasing the potential sources of threat.

The more sophisticated the access control system, the greater the number of options to support various access demands in a secure fashion. It is not uncommon for organizations to have several different access control strategies to accommodate various needs, resulting in the provisioning of multiple unique access solutions. However, this is not considered a security best practice, and the objective is to have a consistent access control strategy to avoid too much complexity. The more complexity that exists in any system, including access control systems, the more likely it is that unexpected interactions will cause security flaws to be exposed. Simplicity is the key to any effective security system. The overall goal, then, is to strike an effective balance between the need to manage the complex access needs of an organization and the need to keep the access control system as simple as possible to understand and manage.

Step 3—Specifying Use: The final step in the access control process is to specify the level of use for a given resource and the permitted user actions on that resource. Take, for example, the files and data resident on a typical computer. Most file systems provide multiple levels of permissions, such as read, write, and execute. Depending on the file system used to store data, there may be methods of permitting much more granular controls. These may include the ability to provide access to a specific user, but only permitting him or her to perform a certain task. For example, a user with the role of “data backup” will be allowed to perform administrative functions such as “copy to tape,” but not to erase or alter the information. (Access permissions will be covered in greater detail later in this chapter.) Additionally, a user may have the need to run an application, and therefore be provided execute privileges. However, he may not have write privileges, to ensure that he cannot modify the application.

The same philosophy can be applied to any resource, and access controls should be used to support an organization’s business functionality. For example, you may wish to restrict the users’ ability to access specific printers based on a particular organizational structure. This would, as an example, allow a department to restrict high-cost color printing to only the members of the graphics or marketing departments.
Not only would this properly restrict access to valuable and expensive resources, it might also aid the organization’s cost allocation efforts by ensuring that charges for those expensive resources are allocated only to those who must use them. As another example, an organization that needs to restrict printing and duplication of sensitive or classified documents may allow any user to send a print job to a particular printer, but require another level of approval from an authorized official to actually print the document in order to avoid policy violations.

Ultimately, once a user is identified and authenticated, an access control system must be sensitive to the level of authorization for that user to use the identified resources. Therefore, it is not enough to simply identify and authenticate a user in order to access resources. It is also necessary to control what actions are permitted for a specified resource based on the user’s role (unless, of course, “unlimited access” is the organizational policy).

Access Control Principles

Access Control Policy: The first element of an effective access control program is to establish an access control policy and associated standards and procedures. An access control policy specifies the guidelines for how users are identified and authenticated and the level of access granted to resources. The existence of an access control policy ensures that decisions governing the access to enterprise assets are based on a formalized organizational directive. The absence of a policy will result in inconsistencies in provisioning, management, and administration of access controls. The policy will provide the framework for the definition of necessary procedures, guidelines, standards, and best practices concerning the oversight of access management.

Separation of Duties: It is often possible to enable effective access controls by altering the way people perform their work functions. The primary objective of separation of duties is the prevention of fraud and errors. This objective is achieved by distributing the tasks and associated privileges for a specific process among multiple people. It acts as a deterrent to fraud or concealment because collusion with another individual is required to complete a fraudulent act, ensuring that no individual acting alone can compromise the security of a system or gain unauthorized access to data. Of course, just because separation of duties is established for a given process does not mean that fraud is impossible to carry out; it just means that it is more difficult. People are generally averse to including others in the planning of criminal acts, so forcing collusion to happen in order to carry out such an act reduces the overall risk of its occurrence.

The first action to employ separation of duties in a process or work function is defining the individual elements of that process. Processes are typically a collection of tasks that must be performed to achieve an objective. Examples of common processes include performing backups, copying files, or granting system access. Work functions can also encompass highly complex and potentially vital (or dangerous) business elements that should not be in the control of any one person.
A common example is the process of creating and approving requisitions for purchasing expensive items. The person who requests the expenditure should not also be allowed to approve the expenditure. This prevents a single person from creating and receiving fraudulent payments. A less common, though more dangerous, example from the military is the ability to launch nuclear missiles. One person may have the ability to arm the missile but not execute the launch sequence. Another person may have the ability to launch the missile but not arm its payload. Finally, neither person can do anything without receiving proper authorization from the President. In this case, all three people are needed in order to successfully launch an armed missile. This safeguard ensures that a single person with a political agenda (or just having a particularly bad day) will not be able to start a global nuclear war.

To determine the applicability of separation of duties, two distinct factors must be addressed: the sensitivity of the function under consideration and the elements within a process that lend themselves to distribution. Sensitivity of the function takes into consideration the criticality of the job performed and potential exposure to fraud, misuse, or negligence. It will be necessary to evaluate the importance of a given transaction and its relationship to enterprise security risk, operations, and, of course, C-I-A factors. It is important to be aware that seemingly mundane tasks may also sometimes require separation of duties practices. For example, a single user performing both backup and restore procedures would have the ability to manipulate or destroy the backup data to cover unauthorized activity, change information, or destroy valuable resources undetected.

There are other activities within an organization that are not only important when considering separation of duties, but their technical and procedural architecture also assists in establishing these controls as well. For example, in application development there are typically separate development, testing, and production environments. The integrity of libraries used for the development is critical, and it is important that live systems and proprietary information should not be used within the testing environment to mitigate the risk of exposing sensitive information. Therefore, the development environment needs to follow strict separation of duties throughout the process in order to ensure that code and data follow strict change management processes and access by personnel between these areas is restricted. This reduces the risk of changes being made to the code once it has been tested and ensures the integrity of the tested code and that the production code is maintained.

The second factor when determining the applicability of separation of duties is understanding what elements within a function are prone to abuse, which ones are easily segmented without significantly disrupting operations, and what skills are available to the pool of users performing the different elements of the function. These can be summarized as

◾ Element identification, importance, and criticality
◾ Operational considerations
◾ User skills and availability

Element identification, importance, and criticality: Each function will have one or more elements that must be performed to complete the transaction. Some elements within a function, known as milestone elements, may lend themselves to offer opportunities for fraud or abuse. Such cases would then require a different user with unique privileges to complete that element. To ensure that a process runs as efficiently as possible within a separation of duties environment, it may be possible to collect different elements into groups that together represent a milestone element. The key is to evaluate each element and the role it plays in performing the function. Once each element is assessed against the potential for abuse, they can begin to be distributed to various users.

In the event that a collection of elements within a function does not offer a clear point of segmentation, it may be necessary to incorporate a new milestone element as a validation and approval point within the function. For example, at a specific point in a process, a manager can send an e-mail, apply a digital signature, or add a validation mark to the data. That additional notification or mark must be present for the primary user to continue the remaining processes.
Operational considerations: One of the key attributes of a successful security program is integrating effectively within the business or operational goals of the organization. When considering separation of duties, the impact to the function and its role in the business are essential to overall success. When implemented poorly, or without taking overall business goals into account, security-related processes like separation of duties can hinder the process and make it prone to circumvention. The impact to the operations must be taken into account whenever establishing separation of duties practices for a function. The security manager must consider the impact to the efficient operation of the function as well as the meaningful alternative options in the event there is a system failure or outage. It is important not to sacrifice security, but rather to have alternate compensating controls that can meet the objectives for security.

In addition, the cost of implementing separation of duties within a business process must be weighed against the overall risk that process represents to the organization and whether the benefits of separation outweigh the time and effort costs to the organization. In the separation of duties example of arming and launching nuclear missiles, it can be nearly universally agreed that the cost of implementing separation in such a circumstance is greatly outweighed by the risk and potential harm that could come from a non-separated nuclear environment. Conversely, most would agree that implementing separation of duties in a cafeteria’s tuna sandwich-making process would not make a great deal of sense. While it is true that a malevolent sandwich maker could intentionally inflict illness or even death upon unsuspecting patrons, the actual incidence of such an occurrence is relatively low and the addition of the extra personnel required for such a low-risk situation would be very costly to the organization.

User skills and availability: Clearly, separation of duties requires multiple participants, and each of those participants must have the appropriate skills and training to perform the specific element of a given function. Additionally, there must be enough personnel to perform all the elements that have been distributed. In organizations that have small staffs, pure separation of duties may not be feasible. For example, a common separation practice is to ensure that those who develop software programs should not have access to the production environments where those programs are run. Those who run and maintain the production environment should be a separate and distinct group from the development team. This separation prevents a rogue developer from introducing malicious code directly into a production system. Unfortunately, many small development shops and start-up companies cannot afford the extra personnel that such a separation environment requires. Staffing those extra positions may just mean the difference between a successful business and bankruptcy. Given the trade-off between the benefits of separation (protection against malicious code) and the cost of separation (double the salary expense), a reasonable business owner might opt against separation, preferring instead to instill other mitigating controls to reduce the risk, such as a strong change management process and code reviews.
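The requisition process described above, with the role check per element, the milestone ordering (no payment before approval) and the rule that one person never performs two conflicting elements, as an added illustration that is not code from the guide; the role names, element names and conflict pairs are constructed for the example:

```python
"""Separation-of-duties checks for a purchase-requisition process.

Added example, not code from the (ISC)2 guide. The roles, process elements
and conflicting pairs below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Each element of the process and the single role permitted to perform it.
ELEMENT_ROLES = {"request": "requester", "approve": "approver", "pay": "payer"}

# Milestone ordering: an element may run only once its prerequisites are
# recorded, so the approval mark must exist before payment can proceed.
PREREQUISITES = {"approve": ("request",), "pay": ("request", "approve")}

# Element pairs one person must never perform on the same requisition
# (checked at run time) and role pairs one person must never hold at all
# (checked on the role assignments themselves).
CONFLICTING_ELEMENTS = {frozenset(p) for p in
                        [("request", "approve"), ("approve", "pay"), ("request", "pay")]}
CONFLICTING_ROLES = {frozenset(p) for p in
                     [("requester", "approver"), ("approver", "payer"), ("requester", "payer")]}


class SoDViolation(Exception):
    """Raised when an action would let one person control a whole transaction."""


@dataclass
class Requisition:
    rid: int
    amount: float
    history: list = field(default_factory=list)  # (element, user), in order performed


def static_conflicts(roles):
    """Users whose role assignment alone already defeats separation of duties."""
    return sorted(user for user, held in roles.items()
                  if any(pair <= held for pair in CONFLICTING_ROLES))


def check(req, element, user, roles):
    """Return None if `user` may perform `element` on `req`, else the denial reason."""
    if element not in ELEMENT_ROLES:
        return f"unknown element {element!r}"
    if ELEMENT_ROLES[element] not in roles.get(user, set()):
        return f"{user} does not hold the {ELEMENT_ROLES[element]} role"
    done = [e for e, _ in req.history]
    if element in done:
        return f"{element} already performed on requisition {req.rid}"
    missing = [p for p in PREREQUISITES.get(element, ()) if p not in done]
    if missing:
        return f"{element} requires {', '.join(missing)} first"
    for prior_element, prior_user in req.history:
        if prior_user == user and frozenset((prior_element, element)) in CONFLICTING_ELEMENTS:
            return f"{user} already performed {prior_element}; cannot also {element}"
    return None


def perform(req, element, user, roles):
    """Record the step on the requisition, or refuse it with the policy's reason."""
    reason = check(req, element, user, roles)
    if reason is not None:
        raise SoDViolation(reason)
    req.history.append((element, user))
    return req


if __name__ == "__main__":
    # Constructed staff list; dave holds a toxic combination the static check flags.
    roles = {"alice": {"requester"}, "bob": {"approver"},
             "carol": {"payer"}, "dave": {"requester", "approver"}}
    print("static SoD conflicts:", static_conflicts(roles))  # ['dave']
    req = Requisition(rid=1, amount=4800.0)
    perform(req, "request", "alice", roles)
    print(check(req, "approve", "alice", roles))  # requester cannot approve
    print(check(req, "pay", "carol", roles))      # payment blocked until approved
    perform(req, "approve", "bob", roles)
    perform(req, "pay", "carol", roles)
    print(req.history)
```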
Least Privilege: The principle of least privilege is one of the most fundamental characteristics of access control for meeting security objectives. Least privilege requires that a user or process be given no more access privilege than necessary to perform a job, task, or function. The objective is to limit users and processes to access only resources and tools necessary to perform assigned functions. This often requires limits not only on what resources can be accessed, but also includes limiting the actions that can be performed by the user even if they have authorized access to the resource. For example, a user may be restricted to only read-only, update, and execute permission on a system without the ability to create or delete files and databases. Ensuring least privilege requires identifying what the user’s job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. Denying users access privileges that are not necessary for the performance of their duties ensures that those privileges cannot be used to circumvent the organization’s security policy.

Need to Know: A companion concept to least privilege is the notion of need to know. If the goal of least privilege is to reduce access to a bare minimum, need to know defines that minimum as a need for that access based on job or business requirements. For example, although the CIO in an organization has the appropriate rank in the organization to view upcoming quarterly financial forecasts, the organization’s comptroller may decide that the CIO does not have a need to know that information and, thus, restrict access to it.
Need to know is also used heavily in situations where operational secrecy is a key concern, such as in military operations. Military leaders often keep operational plans on a need to know basis to reduce the number of people who know about the plans and reduce the risk that someone will leak that information to the enemy.

Compartmentalization: Finally, compartmentalization completes the least privilege picture. Compartmentalization is the process of separating groups of people and information such that each group is isolated from the others and information does not flow between groups. For example, an organization might compartmentalize (both logically and physically) a team working on mergers and acquisitions so that the information that team is working on will not leak to the general employee population and lead to a potential insider trading problem. Compartmentalization is helpful in situations where information needs to stay contained within a single group or area and strong protections need to be taken to keep that information from leaking outside the area.

Security Domain: A security domain is an area where common processes and security controls work to separate all entities involved in these processes from other entities or security domains. For example, all systems and users managing financial information might be separated into their own security domain, and all systems involved in e-commerce activity might get their own security domain. A security domain is based on trust between resources or services in areas or systems that share a single security policy and a single management structure. The trust is the unique context in which a program is operating. There may be multiple security domains within an organization and an entity may, at times, belong to more than one security domain based on its responsibilities and functions at any given time. The separation between domains can be either physically or logically managed. Security domains support a hierarchical relationship where subjects can access objects in equal or lower domains; therefore, domains with higher privileges are protected from domains with lesser privileges.

Figure 1.5 (figure not reproduced; it shows a high security network with a high clearance user, a medium security network with a medium clearance user, and a low security network with a low clearance user) Three distinct and separate security domains exist on the server. Only those individuals or subjects authorized can have access to the information on a particular domain.

In Figure 1.5, three distinct and separate security domains exist on the server, and only those individuals or subjects authorized can have access to the information on a particular domain.

A subject’s domain, which contains all of the objects that the subject can access, is kept isolated. Shared objects may have more than one access by subjects, and this allows this concept to work. For example, if a hundred subjects have access to the same object, that object has to appear in a hundred different domains to allow this isolation.

Information Classification

Many organizations have thousands, or even millions, of data files containing valuable information on all aspects of the organization’s business. Information is created in great volumes on a daily basis from a variety of transactional systems, as well as aggregated into databases and data warehouses to provide decision-making support. The information is stored on backup tapes, copied to portable USB drives, and burned to CDs and DVDs for portability. Information is stored on portable computers and network drives, and in e-mail systems to support the sharing of information. The same information is printed and filed, and stored off site for business continuity and disaster recovery purposes. A file will typically have multiple versions, will be stored in multiple locations, and is capable of being accessed by different individuals in each of these locations. Fundamental security questions are raised in this type of environment. Where is the organization’s information? How should the information be handled and protected? Who should have access to it? Who owns the information? Who makes the decisions around these parameters? These questions form the impetus for implementing an information classification strategy.

Information classification is the practice of evaluating the risk level of the organization’s information to ensure that the information receives the appropriate level of protection. The application of security controls to information has a cost of time, people, hardware, software, and ongoing maintenance resources that must be considered. Applying the same level of control to all of the company’s assets wastes resources and money by overprotecting some information and underprotecting other information. In an effort to simplify security budget management, security dollars are often spent uniformly to protect all assets at the same level. Not all assets have the same value or need the same level of protection.
The budget could be better allocated, and the security of the organization better managed, by providing only basic protection to assets of little value and providing increased protection to those assets considered to be of greater value or higher sensitivity. By applying protection controls to the information based upon the classification, the organization gains efficiencies and thus reduces the overall cost of information security. The primary objective of information classification, therefore, is to group an organization’s information assets by levels of sensitivity and criticality. Once this is done, the organization then applies the appropriate level of protection controls to each asset in accordance with the classification assigned to it.

Information Classification Benefits: There are many benefits in classifying information within an organization. First, classification helps to establish ownership of the information, which provides a central point of control for all aspects of security and access to the information. This increases the likelihood that the information will be used in the proper context and those accessing the information will be properly authorized. Information classification also increases the confidentiality, integrity, and availability of information by focusing an organization’s limited security funds on the resources requiring the highest level of protection and providing lesser controls for the information with less risk of loss. By understanding the information and its location, the organization can identify areas that may need higher levels of protection.

Information classification can also have a positive effect on the knowledge and awareness of security within an organization. A classification program allows for greater understanding of the value of the information to be protected, and provides