Security Program and Policies: Principles and Practices
by Sari Stern Greene
Chapter 9: Access Control Management
Copyright 2014 Pearson Education, Inc. 2
Objectives
■ Explain access control fundamentals
■ Apply the concepts of default deny, need-to-know, and least privilege
■ Understand secure authentication
■ Protect systems from risks associated with Internet connectivity, remote access, and telework environments
■ Manage and monitor user and administrator access
■ Develop policies to support access control management
Access Control Fundamentals
■ Access controls
❑ Security features that govern how users and processes communicate and interact with systems and resources
❑ Primary objective is to protect information and systems from unauthorized access, modification, or disruption
■ Three common attributes of access controls
❑ Identification scheme
❑ Authentication method
❑ Authorization method
What Is a Security Posture?
❑ It is the organization’s approach to access control
❑ Two fundamental security postures:
■ Secure, which implements the “default deny” model
■ Open, which implements the “default allow” model
❑ Every access control decision for a company is based on that company’s security posture
What Is a Security Posture? Cont.
■ Default allow versus default deny
❑ Default allow: By default, out-of-the-box, no security is deployed; everyone can do everything
■ Easier to deploy, works out-of-the-box
■ No security
❑ Default deny
■ Aka “deny all”
■ Access is unavailable by default until the appropriate control is altered to allow access
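The difference between the two postures is entirely in what happens to a request that no explicit rule covers. The following is an added example, not code from the slides or from any firewall product: a small packet-filter rule list whose fall-through decision is chosen by the posture. The rules, ports and the `unlisted_services_exposed` check are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed example (not from the slides or any real product): a tiny
# packet-filter rule list evaluated under the "secure" and "open" postures.


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp", or "*" for any protocol
    dst_port: Optional[int]   # None matches any destination port

    def matches(self, proto: str, dst_port: int) -> bool:
        proto_ok = self.proto in ("*", proto)
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return proto_ok and port_ok


# Explicit rules an administrator has written: web traffic is allowed and
# Telnet is explicitly denied. Nothing is said about any other service.
RULES: List[Rule] = [
    Rule("allow", "tcp", 443),
    Rule("allow", "tcp", 80),
    Rule("deny", "tcp", 23),
]


def decide(rules: List[Rule], proto: str, dst_port: int, posture: str) -> str:
    """First matching rule wins. When no rule matches, the posture decides:
    'secure' (default deny) refuses the traffic, 'open' (default allow) lets it through."""
    for rule in rules:
        if rule.matches(proto, dst_port):
            return rule.action
    if posture == "secure":
        return "deny"
    if posture == "open":
        return "allow"
    raise ValueError(f"unknown posture: {posture}")


def unlisted_services_exposed(rules: List[Rule], posture: str, probe_ports: List[int]) -> List[int]:
    """Ports from probe_ports that would be reachable although nobody wrote a
    rule for them. Under default deny this list is always empty."""
    return [p for p in probe_ports
            if not any(r.matches("tcp", p) for r in rules)
            and decide(rules, "tcp", p, posture) == "allow"]


if __name__ == "__main__":
    for posture in ("secure", "open"):
        print(posture, "| port 3389 ->", decide(RULES, "tcp", 3389, posture),
              "| reachable without a rule:", unlisted_services_exposed(RULES, posture, [22, 3389, 5900]))
```

Running it shows why the slides call the open posture "no security": every service nobody thought about is reachable, whereas under default deny the administrator must consciously add a rule before anything new is exposed.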
What Is a Security Posture? Cont.
■ Principle of Least Privilege
❑ Definition: The least amount of permissions granted to users that still allows them to perform whatever business tasks they have been assigned, and no more.
❑ This is a strong foundation for any access control policy.
❑ Protects the data but also protects users. They can’t be accused of having deleted a file to which they can’t gain access!
❑ From a cultural standpoint, it is important to explain to employees why they are not “trusted” with all the company’s data.
What Is a Security Posture? Cont.
■ Need-to-know
❑ Definition: Having a demonstrated and authorized reason for being granted access to information
❑ Should be made a part of the company’s culture
❑ Should be incorporated in the security training curriculum
❑ At the least protects the confidentiality of corporate data, but may also protect integrity and availability depending on the attack type
How Is Identity Verified?
■ First step to granting access is user identification
❑ Authentication: Subject must supply verifiable credentials, often referred to as factors
■ Single-factor authentication
■ Multifactor authentication
■ Multilayer authentication
How Is Identity Verified? Cont.
■ Three categories of factors
❑ Knowledge: Something you know
■ Password
■ PIN
■ Answer to a question
❑ Possession: Something you have
■ One-time passcodes
■ Memory cards
■ Smart cards
■ Out-of-band communication
❑ Inherence: Something you are
■ Biometric identification
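As an added example (not code from the slides), here is a multifactor login that combines a knowledge factor, a salted PBKDF2 password hash, with a possession factor, a one-time passcode computed as in RFC 6238 (TOTP over RFC 4226 HOTP). The user record, the password and the `DEMO_USER` account are constructed; the TOTP secret is the published RFC 6238 test secret, chosen only so that the expected code at a known time is verifiable.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed example (not from the slides): both factors must succeed.
# The TOTP secret is the RFC 6238 reference test secret; it is used here only
# so the expected code at a known time is public. Never reuse a published
# secret for a real account.

PBKDF2_ITERATIONS = 200_000
RFC6238_TEST_SECRET = b"12345678901234567890"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(username: str, password: str, totp_secret: bytes) -> dict:
    """Enrolment: per-user random salt, the password hash, and the shared TOTP secret."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, unix_time // step)


def verify_knowledge(user: dict, password: str) -> bool:
    """Something you know: constant-time comparison of the recomputed hash."""
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_possession(user: dict, code: str, unix_time: int, step: int = 30, drift: int = 1) -> bool:
    """Something you have: accept the current step and `drift` steps either side
    to tolerate clock skew between the server and the user's token."""
    if not (code.isascii() and code.isdigit()):
        return False
    counter = unix_time // step
    ok = False
    for c in range(counter - drift, counter + drift + 1):
        # no early return, so timing does not reveal which step (if any) matched
        ok |= hmac.compare_digest(hotp(user["totp_secret"], c), code)
    return ok


def authenticate(user: dict, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Multifactor login: knowledge AND possession. Both checks always run so a
    failure does not reveal which factor was wrong."""
    if unix_time is None:
        unix_time = int(time.time())
    pw_ok = verify_knowledge(user, password)
    otp_ok = verify_possession(user, code, unix_time)
    return pw_ok and otp_ok


# Constructed demo account.
DEMO_USER = make_user("alice", "correct horse battery staple", RFC6238_TEST_SECRET)

if __name__ == "__main__":
    now = int(time.time())
    code_now = totp(RFC6238_TEST_SECRET, now)
    print("code right now:", code_now)
    print("login:", authenticate(DEMO_USER, "correct horse battery staple", code_now, now))
```

At Unix time 59 the RFC 6238 test vectors give the code 287082 for this secret, which is what the block produces; a wrong password with a correct code, or the right password with a stale code, both fail, which is the point of requiring two independent factors.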
What Is Authorization?
■ The process of assigning authenticated subjects permission to carry out a specific operation
■ Three primary authorization models
❑ Object capability
■ Used programmatically and based on a combination of an unforgeable reference and an operational message
❑ Security labels
■ Mandatory access controls embedded in object and subject properties
❑ Access Control Lists
■ Used to determine access based on some criteria
What Is Authorization? Cont.
■ Categories of access control lists
❑ MAC (Mandatory Access Control): Data is classified, and employees are granted access according to the sensitivity of information
❑ DAC (Discretionary Access Control): Data owners decide who should have access to what information
❑ RBAC (Role-based Access Control): Access is based on positions (roles) within an organization
❑ Rule-based access control: Access is based on criteria that are independent of the user or group account
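The four categories differ in who or what supplies the "yes": a label, an owner, a role, or a rule. The following added example (not code from the slides) is a small policy decision point that evaluates one request under each category and, in keeping with the default-deny posture, grants access only when every model agrees. The clearance levels, roles, people and the document are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed example (not from the slides): one policy decision point that
# applies MAC, DAC, RBAC and a rule-based check, with default deny overall.

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


@dataclass
class Subject:
    name: str
    clearance: str                                  # MAC: level the person is cleared for
    roles: Set[str] = field(default_factory=set)    # RBAC: positions held


@dataclass
class Document:
    name: str
    classification: str                             # MAC: sensitivity label on the object
    owner: str                                      # DAC: the owner controls the ACL below
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # user -> permitted operations


def mac_allows(s: Subject, d: Document, op: str) -> bool:
    """MAC: clearance must be at least the object's classification (no read-up).
    The write-down restriction of Bell-LaPadula is left out for brevity."""
    return LEVELS[s.clearance] >= LEVELS[d.classification]


def dac_allows(s: Subject, d: Document, op: str) -> bool:
    """DAC: the owner always has access and decides who else gets what."""
    return s.name == d.owner or op in d.acl.get(s.name, set())


def rbac_allows(s: Subject, d: Document, op: str) -> bool:
    """RBAC: the operation must be permitted by at least one of the subject's roles."""
    return any(op in ROLE_PERMISSIONS.get(r, set()) for r in s.roles)


def rule_allows(s: Subject, d: Document, op: str, hour: int) -> bool:
    """Rule-based: a criterion independent of who is asking; here, changes are
    only permitted during business hours (08:00 to 17:59)."""
    return op == "read" or 8 <= hour < 18


def evaluate(s: Subject, d: Document, op: str, hour: int) -> Dict[str, bool]:
    """Per-model verdicts, useful for explaining a denial in an audit log."""
    return {
        "MAC": mac_allows(s, d, op),
        "DAC": dac_allows(s, d, op),
        "RBAC": rbac_allows(s, d, op),
        "rule": rule_allows(s, d, op, hour),
    }


def authorize(s: Subject, d: Document, op: str, hour: int) -> bool:
    """Default deny: access is granted only if every enabled model agrees."""
    return all(evaluate(s, d, op, hour).values())


# Constructed subjects and object.
ALICE = Subject("alice", "confidential", {"analyst"})
BOB = Subject("bob", "secret", {"editor"})
CAROL = Subject("carol", "internal", {"admin"})
PLAN = Document("q3-plan.docx", "confidential", owner="bob", acl={"alice": {"read"}})

if __name__ == "__main__":
    for who, op, hour in ((ALICE, "read", 10), (ALICE, "write", 10), (BOB, "write", 20), (CAROL, "read", 10)):
        print(f"{who.name} {op} at {hour:02d}:00 ->", authorize(who, PLAN, op, hour), evaluate(who, PLAN, op, hour))
```

The `evaluate` output is what an auditor wants to see next to a denial: Carol holds the admin role yet cannot read the plan because her clearance is too low, and Bob, the owner, cannot write it at 20:00 because a rule that ignores identity says so.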
Infrastructure Access Controls
■ Include physical and logical network design, border devices, communication mechanisms, and host security settings
■ Network segmentation
❑ The process of logically grouping network assets, resources, and applications
❑ Types of network segmentation
■ Enclave network
■ Trusted network
■ Semi-trusted network, perimeter network, or DMZ
■ Guest network
■ Untrusted network
What Is Layered Border Security?
■ Different types of security measures designed to work in tandem with a single focus
❑ Firewall devices
❑ Intrusion detection systems (IDSs)
❑ Intrusion prevention systems (IPSs)
❑ Content filtering and whitelisting/blacklisting
❑ Border device administration and management
Remote Access Security
■ Remote Access
❑ Users who have a demonstrated business need to access the corporate network remotely and are authorized to do so must be given that privilege
❑ Not all employees should be given this privilege by default
❑ Remote access activities should be monitored and audited
❑ The organization’s business continuity plan must account for the telecommuting environment
■ Remote access technologies
❑ Virtual Private Networks (VPNs)
■ Secure tunnel for transmitting data over an unsecure network, such as the Internet
❑ Remote access portals
■ Offer access to one or more applications through a single centralized interface
User Access Controls
■ Used to ensure authorized users can access information and resources while unauthorized users cannot
■ Users should have access only to the information they need to do their job and no more
■ Administrative account controls
❑ Segregation of duties
❑ Dual control
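Segregation of duties and dual control are easy to state and easy to get subtly wrong in code, so here is an added example (not from the slides) of an approval gate for a privileged administrative action. It refuses a requester's approval of their own request, counts the same approver only once, and runs the action only once two distinct people have approved. The action name and the people are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed example (not from the slides): an approval gate that enforces
# segregation of duties and dual control for one privileged action.


@dataclass
class PrivilegedRequest:
    action: str
    requester: str
    approvals: Set[str] = field(default_factory=set)   # distinct approvers only


def approve(req: PrivilegedRequest, approver: str) -> bool:
    """Segregation of duties: the person who raised the request may not approve it.
    Returns True if the approval was recorded."""
    if approver == req.requester:
        return False
    req.approvals.add(approver)   # a set, so approving twice does not count twice
    return True


def can_execute(req: PrivilegedRequest, required: int = 2) -> bool:
    """Dual control: the action needs `required` distinct approvers."""
    return len(req.approvals) >= required


def execute(req: PrivilegedRequest, required: int = 2) -> Optional[str]:
    """Run the action only when dual control is satisfied; otherwise do nothing
    and return None so the caller can log the refusal."""
    if not can_execute(req, required):
        return None
    return f"executed {req.action} for {req.requester}, approved by {sorted(req.approvals)}"


def run_scenario() -> List[str]:
    """Walk a constructed request through the gate and record each outcome."""
    req = PrivilegedRequest("rotate-backup-encryption-key", "alice")
    log = []
    log.append(f"alice self-approves: {approve(req, 'alice')}")      # refused
    log.append(f"bob approves: {approve(req, 'bob')}")               # recorded
    log.append(f"bob approves again: {approve(req, 'bob')}")         # recorded but not double-counted
    log.append(f"execute with one approver: {execute(req)}")         # None
    log.append(f"carol approves: {approve(req, 'carol')}")           # recorded
    log.append(f"execute with two approvers: {execute(req)}")
    return log


if __name__ == "__main__":
    print("\n".join(run_scenario()))
```

The check that matters most is the last `execute` call: a naive counter of approval events would have let Bob's second click satisfy dual control on his own.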
What Types of Access Should Be Monitored?
■ Three main monitoring areas:
❑ Successful access
❑ Failed access
❑ Privileged operations
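The three areas map naturally onto a log review routine. The following added example (not code from the slides or from any logging product) parses constructed, syslog-like sample lines, files each event under successful access, failed access or privileged operations, and raises two alerts a reviewer would want: repeated failures against one account, and a success that follows them. The log format, hosts, users and addresses are all made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines in a made-up, syslog-like key=value format.
# They are not from any real product; hosts, users and addresses are invented.
SAMPLE_LOG = """\
2024-03-01T08:01:12 host1 auth: LOGIN_FAILED user=jdoe src=10.0.0.7
2024-03-01T08:01:20 host1 auth: LOGIN_FAILED user=jdoe src=10.0.0.7
2024-03-01T08:01:31 host1 auth: LOGIN_FAILED user=jdoe src=10.0.0.7
2024-03-01T08:01:40 host1 auth: LOGIN_FAILED user=jdoe src=10.0.0.7
2024-03-01T08:01:55 host1 auth: LOGIN_OK user=jdoe src=10.0.0.7
2024-03-01T08:05:03 host1 auth: LOGIN_OK user=asmith src=10.0.0.12
2024-03-01T08:07:44 host1 sudo: PRIVILEGED user=asmith cmd=/usr/sbin/useradd
2024-03-01T09:15:00 host2 auth: LOGIN_FAILED user=root src=203.0.113.5
2024-03-01T09:15:02 host2 auth: LOGIN_FAILED user=root src=203.0.113.5
this line is malformed and must be skipped, not crash the review
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<event>[A-Z_]+) (?P<kv>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a flat dict of fields, or None for a line that does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for pair in rec.pop("kv").split():
        if "=" in pair:
            key, value = pair.split("=", 1)
            rec[key] = value
    return rec


def review(log_text: str, fail_threshold: int = 3) -> Dict[str, List[Tuple[str, ...]]]:
    """Sort events into the three monitoring areas and raise alerts for
    repeated failures on one account and for a success that follows them."""
    out: Dict[str, List[Tuple[str, ...]]] = {
        "successful_access": [], "failed_access": [], "privileged_operations": [], "alerts": []}
    failures = defaultdict(int)   # consecutive failures per account
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue   # malformed input is skipped, never allowed to stop the review
        event, user, src = rec["event"], rec.get("user", "?"), rec.get("src", "?")
        if event == "LOGIN_FAILED":
            out["failed_access"].append((rec["ts"], user, src))
            failures[user] += 1
            if failures[user] == fail_threshold:
                out["alerts"].append(("repeated_failures", user, src))
        elif event == "LOGIN_OK":
            out["successful_access"].append((rec["ts"], user, src))
            if failures[user] >= fail_threshold:
                out["alerts"].append(("success_after_failures", user, src))
            failures[user] = 0
        elif event == "PRIVILEGED":
            # privileged operations are always recorded for review, whoever ran them
            out["privileged_operations"].append((rec["ts"], user, rec.get("cmd", "?")))
    return out


if __name__ == "__main__":
    for area, items in review(SAMPLE_LOG).items():
        print(area)
        for item in items:
            print("   ", item)
```

Two failures against root stay below the threshold and produce no alert, which is deliberate: the threshold is a tuning knob, and the summary keeps the raw failed-access entries so a reviewer can still see them. The slides' last point applies here too: the output is only useful if someone reads it.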
Is Monitoring Legal?
❑ Employees should have no expectation of privacy while on company time or when using company resources
❑ Courts have favored an employer’s right to protect their interests over individual privacy rights because:
■ Actions were taken at the employer’s place of work
■ Equipment used – including bandwidth – was company-provided
■ Monitoring the work also helps ensure the quality of work
■ The employer has the right to protect property from theft and/or fraud
Is Monitoring Legal? Cont.
❑ Courts indicate that monitoring is acceptable if it is reasonable:
■ Justifiable if serving a business purpose
■ Policies are set forth to define what privacy employees should expect while on company premises
■ Employees are made aware of what monitoring means are deployed
❑ Acceptable use agreement should include a clause informing users that the company will and does monitor system activity
❑ Users must agree to company policies when logging on
Summary
■ Access control is a complex domain. Access to information is extremely important to regulate.
■ User access and user actions on the network must be monitored and logged, whether users are located on premises or gaining access to the network remotely.
■ Monitoring is useless if the information gathered is not reviewed regularly.

 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXXPhrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
Phrasal Verbs.XXXXXXXXXXXXXXXXXXXXXXXXXX
 
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star   -  Saka Neela TaraOperation Blue Star   -  Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
 
Cambridge International AS A Level Biology Coursebook - EBook (MaryFosbery J...
Cambridge International AS  A Level Biology Coursebook - EBook (MaryFosbery J...Cambridge International AS  A Level Biology Coursebook - EBook (MaryFosbery J...
Cambridge International AS A Level Biology Coursebook - EBook (MaryFosbery J...
 
Polish students' mobility in the Czech Republic
Polish students' mobility in the Czech RepublicPolish students' mobility in the Czech Republic
Polish students' mobility in the Czech Republic
 
Fish and Chips - have they had their chips
Fish and Chips - have they had their chipsFish and Chips - have they had their chips
Fish and Chips - have they had their chips
 
special B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdfspecial B.ed 2nd year old paper_20240531.pdf
special B.ed 2nd year old paper_20240531.pdf
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer Service
 
The geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideasThe geography of Taylor Swift - some ideas
The geography of Taylor Swift - some ideas
 
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptxMARUTI SUZUKI- A Successful Joint Venture in India.pptx
MARUTI SUZUKI- A Successful Joint Venture in India.pptx
 
ESC Beyond Borders _From EU to You_ InfoPack general.pdf
ESC Beyond Borders _From EU to You_ InfoPack general.pdfESC Beyond Borders _From EU to You_ InfoPack general.pdf
ESC Beyond Borders _From EU to You_ InfoPack general.pdf
 
How to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS ModuleHow to Split Bills in the Odoo 17 POS Module
How to Split Bills in the Odoo 17 POS Module
 

Chapter 9: Access Control Management

1. Security Program and Policies: Principles and Practices, by Sari Stern Greene
Chapter 9: Access Control Management
2. Objectives
■ Explain access control fundamentals
■ Apply the concepts of default deny, need-to-know, and least privilege
■ Understand secure authentication
■ Protect systems from risks associated with Internet connectivity, remote access, and telework environments
■ Manage and monitor user and administrator access
■ Develop policies to support access control management
Copyright 2014 Pearson Education, Inc.
3. Access Control Fundamentals
■ Access controls
  ❑ Security features that govern how users and processes communicate and interact with systems and resources
  ❑ Primary objective is to protect information and systems from unauthorized access, modification, or disruption
■ Three common attributes of access controls
  ❑ Identification scheme
  ❑ Authentication method
  ❑ Authorization method
4. What Is a Security Posture?
❑ It is the organization’s approach to access control
❑ Two fundamental security postures:
  ■ Secure, which implements the “default deny” model
  ■ Open, which implements the “default allow” model
❑ Every access control decision for a company is based on that company’s security posture
5. What Is a Security Posture? (cont.)
■ Default allow versus default deny
  ❑ Default allow: By default, out of the box, no security is deployed and everyone can do everything
    ■ Easier to deploy, works out of the box
    ■ No security
  ❑ Default deny
    ■ Aka “deny all”
    ■ Access is unavailable by default until the appropriate control is altered to allow access
6. What Is a Security Posture? (cont.)
■ Principle of Least Privilege
  ❑ Definition: The least amount of permissions granted to users that still allows them to perform whatever business tasks they have been assigned, and no more.
  ❑ This is a strong foundation for any access control policy.
  ❑ Protects the data but also protects users: they can’t be accused of having deleted a file to which they can’t gain access.
  ❑ From a cultural standpoint, it is important to explain to employees why they are not “trusted” with all the company’s data.
7. What Is a Security Posture? (cont.)
■ Need-to-know
  ❑ Definition: Having a demonstrated and authorized reason for being granted access to information
  ❑ Should be made a part of the company’s culture
  ❑ Should be incorporated in the security training curriculum
  ❑ At the least protects the confidentiality of corporate data, but may also protect integrity and availability depending on the attack type
8. How Is Identity Verified?
■ The first step to granting access is user identification
  ❑ Authentication: The subject must supply verifiable credentials, often referred to as factors
    ■ Single-factor authentication
    ■ Multifactor authentication
    ■ Multilayer authentication
9. How Is Identity Verified? (cont.)
■ Three categories of factors
  ❑ Knowledge: Something you know
    ■ Password
    ■ PIN
    ■ Answer to a question
  ❑ Possession: Something you have
    ■ One-time passcodes
    ■ Memory cards
    ■ Smart cards
    ■ Out-of-band communication
  ❑ Inherence: Something you are
    ■ Biometric identification
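Slides 8 and 9 describe multifactor authentication as combining factors from different categories. The following added example (not code from the slides or the textbook) shows what that means in practice: a knowledge factor (a password, stored as a salted PBKDF2 hash) is combined with a possession factor (a time-based one-time passcode, the RFC 6238 TOTP scheme used by authenticator apps and hardware tokens). Both factors are always evaluated and both must pass; the user record, salt and shared secret below are constructed test data.

```python
"""Two-factor verification: knowledge factor (password) plus possession factor
(RFC 6238 time-based one-time passcode).

Added example for this chapter; the user record, salt and TOTP secret are
constructed test data, not values from the slides or any real system."""
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 100_000
TOTP_STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS, digits: int = 6) -> str:
    """Time-based one-time password: HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked record does not reveal the knowledge factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def enroll(password: str, salt: bytes, totp_secret: bytes) -> dict:
    """Constructed user record: salted password hash plus the shared TOTP secret."""
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def verify_two_factor(record: dict, password: str, code: str, now: int, window: int = 1) -> bool:
    """Both factors must pass. The password hash is compared in constant time; the
    passcode is accepted for the current step and `window` steps either side to
    tolerate clock skew. Both checks run regardless of the other's result, so the
    response time does not reveal which factor failed."""
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    step = now // TOTP_STEP_SECONDS
    code_ok = any(
        hmac.compare_digest(hotp(record["totp_secret"], step + delta), code)
        for delta in range(-window, window + 1)
    )
    return pw_ok and code_ok


if __name__ == "__main__":
    # RFC 6238 test vector: ASCII secret, time 59 s, 8 digits, SHA-1 -> 94287082
    print(totp(b"12345678901234567890", 59, digits=8))
    rec = enroll("correct horse battery", b"constructed-salt", b"constructed-totp-secret")
    now = 1_700_000_000
    print(verify_two_factor(rec, "correct horse battery", totp(rec["totp_secret"], now), now))
```

The HOTP and TOTP functions reproduce the published RFC test vectors, so the possession factor can be checked against a standard authenticator; a one-step window is a common compromise between usability and replay exposure, and a wider one should be a deliberate policy decision.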
10. What Is Authorization?
■ The process of assigning authenticated subjects permission to carry out a specific operation
■ Three primary authorization models
  ❑ Object capability
    ■ Used programmatically and based on a combination of an unforgeable reference and an operational message
  ❑ Security labels
    ■ Mandatory access controls embedded in object and subject properties
  ❑ Access control lists
    ■ Used to determine access based on some criteria
11. What Is Authorization? (cont.)
■ Categories of access control lists
  ❑ MAC (Mandatory Access Control): Data is classified, and employees are granted access according to the sensitivity of the information
  ❑ DAC (Discretionary Access Control): Data owners decide who should have access to what information
  ❑ RBAC (Role-Based Access Control): Access is based on positions (roles) within an organization
  ❑ Rule-based access control: Access is based on criteria that are independent of the user or group account
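Slides 4 to 7 define the security posture and least privilege, and slides 10 and 11 list the authorization models; the added example below (not code from the slides or the textbook) puts them in one decision engine so the interaction is visible. MAC compares a subject's clearance with the object's sensitivity label, DAC consults grants the data owner chose to make, RBAC consults permission sets attached to roles, and a rule-based check applies a criterion (business hours) that ignores who is asking. When no model grants access, the posture decides: the same request is denied under default deny and allowed under default allow. All subjects, resources, labels, roles and hours are constructed for illustration.

```python
"""Access-control decision engine: posture plus MAC, DAC, RBAC and rule-based checks.

Added example for this chapter, not code from the slides; every subject,
resource, label, role and rule below is constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Posture(Enum):
    DEFAULT_DENY = "default deny"    # secure posture: no matching rule means no access
    DEFAULT_ALLOW = "default allow"  # open posture: no matching rule means access


# MAC: ordered sensitivity labels; clearance must dominate the object's label
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# RBAC: each role carries only the permissions its job needs (least privilege)
ROLE_PERMISSIONS = {
    "clerk": {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "auditor": {("ledger", "read"), ("audit-log", "read")},
}


@dataclass
class Subject:
    name: str
    clearance: str
    roles: frozenset


@dataclass
class Resource:
    name: str
    label: str
    owner: str
    dac_acl: dict  # DAC: grants made by the owner, user -> set of actions


@dataclass
class Request:
    subject: Subject
    resource: Resource
    action: str
    hour: int  # input to the rule-based check, independent of identity


def mac_permits(req: Request) -> bool:
    """Security-label check: clearance must be at least the object's classification."""
    return LEVELS[req.subject.clearance] >= LEVELS[req.resource.label]


def rule_permits(req: Request) -> bool:
    """Rule-based control: access only during business hours, whoever the user is."""
    return 8 <= req.hour < 18


def rbac_grants(req: Request) -> bool:
    return any((req.resource.name, req.action) in ROLE_PERMISSIONS.get(role, set())
               for role in req.subject.roles)


def dac_grants(req: Request) -> bool:
    return req.action in req.resource.dac_acl.get(req.subject.name, set())


def decide(req: Request, posture: Posture) -> tuple:
    """Returns (allowed, reason). Mandatory controls can only deny; role and owner
    grants can allow; when nothing matches, the posture decides."""
    if not mac_permits(req):
        return False, "MAC: clearance below object label"
    if not rule_permits(req):
        return False, "rule: outside business hours"
    if rbac_grants(req):
        return True, "RBAC role permission"
    if dac_grants(req):
        return True, "DAC owner grant"
    if posture is Posture.DEFAULT_ALLOW:
        return True, "no rule matched; open posture allows"
    return False, "no rule matched; secure posture denies"


# Constructed scenario
LEDGER = Resource("ledger", "confidential", owner="cfo", dac_acl={"dana": {"read"}})
AUDIT_LOG = Resource("audit-log", "restricted", owner="ciso", dac_acl={})
ALICE = Subject("alice", "confidential", frozenset({"clerk"}))   # role grants read only
BOB = Subject("bob", "restricted", frozenset({"auditor"}))
CAROL = Subject("carol", "internal", frozenset({"accountant"}))  # role fits, clearance does not
DANA = Subject("dana", "confidential", frozenset())               # no role; owner granted read
ERIN = Subject("erin", "restricted", frozenset())                 # nothing grants anything


def demo(posture: Posture) -> dict:
    """Evaluate the scenario under one posture; returns name -> (allowed, reason)."""
    requests = {
        "alice-read": Request(ALICE, LEDGER, "read", hour=10),
        "alice-write": Request(ALICE, LEDGER, "write", hour=10),  # clerk may not write
        "bob-night": Request(BOB, AUDIT_LOG, "read", hour=23),    # rule-based denial
        "carol-write": Request(CAROL, LEDGER, "write", hour=10),  # MAC denial despite role
        "dana-read": Request(DANA, LEDGER, "read", hour=10),      # DAC grant
        "erin-read": Request(ERIN, LEDGER, "read", hour=10),      # posture decides
    }
    return {name: decide(r, posture) for name, r in requests.items()}


if __name__ == "__main__":
    for posture in Posture:
        print(posture.value)
        for name, (allowed, reason) in demo(posture).items():
            print(f"  {name:12} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Running the scenario under both postures shows the point of slide 5: under default allow, alice's unpermitted write to the ledger succeeds because no rule covered it, so least privilege is only enforced when the posture is default deny.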
12. Infrastructure Access Controls
■ Include physical and logical network design, border devices, communication mechanisms, and host security settings
■ Network segmentation
  ❑ The process of logically grouping network assets, resources, and applications
  ❑ Types of network segmentation
    ■ Enclave network
    ■ Trusted network
    ■ Semi-trusted network, perimeter network, or DMZ
    ■ Guest network
    ■ Untrusted network
13. What Is Layered Border Security?
■ Different types of security measures designed to work in tandem with a single focus
  ❑ Firewall devices
  ❑ Intrusion detection systems (IDSs)
  ❑ Intrusion prevention systems (IPSs)
  ❑ Content filtering and whitelisting/blacklisting
  ❑ Border device administration and management
14. Remote Access Security
■ Remote access
  ❑ Users who have a demonstrated business need to access the corporate network remotely, and are authorized to do so, must be given that privilege
  ❑ Not all employees should be given this privilege by default
  ❑ Remote access activities should be monitored and audited
  ❑ The organization’s business continuity plan must account for the telecommuting environment
■ Remote access technologies
  ❑ Virtual private networks (VPNs)
    ■ Secure tunnel for transmitting data over an unsecure network, such as the Internet
  ❑ Remote access portals
    ■ Offer access to one or more applications through a single centralized interface
15. User Access Controls
■ Used to ensure that authorized users can access information and resources while unauthorized users cannot
■ Users should have access only to the information they need to do their job, and no more
■ Administrative account controls
  ❑ Segregation of duties
  ❑ Dual control
16. What Types of Access Should Be Monitored?
■ Three main monitoring areas:
  ❑ Successful access
  ❑ Failed access
  ❑ Privileged operations
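Slide 16 names the three areas to monitor, and slide 19 adds that collected information is useless unless it is reviewed. The added example below (not code from the slides or the textbook) performs that review over a handful of constructed access events: it buckets each event into successful access, failed access or privileged operations, and raises two findings a reviewer would want surfaced, a success that follows a run of failures for the same account, and a privileged operation by an account that is not on the approved administrator list. The key=value log format, the privileged action names and the administrator list are all constructed stand-ins for whatever the real systems emit.

```python
"""Review of access events across the three monitoring areas: successful access,
failed access and privileged operations.

Added example for this chapter, not code from the slides. The log lines, the
privileged-action names and the approved-administrator list are constructed."""
import re
from collections import defaultdict

# Constructed events, one line per access attempt
SAMPLE_LOG = """\
2024-06-01T09:00:01Z user=alice action=login resource=vpn outcome=success
2024-06-01T09:00:05Z user=bob action=login resource=vpn outcome=failure
2024-06-01T09:00:09Z user=bob action=login resource=vpn outcome=failure
2024-06-01T09:00:14Z user=bob action=login resource=vpn outcome=failure
2024-06-01T09:00:20Z user=bob action=login resource=vpn outcome=failure
2024-06-01T09:00:27Z user=bob action=login resource=vpn outcome=success
2024-06-01T09:05:00Z user=alice action=read resource=ledger outcome=success
2024-06-01T09:06:00Z user=root action=add_user resource=hr-db outcome=success
2024-06-01T09:07:00Z user=bob action=grant_role resource=hr-db outcome=success
2024-06-01T09:08:00Z user=carol action=read resource=audit-log outcome=failure
"""

PRIVILEGED_ACTIONS = {"add_user", "grant_role", "change_policy", "disable_logging"}
APPROVED_ADMINS = {"root"}   # constructed: accounts permitted to perform privileged operations
FAILURE_THRESHOLD = 3        # consecutive failures after which a success is worth a look

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Turns one 'timestamp key=value ...' line into a dict; {} for unparsable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    event = {"ts": m.group("ts")}
    event.update(dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv))
    return event


def review(log_text: str) -> dict:
    """Buckets events into the three monitoring areas and returns review findings."""
    areas = {"successful": [], "failed": [], "privileged": []}
    findings = []
    consecutive_failures = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "user" not in ev or "outcome" not in ev:
            continue  # malformed lines are skipped, not silently counted as success
        user, action, resource = ev["user"], ev.get("action", ""), ev.get("resource", "?")
        if ev["outcome"] == "success":
            areas["successful"].append(ev)
            if consecutive_failures[user] >= FAILURE_THRESHOLD:
                findings.append(
                    f"{user}: success after {consecutive_failures[user]} failed attempts on {resource}")
            consecutive_failures[user] = 0
        else:
            areas["failed"].append(ev)
            consecutive_failures[user] += 1
        if action in PRIVILEGED_ACTIONS:
            areas["privileged"].append(ev)
            if user not in APPROVED_ADMINS:
                findings.append(
                    f"{user}: privileged operation {action} on {resource} by non-approved account")
    return {"areas": {k: len(v) for k, v in areas.items()}, "findings": findings}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(result["areas"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Counting per area answers slide 16; the findings list is what makes the review of slide 19 actionable, since a reviewer can act on two lines rather than reading ten.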
17. Is Monitoring Legal?
❑ Employees should have no expectation of privacy while on company time or when using company resources
❑ Courts have favored an employer’s right to protect its interests over individual privacy rights because:
  ■ Actions were taken at the employer’s place of work
  ■ Equipment used, including bandwidth, was company-provided
  ■ Monitoring the work also helps ensure the quality of work
  ■ The employer has the right to protect property from theft and/or fraud
18. Is Monitoring Legal? (cont.)
❑ Courts indicate that monitoring is acceptable if it is reasonable:
  ■ Justifiable if serving a business purpose
  ■ Policies are set forth to define what privacy employees should expect while on company premises
  ■ Employees are made aware of what monitoring means are deployed
❑ The acceptable use agreement should include a clause informing users that the company will and does monitor system activity
❑ Users must agree to company policies when logging on
19. Summary
■ Access control is a complex domain. Access to information is extremely important to regulate.
■ User access and user actions on the network must be monitored and logged, whether users are located on premises or gaining access to the network remotely.
■ Monitoring is useless if the information gathered is not reviewed regularly.