Chapter 6. Mapping Business Challenges to Access Control Types
IN THIS CHAPTER, YOU WILL TAKE what you have already learned about access control and use it to design a comprehensive access control system. All access control systems are about solving problems and meeting business needs.
First, we will review access control types. Next, we will examine each step you should follow in designing an access control system. Finally, we will discuss how access control systems are used in the real world.
Chapter 6 Topics
This chapter covers the following topics and concepts:
How access control types apply to business challenges
How access controls can be used to solve business challenges
What some case studies and examples are
Chapter 6 Goals
When you complete this chapter, you will be able to:
Explain various access control types and map them to business challenges
Create a comprehensive access control strategy to solve business challenges
Mapping Business Challenges to Types of Control
The goal of any access control system is not simply to keep people out, or to organize who has access to a particular resource, but to meet a business need. In this chapter, you will discover how to apply various access control methods to solve a range of business challenges.
Business Continuity
Business continuity deals with worst-case scenarios. It addresses how essential functions continue in the midst and aftermath of a disaster. There are two sides to business continuity: prevention and recovery. Access controls are used primarily on the prevention side, but do have a role to play in recovery as well.
NOTE
A disaster is any major event that negatively impacts an organization's ability to carry on business as usual, including natural disasters such as earthquakes or tornados. It can also include criminal activities such as arson, robbery, and sabotage, or accidents such as a water main break that floods key facilities.
DISASTER PREVENTION
When creating a business continuity plan, you should start by brainstorming a list of "what-if" scenarios. Some disasters cannot be prevented—an earthquake will happen, regardless of whether you prepare f.
CHAPTER 6 Mapping Business Challenges to Access Control Types
IN THIS CHAPTER, YOU WILL TAKE SOME THEORETICAL concepts about the need for access control systems and apply them to solve real-world business problems.
The first section of this chapter discusses the types of business challenges that can be solved with access control systems. The second section describes the tools and techniques that can help you apply access control solutions. The chapter concludes with case studies of access controls in the real world.
Chapter 6 Topics
This chapter covers the following topics and concepts:
How access control types apply to business challenges
How access controls can be used to solve business challenges
What some case studies and examples are
Chapter 6 Goals
When you complete this chapter, you will be able to:
Explain various access control types and map them to business challenges
Create a comprehensive access control strategy to solve business challenges
Access Controls to Meet Business Needs
The goal of any access control system is not simply to keep people out or to organize who has access to a particular resource, but to meet a business need. In this chapter, you will discover how to apply various access control methods to solve a range of business challenges.
Business Continuity and Disaster Recovery
Business continuity and disaster recovery both refer to keeping organizations operating efficiently and their essential functions continuing in the event of a natural or manmade disaster. Business continuity plans consist of controls designed to mitigate risks to an extent that they do not disrupt critical business functions. Disaster recovery plans kick in when business continuity plans fail and attempt to get the business up and running again as quickly as possible.
NOTE
A disaster is any major event that negatively affects an organization’s ability to carry on business as usual, including natural disasters such as earthquakes or tornadoes. It can also include criminal activities such as arson, robbery, and sabotage, or accidents such as a water main break that floods key facilities.
Business Continuity
When creating a business continuity plan, you should start by brainstorming a list of “what-if” scenarios. Some disasters cannot be prevented—earthquakes will happen, regardless of whether you prepare for them or not. Others, especially criminal activities and accidents, can be prevented or minimized through careful planning and strong access controls.
For example, consider a cruise line with corporate headquarters located in Miami, Florida. This region is highly susceptible to natural disasters, such as hurricanes and flooding. Business continuity planners must take the risk of these disasters into account and develop plans to keep the cruise line running even in the face of a major natural disaster. Planners have several potential strategies at their disposal.
First, the cruise line could decide to separate its data center from its cor ...
BBA 3551, Information Systems Management 1 Course Lea.docxaryan532920
BBA 3551, Information Systems Management 1
Course Learning Outcomes for Unit VIII
Upon completion of this unit, students should be able to:
3. Examine the importance of mobile systems and securing information and knowledge.
Reading Assignment
Chapter 12:
Information Security Management
Unit Lesson
In the last unit, we discussed outsourcing, the functions and organization of the IS department, and user
rights and responsibilities. In this final unit, we will focus on security threats to information systems.
PRIDE and System Security
PRIDE processes privacy settings on the server and returns a code that indicates which of the four privacy
levels defined for PRIDE govern a particular individual with a particular report/data requestor. By processing
settings on the server, those settings are not exposed to the Internet. The return code is, however, and the
operational system should probably use https for both the code and to return the report. This was not done in
the prototype, though.
The relationship between patients and PRIDE participants is N:M. One patient has potentially many
organizations, and an organization has potentially many patients. What this means is that a patient has a
relationship, potentially, to many participants of a given type: many doctors, many health clubs, many
insurance companies, and even many employers. In addition, a patient has a relationship to, potentially, many
types of participants.
Given the N:M relationships, a natural place to put privacy settings is in the intersection table. That table
serves, intuitively, as an opacity filter between a given patient and a given doctor (or other
person/organization).
The tension in the dialog between Maggie and Ajit at the beginning of Chapter 12 regarding what terminology
to use with Dr. Flores is intended to set up a discussion from both perspectives. It is a common problem for
techies when talking with business professionals: How much technical language should I use? It is important
to use enough to demonstrate competency, but not so much as to drown the businessperson in terminology.
Using the Ethics Guide: Securing Privacy
In this chapter, we discuss three categories of criteria for evaluating business actions and employee
behaviors:
legal
ethical (categorical imperative or utilitarianism)
good business practice
UNIT VIII STUDY GUIDE
Information Security Management
BBA 3551, Information Systems Management 2
We can clearly see the differences in these criteria with regard to data security. A doctor’s office that does not
create systems to comply with HIPAA is violating the law. An e-commerce business that collects customer
data and sells it to spammers is behaving unethically (by either ethical perspective). An e-commerce business
that is lackadaisical about securing its customers data is engaging in poor business practices.
Even still, business professionals today need t ...
Analyzing The Near Miss: Are companies overlooking crucial data?Garrett Foley
Near misses are predictive, showing the potential for future accidents. If a company doesn’t record its near misses, it’s missing a wealth of predictive information that could help prevent serious safety problems. For this reason, employees should be trained to identify near misses, and reporting these instances should be as quick and simple as possible. Nothing provides safety managers with more details and more trend data than near misses. They are the canary in the coal mine, helping to predict where, when, and why an accident will happen. With robust near-miss reporting, metal fabricators can catch safety issues long before they turn dangerous or even tragic.
Xevgenis_Michail_CI7130 Network and Information SecurityMichael Xevgenis
- The document discusses a security assessment of an organization that provides secure data storage for clients. It outlines the organization's key assets including proper system operation, data security, software, hardware, and employees.
- An analysis team is formed to conduct the security assessment using the OCTAVE framework. The team includes specialists in networking, IT, human resources, security, and business.
- The assessment will identify vulnerabilities and develop security strategies to mitigate risks to the organization's reputation, data protection, availability, and proper operation. Countermeasures proposed will focus on improving the organization's defensive capabilities.
Discussion 300 wordsSearch scholar.google.com or your textbookhuttenangela
Discussion 300 words
Search "scholar.google.com" or your textbook. Discuss how organizations have faced the challenges that incident handlers are challenged with in identifying incidents when resources have been moved to a cloud environment.
Reply to classmate 1: 275 words
Incident Handlers Challenges
The cloud computer helps the people to share their distributed resources which are related to different business organizations. Cloud computing helps business organizations in managing their business around the globe. The cloud computing application helps business organizations in expanding their business at a large level. It can be assessed on web devices from anywhere. Nowadays cloud computing helps the business organizations in meeting the demands of their customers more efficiently. The malicious cloud system has been noticed by the incident handlers which is a core concern for the business organization. Nowadays every business organization is using cloud computing in order to manage their important data and information of the business. The business organization is facing many incidents in their organization which can directly affect the working of their business. The main challenge that has been faced by the incident handlers is the accuracy in identification (John W. Rittinghouse, 2017).
The number of challenges that faced in the cloud environment are as follows:-
1. Challenge of denial of services: - The first main challenge that has been faced by the incident handler is the denial of services. There are various incidents of service attacks which can create a bogus request for preventing the system within the stipulated time. Such physical attack creates a challenge of service denial for the system.
2. Challenge of malicious code: - The second main challenge which can be faced by the incident handler is the challenge of malicious code. It can quickly affect the number of workstations in the business organization. It effects the working of the business organization.
3. Challenge of unauthorized access:- The third main challenge which is being faced by the incident handler is the unauthorized access of the system by the third party in the business organization. It can affect important data and information about the business. The attackers can access the system by the unauthorized way and steal the important data of the business organization.
4. Challenge of inappropriate use:- The fourth main challenge which may be faced by the incident handlers is the challenge of inappropriate use of the system. In the business organization, any employee can provide the illegal copies of the software to the other company employees. They can take advantage of the data and can misuse it.
5. Cloud service provider challenge:- The fifth main challenge that can be faced by the incident handler is the cloud service providers. This situation occurs when there is no control over the actions provided by cloud service provid ...
Cyber security is becoming increasingly relevant within the insurance industry to the degree, that the National Association of Insurance Commissioners (NAIC) named it as the key initiative for 2015.
With businesses now accelerating their goal to becoming a whole cloud-native interface in the
coming years, with a ground cloud-based disaster recovery strategy, they must also be embedded
within their management plans. Otherwise, every business risks losing vital data and having
its systems, operations, and services shut down by natural and artificial disasters, hardware
failures, power outages, and security risks.
Course Session Outline - Internal control in Information SystemTheodore Le
The document discusses various aspects of information security including threats, risks, and controls. It begins by outlining common security threats like hackers, computer viruses, and errors that can disrupt organizations. It then examines potential impacts of security incidents like loss of confidentiality, integrity, and availability of data. Examples are given around different levels of damage from a hacker attacking a credit card company. The rest of the document covers internal controls for information systems, including components like control environment, risk assessment, control activities, information and communication, and monitoring. Specific control techniques are introduced like general controls, application controls, fault tolerance, and intrusion detection systems. The document concludes with discussing setting up group projects to further explore these security topics.
This report summarizes issues with Rapid Data Services' current physical security and recommends improvements. Firstly, physical security needs to be increased through an alarm system connected to an outside agency, security personnel present at all times, and 24/7 surveillance cameras inside and outside. Fire and flood risks also need to be addressed. Secondly, intrusion measures like access control and video surveillance should be implemented to restrict unauthorized access. Lastly, the report considers moving operations to an established secure server housing company versus the costs of building their own high-security data storage facility.
CRO (Chief Risk Office and its responsibility)Komal310425
The document discusses the role and responsibilities of a Chief Risk Officer (CRO). The CRO is responsible for identifying, analyzing, and mitigating risks across the organization. This includes ensuring compliance with regulations, overseeing internal audits, developing risk management policies, assessing operational and reputational risks, and creating strategies to minimize risks. The CRO must also address emerging risks like cybersecurity threats and data protection issues. When evaluating vendors, organizations should thoroughly assess their financial health, business credibility, background of founders/management, and conduct an overall due diligence check using documentation like financial statements, legal records, and tax documents. This helps determine the vendor's ability to meet contractual obligations and mitigate risk.
The document proposes standard operating procedures for security breaches at DeVry University. It recommends removing email addresses from websites to avoid harvesting, and using a contact form instead. Physical security policies are outlined, such as not leaving documents visible in public or unattended. An incident response plan framework is also proposed to minimize downtime from security incidents. The plan involves initial assessment, isolation, communication, recovery, reassessment and review.
This document discusses the importance of ongoing risk assessment for companies. It recommends that risk assessment consider not just IT networks and computers, but also physical security and employees. A comprehensive risk assessment process involves identifying assets, threats, vulnerabilities, likelihood of threats, potential impacts, existing controls, and recommendations. It is important that risk assessment be an ongoing and recurring process to account for changing business needs and environments.
Fin 571 genius perfect education fin571genius.comstudent01234
FOR MORE CLASSES VISIT
www.fin571genius.com
1.A proxy fight occurs when: the board of directors disagree on the members of the management team. 2. A stakeholder is any person or entity: 3.Which one of the following is least apt to help convince managers to work in the best interest of the stockholders? threat of a proxy fight pay raises based on length of service implementation of a stock option plan
Audit and Compliance BDR Knowledge TrainingTory Quinton
The document discusses challenges related to access governance, segregation of duties, change tracking, and litigation mitigation in organizations. It provides details on common access governance challenges, the importance of segregation of duties and change tracking, and the consequences of security events and importance of compliance policies.
BetterCloud Whitepaper: Offboarding Inefficiencies and Security ThreatsBetterCloud
With the increase of SaaS apps in the workplace, it can take hours to just offboard one employee. Its time to tackle this issue, and offboard fast, and securely.
This document discusses effective anti-money laundering (AML) controls and practices for financial institutions. It explains that AML officers have many responsibilities, including legal, operational, investigative, and acting as a liaison with auditors and regulators. Maintaining fully effective controls is challenging given these diverse duties. The webinar aims to identify issues that have led to failures at other institutions, develop a roadmap to prevent such issues, and provide a practical approach to AML program architecture. It will cover topics like risk assessments, audit reviews, board reporting, staff training, and case studies to help institutions strengthen their AML divisions and oversight. The webinar content would benefit compliance officers, risk officers, auditors, and
Cyber risk management and the benefits of quantificationDavid X Martin
Cyber security is an unknown, unknown risk which is difficult to quantify. Focus on the impact of the cyber security events, not how they happen. Use disruption models to quantify operational disruptions. Convert as many unknown risks into known risks, so they can be quantified. And for those truly unknowable risks, focus on what needs to be done to ensure survivability.
The document discusses accelerating problem resolution through automated problem isolation. It notes that the average organization suffers over $1 million per hour in downtime costs, and wastes over half that time just determining who should fix issues. Automated problem isolation can reduce downtime by 40% by automatically isolating 80% of problems. While challenging, problem isolation solutions now exist that simplify implementation and allow organizations to improve customer service and save millions.
Similar to Chapter 6. Mapping Business Challenges to Access ControlType.docx (20)
Choose 1 focal point from each subcategory of practice, educatio.docxbissacr
Choose 1 focal point from each subcategory of practice, education, research and administration and describe how the APRN can provide effective care in end of life management
Using the American nurses association position statement, recommendations for improvement in end of life management focuses on practice, education, research and administration. Listed below are steps that nurses can take to overcome barriers in healthcare practice.
Practice
1. Strive to attain a standard of primary palliative care so that all health care providers have basic knowledge of palliative nursing to improve the care of patients and families.
2. All nurses will have basic skills in recognizing and managing symptoms, including pain, dyspnea, nausea, constipation, and others.
3. Nurses will be comfortable having discussions about death, and will collaborate with the care teams to ensure that patients and families have current and accurate information about the possibility or probability of a patient’s impending death.
4. Encourage patient and family participation in health care decision-making, including the use of advance directives in which both patient preferences and surrogates are identified.
Education
1. Those who practice in secondary or tertiary palliative care will have specialist education and certification.
2. Institutions and schools of nursing will integrate precepts of primary palliative care into curricula.
3. Basic and specialist End-of-Life Nursing Education Consortium (ELNEC) resources will be available.
4. Advocate for additional education in academic programs and work settings related to palliative care, including symptom management, supported decision-making, and end-of-life care, focusing on patients and families.
Research
1. Increase the integration of evidence-based care across the dimensions of end-of-life care.
2. Develop best practices for quality care across the dimensions of end-of-life care, including the physical, psychological, spiritual, and interpersonal.
3. Support the use of evidence-based and ethical care, and support decision-making for care at the end of life.
4. Develop best practices to measure the quality and effectiveness of the counseling and interdisciplinary care patients and families receive regarding end-of-life decision-making and treatments.
5. Support research that examines the relationship of patient and family satisfaction and their utilization of health care resources in end-of-life care choices.
Administration
1. Promote work environments in which the standards for excellent care extend through the patient’s death and into post-death care for families.
2. Encourage facilities and institutions to support the clinical competence and professional development that will help nurses provide excellent, dignified, and compassionate end-of-life care.
3. Work toward a standard of palliative care available to patients and families from the time of diagnosis of a serious illness or a.
CHOICE TOPIC Pick a philosophical topic of your own choosing and re.docxbissacr
CHOICE TOPIC: Pick a philosophical topic of your own choosing and relay your own perspective on that topic giving as much evidence and supporting reasoning as possible.
The assignment should be standard font, double spaced, at least a page and a half with proper citations when appropriate.
.
Choice Hotels InternationalOverviewRead the case study, .docxbissacr
Choice Hotels International
Overview
Read the case study,
Choice Hotels International
.
Instructions
Write a fully developed paper in which you: DO NOT WRITE IN 1ST PERSON
Assess the two distinct networking functions.
Analyze the issues Choice is likely to experience as it expands its network to full global reach. Provide a rationale for your answer.
Critique Choice implementing free high-speed Internet access for all guests in its Clarion Hotels and Comfort Suites from the security point of view.
Use at least three quality resources in this assignment. Note: Wikipedia and similar websites do not qualify as quality resources.
.
Choice Theory- Is to choose to engage in delinquent and criminal beh.docxbissacr
Choice Theory- Is to choose to engage in delinquent and criminal behavior after weighing the consequences and benefits of their actions
Classical Criminology
People have free will to choose criminal or conventional behaviors, people choose to commit crime for reasons of greed or personal need, and crime can be controlled only by the fear of criminal sanctions.
1. In 1764, criminologist Cesare Beccaria wrote An Essay on Crimes and Punishments, which set forth classical criminological theory. He argued that the only justified rationale for laws and punishments was the principle of utility.
2. Beccaria believed the basis of society, as well as the origin of punishments and the right to punish, is the social contract. The only legitimate purpose of punishment is special deterrence and general deterrence.
3. Beccaria believed the best way to prevent and deter crime was to: • Enact laws that are clear, simple, and unbiased, and that reflect the consensus of the population. • Educate the public. • Eliminate corruption from the administration of justice. • Reward virtue.
4. Real-world drawbacks of Beccaria’s theory are: • Not all offenders are alike, juveniles are treated the same as adults. • Similar crimes are not always as similar as they might appear,first-time offenders are treated the same as repeat offenders.
I don't pay for cover pages
1 APA style page
12 pt font
I gave a breakdown of what the teacher is looking for
.
CHM130LLLab 2Measurements Accuracy and PrecisionName __.docxbissacr
CHM130LL
Lab 2
Measurements: Accuracy and Precision
Name : _____________________________
A. Data Tables
Data Table 1 (12 points)
Measurement
Data
(1) Length of aluminum plastic packet
(2) Height of aluminum plastic packet
(3) Temperature of faucet water
(3) Temperature of ice water
(5) Volume of water in 10-mL
graduated cylinder
(6) Volume of water in 50-mL
graduated cylinder
Data Table 2 (10 points)
Measurement
Data
(1) Inside diameter of 50-mL
graduated cylinder
(2) Height of 50-mL graduated cylinder
(3) Water temperature
(4) Initial volume of water in 50-mL
graduated cylinder
10.0 mL
(5) Mass of water in the 50-mL
graduated cylinder
10.0 g
(6) Volume of water and aluminum shot in 50-mL graduated cylinder
(7) Mass of aluminum shot (given on outside of packet)
B. Insert the picture of the plastic packet containing aluminum shots with student’s name and MEID (25 points)
C. Follow-Up Questions (Show all calculations for full credits)
Part I
1. Convert the length and height measurements for the packet that contains the aluminum shot from units of cm to units of mm using the unit-factor method. (10 points)
2. Convert the temperature measurements for the faucet water and the ice water from oC to oF, using the following equation: oF =1.8(oC) + 32. (10 points)
3. Convert the volumes of the water in the 10-mL and 50-mL graduated cylinders from mL to L, using the unit-factor method. (10 points)
4. Looking at your measurements for the volumes of water in the 10-mL and 50-mL graduated cylinders, are your values identical? Discuss at least two reasons why the measurements were not identical. (5 points)
Part II
5. Calculate the volume of the 50mL graduated cylinder using your measurements of diameter and height, using the formula V= πr2h (r=½ diameter). This is your experimental value. (10 points)
6. Assuming the accepted value of the volume of the graduated cylinder is 50.00 mL, calculate the percent error of your volume calculation, using the following formula and the experimental value calculated in question 5: (10 points)
Percent Error
=
|
accepted value - experimental value
accepted value
|
x
100
7. Calculate the mass of 10ml of water in the graduated cylinder using 1/5 the volume calculated in question 5, the density of water of 1.00 g/mL and this given the formula: (10 points)
Density
=
mass
volume
8. Using 10.0 g as the accepted value for the mass of the water, and the mass calculated in #7 above as the experimental value, calculate the percent error of your mass calculation, using the same formula as in #6 above. (10 points)
9. Calculate the volume of aluminum shot added to the graduated cylinder, using the information from Data Table 2 in the following formula: (10 points)
Volume of water and aluminum shot in 50-mL graduated cylinder(#6) – Initial volume of water in 50-mL graduated cylinder (#4) = volume of aluminum shot
10. Calculate the experimental value for density of the aluminum shot based on its mass (given on.
Chocolates by Jacki has provided information relating to its curre.docxbissacr
Chocolates by Jacki has provided information relating to its current year. The Controller has asked you to complete a First-Stage Allocation to Activity Cost Pools. Use the information included in the Excel Simulation and the Excel functions described below to complete the task.
· Cell Reference: Allows you to refer to data from another cell in the worksheet. From the Excel Simulation below, if in a blank cell, “=B7” was entered, the formula would output the result from cell B7, or 400,000 in this example.
· Absolute Reference: Allows you to maintain the original cell reference when a formula is copied to another cell. The cell reference is “locked” by putting a dollar sign ($) before the column and row references. By default a cell reference is relative, so when you copy a formula to another cell the values update based on a relative reference. For example, if you copy the formula “=B8+B9” from cell C1 to cell C2, the formula in cell C2 will relatively update to be “=B9+B10” since the copied formula moved down one cell, the formula cell references also moved down one cell. Conversely, by adding the absolute cell reference “locks” to the equation, the formula will not change when copied to any other cell. For example, “=$B$8+$B$9” written in cell C1 is copied to cell C2, the formula in cell C2 will remain “=$B$8+$B$9”. You can also use a mixed cell reference by only “locking” the column or row only ($B8 or B$8) which locks that specific column or row and the other reference becomes a relative reference and “moves” with the formula as its copied to another cell. For example, if you copy the formula “=B$8+B9” from cell C1 to cell C2, the formula in cell C2 will update to be “=B$8+B10” since the copied formula moved down one cell, the formula cell relative references also moved down one cell, but the absolute “locked” reference remained the same.
· Basic Math functions: Allows you to use the basic math symbols to perform mathematical functions. You can use the following keys: + (plus sign to add), - (minus sign to subtract), * (asterisk sign to multiply), and / (forward slash to divide). From the Excel Simulation below, if in a blank cell “=B18+B19” was entered, the formula would add the values from those cells and output the result, or 250,000 in this example. If using the other math symbols the result would output an appropriate answer for its function.
· SUM function: Allows you to refer to multiple cells and adds all the values. You can add individual cell references or ranges to utilize this function. From the Excel Simulation below, if in a blank cell “=SUM(B13,B14,B15)” was entered, the formula would output the result of adding those three separate cells, or 375,000 in this example. Similarly, if in a blank cell “=SUM(B13:B15)” was entered, the formula would output the same result of adding those cells, except they are expressed as a range in the formula, and the result would be 375,000 in this example.
Quest.
Chloe1a. This study uses qualitative meta-synthesis to take a.docxbissacr
Chloe
1a. This study uses qualitative meta-synthesis to take a holistic approach to innovation in information systems companies. The article stated that the researchers used qualitative meta-synthesis that analyzed over 370 different articles, journals or other written forums, which required a severe amount of time to read a review and correlate to each other to show a holistic approach. Some of the artifacts used were, “Fear of technological complexity”, “Data collection and processing tools”, and others in Table 1 (Lawrence, 2013).
1b. Information systems innovation is difficult. Not only just systems such as Facebook and Google but the backbone of systems that run corporations such as FedEx and UPS. Changing the users’ experience where it is not just easy to use, but functional has always been difficult such as when we think back to how clunky MySpace and AOL were. This article is about how cultures in information systems companies need mediation to generate innovation, which is directly applicable to how to generate innovative environments.
2a. This research focused on how social media could or could not enhance innovation. The researcher’s hypothesis was that a new connection + novel idea = innovation. In order to connect people, the researcher’s used social media due to its proclivity in today’s world. There were 31 owner-managers from the United Kingdom that signed up and 42 interviews that were conducted. The result of those interviews were over 500 pages of transcripts that required combing through, but first as binned by coding into nine different categories. Overall there was an extensive amount of qualitative research conducted is considerably larger than most qualitative studies.
2b. This article specifically applies to my topic of how to generate innovative environments because it takes a 21st-century approach to innovation, which is ironic, and assess how to use social media to generate innovative ideas. Though overall the discovery is that social media is a difficult platform to meet strangers, there is an avenue such as like type communities on social media that would work better.
References:
Business Continuity
Business continuity deals with worst-case scenarios. It addresses how essential functions continue in the midst and aftermath of a disaster. There are two sides to business continuity: prevention and recovery. Access controls are used primarily on the prevention side, but do have a role to play in recovery as well.
NOTE
A disaster is any major event that negatively impacts an organization's ability to carry on business as usual, including natural disasters such as earthquakes or tornados. It can also include criminal activities such as arson, robbery, and sabotage, or accidents such as a water main break that floods key facilities.
DISASTER PREVENTION
When creating a business continuity plan, you should start by brainstorming a list of "what-if" scenarios. Some disasters cannot be prevented—an earthquake will happen, regardless of whether you prepare for it or not. Others, especially criminal activities and accidents, can be prevented or minimized through careful planning and strong access controls.
Consider this scenario involving criminal activity: Acme Collections buys delinquent accounts from small and mid-range businesses, then attempts to collect on those debts. It has a reputation for being very effective at collecting bad debts, and its top collection agents earn significant bonuses for closing tough accounts, often through hard sell and intimidation tactics.
One Wednesday afternoon, the power suddenly goes out. A few minutes later, an individual with a gun enters the office and demands to see the collection agent who has been hounding him for the past several weeks. When he is told the agent is out of the office, the individual holds 250 employees of Acme Collections hostage for several hours and eventually destroys the servers that store account records.
This traumatic event could have been prevented with strong physical access controls. The criminal in this scenario first cuts the power to the building, preventing the alarm system from being triggered. This is an access control failure that is often overlooked. Many facilities require ID badges and even biometric scans to enter, but do not adequately monitor and secure the power lines running to the building. An individual wishing to create confusion and disable an alarm system only needs to cut the power lines. This is a dangerous activity, and can be deadly if not done properly, but this will not stop someone who is determined to cause harm.
A more elaborate alarm system would also have been useful in this scenario. Modern, monitored alarm systems trigger automatically if the power goes out or the connection to the alarm company is severed.
In addition to securing the power lines to the building and using a monitored alarm system, Acme could have installed doors that locked automatically. Because Acme does not have a customer-facing front office and does not expect to have members of the general public visit its offices, there is no reason to leave the doors unlocked. Only the employees who work in the offices have any reason to be there, and those employees can be issued smart card ID badges to unlock the doors.
Administrative policies and employee buy-in are important parts
of disaster prevention. Policies that prevent
piggybacking at facility doors are crucial, as well as policies to
handle lost or forgotten ID badges. Acme's employees
are only human; occasionally they will lose their ID badges.
Those badges must be deactivated as quickly as possible
to prevent someone from finding a badge and using it to gain
unauthorized access to Acme's offices.
When physical and administrative controls fail.
Physical security is not the only area where strong access controls can prevent disaster. Consider another scenario, this one much more common.
A senior account manager at Acme Public Relations is called to
a closed-door meeting with her department head and a
representative from human resources. The account manager
believes she has been passed over for promotions and
bonuses unfairly, and to compensate has been embezzling funds
from the company for the past year. The department
head became aware of her activities and has been monitoring
her for the past three months, gathering evidence. In
this meeting, the account manager is given a choice: if she
leaves quietly, the company will not pursue a legal case
against her.
She agrees, and requests an hour to clean out her office. Her department head agrees, and the account manager goes back to her office and closes the door. She spends the next hour deleting important files and data, downloading viruses and spam bots from the Internet, and sending her clients' contact information to her personal e-mail account.
Once she is gone, she contacts her former clients and informs
them that she has decided to open her own firm and will
offer them a significantly reduced rate if they will leave Acme
Public Relations. Many of her clients agree to send their
business to her new firm. The viruses she downloaded before
she left infected a large portion of the Acme network
before being detected and eliminated. The spam bots she
downloaded caused the company to be listed on several
spam blacklists, causing their legitimate e-mails to be classified
as spam.
This scenario illustrates a failure of administrative, logical, and physical access controls. While the account manager was meeting with her department head and the representative from human resources, someone in IT should have been disabling her workstation and network accounts. This would have prevented her from deleting data, infecting the network with viruses and spam bots, and sending her clients' contact information to her personal e-mail account. Without that contact information, she would not have been able to poach some of Acme's best clients, causing further damage to Acme. Finally, she should not have been allowed to return to her office unescorted. Once she was terminated, she should no longer have been considered "authorized personnel" and should have been treated as any other visitor.
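One check that would have caught this scenario, as an added example that is not from the book: reconcile the HR termination list against exports from the directory and the badge system, and report every terminated user who still has an enabled account, a logon after the termination time, or an active badge. The users, times and badge IDs are constructed for the example, and the export formats are assumptions; a real deployment would feed it the directory's and badge system's actual exports.

```python
"""Termination reconciliation check (added example, not from the book).

Cross-references a constructed HR termination list against a constructed
directory export and badge-system export to find access that should have
been revoked during, not after, the termination meeting.
"""
from datetime import datetime

# Constructed sample data (hypothetical users, times and badge IDs).
TERMINATIONS = {
    "jdoe": datetime(2009, 4, 6, 14, 0),   # meeting started at 2:00 p.m.
    "mlee": datetime(2009, 3, 1, 9, 0),
}

DIRECTORY_EXPORT = [
    {"user": "jdoe",   "enabled": True,  "last_logon": datetime(2009, 4, 6, 14, 37)},
    {"user": "mlee",   "enabled": False, "last_logon": datetime(2009, 2, 27, 17, 5)},
    {"user": "asmith", "enabled": True,  "last_logon": datetime(2009, 4, 6, 8, 12)},
]

BADGE_EXPORT = [
    {"badge": "B-1041", "user": "jdoe",   "active": True},
    {"badge": "B-0972", "user": "mlee",   "active": False},
    {"badge": "B-1130", "user": "asmith", "active": True},
]


def reconcile(terminations, accounts, badges):
    """Return {user: [finding, ...]} for every terminated user with lingering access.

    Three checks, each of which would have stopped part of the scenario:
      1. the directory account is still enabled;
      2. the account logged on after the termination time;
      3. a physical badge assigned to the user is still active.
    Users with no findings are omitted, so the report lists only exceptions.
    """
    findings = {}
    by_user = {a["user"]: a for a in accounts}
    for user, fired_at in terminations.items():
        issues = []
        acct = by_user.get(user)
        if acct is None:
            issues.append("no directory record found; confirm the account was removed, not renamed")
        else:
            if acct["enabled"]:
                issues.append("directory account still enabled")
            if acct["last_logon"] is not None and acct["last_logon"] > fired_at:
                minutes = int((acct["last_logon"] - fired_at).total_seconds() // 60)
                issues.append(f"logon {minutes} minutes after termination")
        for b in badges:
            if b["user"] == user and b["active"]:
                issues.append(f"badge {b['badge']} still active")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in reconcile(TERMINATIONS, DIRECTORY_EXPORT, BADGE_EXPORT).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run on the constructed data, the report names only jdoe: the account is still enabled, it logged on 37 minutes after the meeting began (the hour spent in the office), and the badge is still live. The check is cheap enough to run on a schedule, and any non-empty report is an offboarding procedure that did not happen in the right order.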
DISASTER RECOVERY
Access controls are not only important in preventing disasters;
they are also crucial in the aftermath. In a natural
disaster, key personnel may not be immediately available.
Rather than leaving mission-critical systems unavailable
until a system administrator can return to the office, procedures
should be in place to allow anyone to perform the
basic tasks necessary to bring servers back online and restore
essential business functions.
Let's look at a disaster recovery scenario: On Monday at 2 a.m.,
an electrical fire breaks out in the basement of the
Acme Financial Services' office building. Acme is a midsized
investment and portfolio management company. As soon
as the fire is out, Acme's chief executive officer (CEO) and
chief operations officer (COO) make their way downtown to
survey the damage. Much of the building was damaged in the fire, and emergency personnel remain in the area, preventing anyone from entering the building until it has been inspected and deemed structurally sound.
Because the entire building is without power, the COO knows that the company's customer-facing Web site, which is hosted on servers located onsite, must be down. Employees will not be allowed to enter when they come in to work later that morning. The COO's primary goals in this situation
are to reassure customers that Acme is handling the
situation and will be available to meet their needs as quickly as
possible, and to arrange for alternative facilities so that
employees can do their jobs in the days or weeks ahead as the
damage is repaired.
First, the COO must get the Web site running on an alternate
Web server offsite. To do this, he needs the account
information for the company's hosted offsite backup account.
Because he normally does not deal with backups as part
of his job, he does not have access to this account. Instead, he
must call the systems administrator to obtain access to
the backup account and have those files restored to an offsite
Web server. He posts a message on the Web site
informing customers of the situation and assuring them that
business will resume as quickly as possible.
Next, he must inform employees of the situation and give
instructions on where to report to work later that morning.
Unfortunately, the company directory is located on the intranet,
which is also hosted onsite and is currently down. He
eventually resorts to publishing a brief notice to TV and radio news outlets, informing employees of the disaster and advising them to wait to hear from their department head for further instructions.
In this scenario, a difficult situation was made more chaotic
because crucial information was not available when and
where it was needed. First, the COO did not have access to the
offsite backup account. Normally, this makes sense
under the need-to-know principle. Because managing backups is
not one of the COO's job functions, he doesn't need
to know the account number, username, or password to that
account. However, in a disaster situation, an organization
needs to have a way to quickly authorize first responders to
access crucial information. In the scenario described here,
all it took was a quick phone call to a systems administrator
who recognized the COO's voice. In a larger organization,
this would not have been a practical solution.
On the other hand, this scenario could have been nothing more
than a social engineering ploy designed to con the
systems administrator into giving up sensitive account
information. To counteract this possibility, key personnel, such as systems administrators and department heads, should be trained in disaster recovery procedures, so they know what to expect and can quickly spot any anomaly in the procedure that might signal a social engineering ploy.
To compound the problem, the COO did not have the company
directory at hand to pass along information and
instructions to various department heads in a timely manner.
Hard copies of a company directory, especially if that
directory includes employees' home or cell phone numbers,
should not be widely distributed, but that information
must be available to first responders in an emergency situation.
A good solution and access control method for this issue would
be to program the contact numbers of key personnel,
such as the systems administrator, in a company cell phone,
which would be kept by a member of senior management
like the COO or an official emergency coordinator. This way,
only the cell phone number is made public, and sensitive
information—the home phone numbers of key personnel—is
kept private.
The existence of an emergency cell phone also helps prevent social engineering attacks. If someone calls a systems administrator's home phone number claiming to be the COO or the official emergency coordinator, he or she can check the caller ID to see whether the call originated from the company's emergency cell phone. Because caller ID can be spoofed, the administrator should hang up and call the emergency cell phone back at its known number before releasing any account information.
CUSTOMER ACCESS TO DATA
The advent of the Internet has made it easy for customers to
order merchandise online, view their order history, track
packages, and update their own customer records.
Unfortunately, this freedom brings a host of access control
challenges. Customers should be able to view their own
information but not that of other customers, for example. To
meet this need, an access control system must be able to
accommodate three key specifications:
Allow customers to create and update their own account
information
Allow customers to create orders
Deny access to any information not directly associated with that
customer
The key access control method here is a typical username and password combination. A Web site visitor who has not logged in should not be allowed to view anything but the public-facing portions of a company's Web site. If the visitor wants to place an order, they will need to create an account. This process generates a row in the customer database keyed to the customer's username or customer ID. This unique key is also used to identify rows in the order database that belong to that customer. Keying rows in the order database on customer ID or username, and filtering every order query by the ID of the customer who is actually logged in rather than by a value supplied in the request, prevents the system from inadvertently displaying customer B's order history to customer A. This system is only as secure as the passwords customers create.
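The point about keying order rows on the customer ID is worth seeing in code, because the database key alone does not stop the leak; the query has to use the ID of the customer who is actually logged in. The following is an added example, not code from the book or from any Acme system; the table layout, customer names and order numbers are constructed, and sqlite3 stands in for the order database.

```python
"""Order lookup scoped to the authenticated customer (added example).

Constructed sample data: two customers, each with their own orders. An
in-memory sqlite3 database stands in for the customer and order tables.
"""
import sqlite3

CUSTOMERS = [(1, "alice", "Alice Library"), (2, "bob", "Bob School")]
ORDERS = [
    (101, 1, "Charlotte's Web", 24),
    (102, 1, "Hatchet", 12),
    (201, 2, "Holes", 30),
]


def build_db():
    """Create the two tables keyed the way the chapter describes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customer (
            customer_id INTEGER PRIMARY KEY,
            username    TEXT UNIQUE NOT NULL,
            org_name    TEXT NOT NULL
        );
        CREATE TABLE orders (
            order_id    INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
            title       TEXT NOT NULL,
            quantity    INTEGER NOT NULL
        );
        """
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    return conn


def get_order_insecure(conn, order_id):
    """VULNERABLE: trusts the order number the browser sent and nothing else.
    Any logged-in customer who guesses another order number receives it."""
    return conn.execute(
        "SELECT order_id, customer_id, title, quantity FROM orders WHERE order_id = ?",
        (order_id,),
    ).fetchone()


def get_order_secure(conn, session_customer_id, order_id):
    """HARDENED: the customer ID comes from the server-side session, never
    from the request, and is part of the WHERE clause. A row that belongs to
    another customer is indistinguishable from a nonexistent one."""
    return conn.execute(
        "SELECT order_id, customer_id, title, quantity FROM orders "
        "WHERE order_id = ? AND customer_id = ?",
        (order_id, session_customer_id),
    ).fetchone()


def list_orders(conn, session_customer_id):
    """Order history is always filtered by the authenticated customer."""
    return conn.execute(
        "SELECT order_id, title, quantity FROM orders "
        "WHERE customer_id = ? ORDER BY order_id",
        (session_customer_id,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Alice (customer 1) is logged in and edits the order number in the URL.
    print("insecure:", get_order_insecure(db, 201))   # Bob's order leaks
    print("secure:  ", get_order_secure(db, 1, 201))  # None
    print("history: ", list_orders(db, 1))
```

The insecure function is the classic mistake: the order number arrives in the URL and is trusted. The hardened version never takes a customer ID from the client; it reads it from the server-side session and makes it part of the WHERE clause, so a tampered order number yields "no such order" rather than another library's purchase history.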
Consider this scenario: Acme Library Supply, a major supplier
of books to school libraries, created a secure ordering
Web site for its customers. Acme does not sell to the general
public because it carries books at a steep discount for
library use, and is not set up to collect sales tax because
libraries are exempt. Most of Acme's customers are located in North America, although Acme also supplies books to a few South American and European schools.
An operations manager at Acme noticed that her department had
been fulfilling a large number of orders for a specific
South American customer. She contacted a member of the
systems team, concerned that the orders were being faked.
A check of the log files showed that the orders were coming from a large number of Internet Protocol (IP) addresses across Brazil, Venezuela, and Peru. The systems administrator did a Google search for the affected customer's username and found he had posted his username and password on a Web forum, inviting people to use his account to order books. When the books arrived, the customer would forward them to the appropriate parties.
There was nothing wrong with Acme's access control system. It
worked perfectly. The access control weakness was the
customer who publicly shared his authentication information.
The scenario emphasizes the point that it's not enough to create
a strong logical or physical access control system and
forget about it. Employees must be trained to recognize and
report anomalies that may suggest an access control
failure.
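The log check the systems team ran by hand can be automated, so that the anomaly is reported before an operations manager has to notice it. The script below is an added example, not Acme's tooling; the log format, usernames, IP addresses and the GEOIP table are all constructed for it, and the thresholds are assumptions to tune to a real customer base. It flags any account whose orders arrive from more source addresses or countries than a single school library plausibly has.

```python
"""Detecting one customer credential used from many places (added example).

The log format below is constructed for this example; it is not Acme's real
log format. The GEOIP table stands in for a real IP-to-country lookup.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2009-03-02T09:14:07Z order user=libsur ip=200.1.2.3 order=50011
2009-03-02T09:20:41Z order user=libsur ip=190.5.6.7 order=50012
2009-03-02T11:02:13Z order user=libsur ip=181.8.9.10 order=50013
2009-03-02T13:45:59Z order user=libsur ip=186.11.12.13 order=50014
2009-03-02T14:10:02Z order user=libsur ip=200.1.2.3 order=50015
2009-03-02T10:00:00Z order user=pslib ip=198.51.100.7 order=50016
2009-03-02T10:30:00Z order user=pslib ip=198.51.100.7 order=50017
2009-03-03T08:05:00Z order user=libsur ip=201.14.15.16 order=50018
this line is garbage and must be skipped
"""

GEOIP = {  # hypothetical mapping; a real deployment would query a GeoIP database
    "200.1.2.3": "BR", "190.5.6.7": "VE", "181.8.9.10": "PE",
    "186.11.12.13": "BR", "201.14.15.16": "PE", "198.51.100.7": "US",
}


def parse_line(line):
    """Parse '<timestamp> order k=v k=v ...' into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "order":
        return None
    try:
        rec = {"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if sep:
            rec[key] = value
    return rec if "user" in rec and "ip" in rec else None


def summarize(log_text):
    """Per-username counters: orders, distinct source IPs, distinct countries."""
    per_user = defaultdict(lambda: {"orders": 0, "ips": set(), "countries": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbage rather than crash the whole run
        stats = per_user[rec["user"]]
        stats["orders"] += 1
        stats["ips"].add(rec["ip"])
        stats["countries"].add(GEOIP.get(rec["ip"], "??"))
    return per_user


def find_shared_accounts(log_text, max_ips=3, max_countries=1):
    """Flag usernames whose orders come from more sources than one library
    plausibly has. Returns [(user, orders, distinct_ips, sorted countries)].
    The thresholds are assumptions to tune per customer base."""
    flagged = []
    for user, stats in sorted(summarize(log_text).items()):
        if len(stats["ips"]) > max_ips or len(stats["countries"]) > max_countries:
            flagged.append((user, stats["orders"], len(stats["ips"]),
                            sorted(stats["countries"])))
    return flagged


if __name__ == "__main__":
    for user, orders, ips, countries in find_shared_accounts(SAMPLE_LOG):
        print(f"{user}: {orders} orders from {ips} IPs in {', '.join(countries)}")
```

On the constructed log, libsur is flagged (six orders from five addresses in three countries) while pslib, ordering from one address, is not. The same report would not have distinguished a shared password from a stolen one; either way the right response is to reset the credential and talk to the customer, which is what the administrator's follow-up search did by hand.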
MAINTAIN COMPETITIVE ADVANTAGE
In a competitive marketplace, information can be a key
advantage point. Trade secrets, product specifications, and
business methods are all resources to be leveraged. However, if
the competition also has access to the same
information, the value of the information is considerably lower.
Keeping secret information out of the hands of the
competition is clearly an access control problem that requires
several layers of defense:
Need to know and least privilege—Only those employees with a legitimate need should have access to sensitive information such as trade secrets and product formulations. The more people who know and have access to this information, the higher the likelihood that it will be intentionally or accidentally divulged.
Technological access controls—Strong password policies should
be enforced using scripts that reject weak
passwords. Intrusion detection systems and firewalls should be
in place to protect information stored on network
resources.
Physical security—Key facilities such as server rooms and data
warehouses should be locked at all times.
Visitors should be escorted to and from their destinations.
Administrative policies—Policies should be in place to handle
lost or stolen ID badges, acceptable use of
computers and other resources, and other potential security
risks.
Employee training—Employees should be trained to recognize
social engineering tactics and know how to
handle those situations. They should also be periodically re-
trained in security policies and best practices.
Taking these steps will minimize the risk of corporate espionage
or accidental sharing of secret information that could
lead to a loss of competitive advantage.
Risk and Risk Mitigation
As you recall from Chapter 2, there are four ways to handle
risk:
Risk avoidance
Risk acceptance
Risk transference
Risk mitigation
Each of these methods has its benefits as well as some
drawbacks. Choosing the correct method depends upon the
specific situation and goals of the organization.
RISK AVOIDANCE
Risk avoidance is choosing to avoid an activity that carries
some element of risk. For example, you may choose not to
take your vacation in an active war zone, regardless of how
much natural beauty may be found in that part of the
world. Risk avoidance always carries with it some aspect of loss. In the vacation example, you lose the chance to experience the natural beauty that exists in that area, but you avoid the risk of being harmed. In this case, the risk to be avoided—possible injury or worse—is more pressing than the missed opportunity—seeing the natural beauty in a certain part of the world.
Risk avoidance is not always the best answer to a problem.
Doing business in the healthcare industry carries a certain
level of legal risk due to federal regulation. If your business
does not comply with regulations, you could face fines or
even prison time. However, if you choose not to do business in
that industry, you lose out on the potential profits of a
multi-billion dollar industry. In this case, avoidance is not the
answer.
RISK ACCEPTANCE
Risk acceptance is simply accepting the risks and doing what
you need to do anyway. Firefighters, police officers, military personnel, and other individuals in high-risk occupations do this every day. A firefighter knows that she risks her life every time she responds to an emergency call. She could choose to stay behind at the fire house, but she knows that her skills are needed and that her efforts may save lives. She accepts the risk to her personal safety in order to fulfill a greater good.
NOTE
Businesses must accept any risk they cannot avoid, transfer, or
mitigate.
RISK TRANSFERENCE
Risk transference is shifting responsibility for a risk to a third
party. This is a tricky subject because sometimes risk
transference makes sense and other times it is simply a way of
institutionalizing the scapegoat.
Purchasing health insurance is one way of transferring risk.
Consider the following scenario: A woman slips on the ice
on her driveway and loses consciousness. She is rushed to the
emergency room where the doctors perform an MRI
exam and diagnose her with a serious concussion. She goes
home several hours later with a prescription for painkillers
and instructions to rest.
Without health insurance—a method of risk transference—this
event would have cost the woman several thousand
dollars in hospital and physician fees. These fees would have
caused her serious financial hardship. However, because
she had health insurance, she paid only a small co-pay fee. The
risk of a major medical expense was transferred to the
insurance company. In this situation, risk transference makes
sense.
Not all risk transference situations are as effective. Consider the
case of a small medical practice. Because it operates
in the healthcare industry, it is subject to HIPAA regulation, as
discussed in Chapter 4. A small business, the medical
practice is without the resources to manage compliance itself,
so it hires a third-party compliance firm. Unfortunately,
the compliance firm cuts corners and the medical practice
discovers the problem during an official audit.
The compliance firm is contractually responsible for the
medical practice's non-compliance, but the officers of the
medical practice are still held personally responsible for
bringing the practice back into compliance and paying any
fines associated with their non-compliance. The medical
practice could sue the compliance firm for financial losses,
but the suit would likely drain the practice of funds necessary to
continue doing business.
In this case, while the risk of non-compliance was contractually
transferred from the medical practice to the
compliance firm, in the end the medical practice was still
penalized and held responsible for the actions of its
contracted compliance firm.
RISK MITIGATION
Risk mitigation is a strategy that combines attempts to minimize
the probability and consequences of a risk situation.
Access control is an example of risk mitigation. It attempts to
minimize the probability of a risk situation by denying
unauthorized users access to resources. It also minimizes the
consequences of a breach by isolating one user's data
from data owned by other users.
For example, the CEO of Acme Devices receives phone calls
from several board members who are concerned about an
article that was published in the Wall Street Journal, giving
detailed specifications for the company's newest high-
tech product. He believes the information must have come from
an internal source, and upon investigation finds out
that the Research and Development folder on the network is
accessible to all employees. Any one of them could have
been the source for the Wall Street Journal article.
Had this proprietary information been properly secured with
strong access controls, only the engineers within the
research and development (R&D) department—those who had a
legitimate need for the information—would have had
access to the product specification documents. Restricting
access to employees within the R&D department would not,
by itself, prevent the information leak, but it would minimize
the opportunity. The reporter from the Wall Street
Journal would have had to contact a member of a specific
department, reducing the number of leak opportunities
from several thousand—the total number of employees of Acme
Devices—down to a few dozen—the number of
employees in the R&D department.
Access controls are not the only answer to risk and risk
mitigation, but they are an important part of the solution.
Differences To Keep in Mind
As you recall from Chapter 2, there are significant differences
between threats, risks, and vulnerabilities:
A "vulnerability" is any weakness in a system that can be exploited.
A "threat" is a potential attack upon a system.
"Risk" is the likelihood that a particular threat will exploit a vulnerability, together with the harm that would result. The degree of risk is measured in terms of probability and impact.
Threats and Threat Mitigation
Any organization faces certain types of threats to its IT
infrastructure. The goal of access control is to mitigate those
threats as much as possible.
There are three main threat categories that you need to be
concerned with:
Information confidentiality—Ensuring that private or sensitive
information is not disclosed to unauthorized
individuals
Information integrity—Ensuring that data has not been modified
without authorization
Information availability—Ensuring that information is available
to authorized users when they need it
A good access control system will guard against all three
primary threat categories. It will restrict access to sensitive
information to authorized users and deny access to anyone else.
It will provide an audit trail to prove that
unauthorized individuals have not altered data. Finally, it will
prevent unauthorized users from destroying data or
launching denial of service (DoS) attacks, making data
unavailable to authorized users.
For example, consider the Acme Aeronautics Company. It
designs experimental aircraft, primarily for military use. Its
design specifications are considered highly sensitive. If those
specifications were to be divulged to the wrong people,
at best Acme could lose its biggest customer to a competitor
that could produce the same technology less expensively
(having not invested millions in research and development). At
worst, enemy nations could use those specifications to
design weapons systems to exploit the weaknesses of those
aircraft.
Any access control system designed to protect those
specifications documents must account for all three threat
categories:
It must ensure that information is not disclosed, either
accidentally or intentionally, to unauthorized individuals.
This is the primary purpose of the access control system, and
where the majority of resources are devoted. To
accomplish this goal, a two-stage authentication system is
implemented, which requires individuals to use a
challenge-response token in order to access the login screen for
the file server that stores specification documents.
It must ensure the integrity of the information. If design
specification documents are changed even slightly, the
planes that are built from those specifications could
catastrophically fail. To meet this goal, the documents are
placed under version control that notifies the entire project
team, as well as departmental management, any time
a key document is changed. This ensures that an official
document cannot be changed outside of the approved
workflow.
It must ensure that the data is available to authorized users.
Physical access controls on the data center are the
primary method for meeting this goal. If the data center is
compromised, the data stored there could be stolen or
destroyed. Security guards, biometric scanners, and smart card
ID badges work together to maintain physical
security on the data center.
Vulnerabilities and Vulnerability Management
A vulnerability is a weakness in a system that can be exploited.
Every system has vulnerabilities, so a good access
control system must manage those vulnerabilities to minimize
the risk of exploitation. The most common
vulnerability categories you will need to manage are:
Operating system—All operating systems are vulnerable to a variety of threats including viruses and other malware, unauthorized access, and buffer overflow attacks. As new attack vectors are discovered, operating system vendors release patches to fix the flaws. Keeping the operating system up to date is the most important thing you can do to manage vulnerabilities in the operating system.
Applications—Applications can introduce vulnerabilities into a system either through design flaws in the application itself or through bugs in the language runtime and libraries used to build the application. Thorough testing and prompt patching are the only ways to manage this vulnerability, as you will probably not have complete control over the application design process. Even if all of your applications are coded in house, you will not have control over the design of the programming languages and libraries you use.
Users—Users are primarily vulnerable to social engineering
tactics and insecure password practices, as covered in
earlier chapters. Training and policy mandates are the best way
to manage user vulnerabilities.
TIP
The best way to manage vulnerabilities using access controls is by running each application as its own unprivileged user. This way, even if an application does have a vulnerability that is exploited, the damage is limited to what that one account can reach.
Consider a shared Web hosting firm. It has dozens of clients,
each running various applications on their Web sites.
The Web sites are hosted on a few shared servers.
Unfortunately, one of those clients installs an insecure message board on one of the shared servers. Through the message board
application, attackers are able to gain access to the
client's Web hosting account, and then the administrative tools
of the shared server. The attackers deface every Web
site hosted by the shared Web server. They also install a
backdoor and dozens of spam bots on the shared Web server.
The server administrator learns of this problem when his
customers call him asking why their Web sites have been
taken down and replaced with a defacement page. It takes the
administrator several days to completely remove the
artifacts left by the attacker, and to have his clients' Web sites
removed from the spam blacklists.
If this shared Web server had better access controls, the attack still might have happened, but the effects would have been limited to a single client instead of the entire server. The message board application should have been run as its own unprivileged user, separate from the client's own account, and each client should have been strictly segregated from the others.
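The TIP and the hosting scenario come down to one mechanism: the worker process must give up privileges it cannot get back. The code below is an added example, not the hosting firm's software; the uid/gid 65534 used when running as root is assumed to be the conventional nobody account, and run_as is only meaningful when the parent is started as root.

```python
"""Dropping privileges for a per-client worker (added example, not the
hosting firm's code). Shows the irreversible setgroups/setgid/setuid
sequence and a self-check that root cannot be regained."""
import os
import pwd


def drop_privileges(uid, gid):
    """Permanently become uid/gid, then prove the change cannot be undone.

    Order matters: supplementary groups, then primary group, then user. Once
    the uid is unprivileged the first two calls would fail with EPERM.
    Returns True only if we now run as uid/gid and setuid(0) is refused.
    """
    if os.geteuid() == 0:
        os.setgroups([])      # drop inherited supplementary groups (root only)
    os.setgid(gid)
    os.setuid(uid)            # sets real, effective and saved uid together
    try:
        os.setuid(0)          # a real drop makes this fail with EPERM
    except PermissionError:
        return os.getuid() == uid and os.getgid() == gid
    return False              # we got root back: only the effective uid changed


def run_as(client_user, argv):
    """Fork, drop to client_user's own uid/gid in the child, then exec argv
    (for example the client's message board). Needs root in the parent.
    Each hosting client gets its own account, so an exploited application
    can only reach that client's files and processes."""
    pw = pwd.getpwnam(client_user)
    pid = os.fork()
    if pid == 0:
        try:
            if not drop_privileges(pw.pw_uid, pw.pw_gid):
                os._exit(111)
            os.chdir(pw.pw_dir)
            os.umask(0o077)   # new files are private to this client
            os.execvp(argv[0], argv)
        finally:
            os._exit(112)     # reached only if something above raised
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)


def demo_drop():
    """Exercise drop_privileges safely: if running as root, drop to the
    conventional 'nobody' ids 65534/65534 (an assumption about the host);
    otherwise re-assert our own ids, which still runs the root-regain check."""
    if os.geteuid() == 0:
        return drop_privileges(65534, 65534)
    return drop_privileges(os.getuid(), os.getgid())


if __name__ == "__main__":
    print("dropped and verified:", demo_drop())
```

Dropping in the wrong order, or using seteuid instead of setuid, leaves the saved user ID at 0, which is exactly the case the final setuid(0) probe catches. In the hosting scenario each client application would be launched through run_as under that client's own account, with its document root readable only by that account, so a hole in one client's message board cannot reach the other clients' files or the server's administrative tools.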
Solving Business Challenges with Access Control Strategies
The key to applying access controls to solving business
challenges is in taking a systematic approach to designing a
comprehensive strategy. As you consider each element of access
control, you will begin to see how various strategies
interrelate to form a multilayered security system.
The first step in creating a comprehensive access control
strategy is to define your subjects and objects.
NOTE
Remember, a "subject" is anything that acts upon another entity.
An "object" is anything that is passively acted
upon by a subject.
The most common subjects are:
Users—They are generally the individuals who need access to resources. In some cases, applications can also have user accounts. The most common example of this scenario is a Web server application that is typically run under a dedicated low-privilege account such as "nobody".
Applications—Applications often access the file system directly
by reading or writing files, make database
connections, and utilize the mail system on a server. These are
all access control requests to be managed securely.
Network devices—A proxy on one network will often request access to resources on another network, on behalf of a user or application on its own network. The proxy is, in effect, making an access control request, and is therefore acting as a subject.
Your infrastructure may have other subjects. These are simply
the most common types of subjects. Once you have
defined all the subjects in your infrastructure, you can begin to
categorize them into groups and roles.
Groups are useful because they allow you to generalize the
access privileges needed by several subjects. They also
allow you to create specialized combinations of privileges by
adding a subject to two or more groups. To remove
certain access privileges, you would simply remove the subject
from one or more groups.
Roles also allow you to generalize, and separate a subject's
function from its identity. For example, Bob Smith may
hold the role of user on his workstation most of the time, and
the role of administrator only when he needs to install a
new application. Rather than assigning administrative rights to
Bob's user account when he only needs those rights
occasionally, he will have access to two separate role-based accounts.
Once you have defined your subjects, you will need to similarly
define your objects, or the data and resources in your
infrastructure. This list of objects should contain every
significant asset, as well as notes about the asset's worth and
value to the organization.
Employees with Access to Systems and Data
Even non-sensitive data should be stored under some level of
access control. For example, the company newsletter is
available to every employee, but should not be available to the
general public. As soon as you limit access to data or
resources, you have an access control scenario. Some employees
will have no need to access IT systems and data. The
custodians and groundskeepers, for example, will probably not
need access to the network or the data stored there.
They may, however, need access to the automated time clock
system or the maintenance schedules stored on the
company intranet. Whether certain employees require access to
IT resources depends upon the individual
organization and its business processes.
WHO NEEDS ACCESS TO WHICH RESOURCES?
When creating an access control strategy, the main question to ask is "Who needs access to what?" If a user does not have a legitimate need to access data or resources, they should not be granted access. If they do need access at some point in the future, their access privileges can be modified then.
Do not be tempted to assign high levels of access to a
user simply based upon his or her status within the organization.
Chances are the executive vice president of
accounting does not actually need administrative rights to the
Web server. Assigning those rights to that user would
represent a significant vulnerability in the access control system
because it is unlikely that the executive vice president
of accounting has the technical knowledge and background to
safely administer the Web server.
CREATING GROUPS AND ROLES
When deciding which users need access to resources, try to
think in terms of roles or job functions, rather than
individuals. Individuals may leave the company at any time, and
some other individual will be found to take over their
roles. As discussed above, an individual may hold several roles
depending upon the task at hand.
Groups and roles also simplify the task of administering
permissions. Take the scenario of an employee who transfers
from one department to another. Rather than individually
auditing the employee's permissions, the systems
administrator simply needs to remove the employee from the old department's group and add them to the new department's group.
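The transfer scenario above, as an added example that is not part of the book: a small group directory in which permissions are attached only to groups, so that moving Bob from accounting to sales is one removal and one addition, and an executive's seniority by itself grants nothing. Group names, users and permissions are all constructed.

```python
"""Group-based permission evaluation (added example, not from the book).

Policy and users are constructed for the example. Permissions are granted
only to groups; a user's effective rights are the union of the groups they
belong to, so a department transfer is a group change, not a per-object audit.
"""
from collections import defaultdict

GROUP_PERMISSIONS = {
    "staff":      {("newsletter", "read"), ("timeclock", "punch")},
    "accounting": {("ledger", "read"), ("ledger", "write"), ("payroll", "read")},
    "sales":      {("crm", "read"), ("crm", "write"), ("price-list", "read")},
    "webadmin":   {("webserver", "admin"), ("webserver", "restart")},
}


class Directory:
    """Minimal group directory: users are mapped to groups, never to permissions."""

    def __init__(self, group_permissions):
        self.group_permissions = group_permissions
        self.groups_of = defaultdict(set)

    def add_to_group(self, user, group):
        if group not in self.group_permissions:
            raise KeyError(f"unknown group {group!r}")
        self.groups_of[user].add(group)

    def remove_from_group(self, user, group):
        self.groups_of[user].discard(group)

    def effective_permissions(self, user):
        """Union of everything the user's groups grant."""
        perms = set()
        for group in self.groups_of.get(user, ()):
            perms |= self.group_permissions[group]
        return perms

    def is_allowed(self, user, obj, action):
        # Default deny: anything not granted by some group is refused.
        return (obj, action) in self.effective_permissions(user)

    def transfer(self, user, old_dept, new_dept):
        """Department move: swap one group for another. Memberships such as
        'staff' that are unrelated to the department are untouched."""
        self.remove_from_group(user, old_dept)
        self.add_to_group(user, new_dept)

    def explain(self, user, obj, action):
        """Which groups grant this permission (empty list means denied)."""
        return sorted(g for g in self.groups_of.get(user, ())
                      if (obj, action) in self.group_permissions[g])


def sample_directory():
    d = Directory(GROUP_PERMISSIONS)
    d.add_to_group("bob", "staff")
    d.add_to_group("bob", "accounting")          # Bob starts in accounting
    d.add_to_group("webmaster", "staff")
    d.add_to_group("webmaster", "webadmin")
    d.add_to_group("evp-accounting", "staff")    # status alone grants nothing extra
    d.add_to_group("evp-accounting", "accounting")
    return d


if __name__ == "__main__":
    d = sample_directory()
    print("bob ledger/write before transfer:", d.is_allowed("bob", "ledger", "write"))
    d.transfer("bob", "accounting", "sales")
    print("bob ledger/write after transfer: ", d.is_allowed("bob", "ledger", "write"))
    print("bob crm/write after transfer:    ", d.is_allowed("bob", "crm", "write"))
    print("evp webserver/admin granted by:  ", d.explain("evp-accounting", "webserver", "admin"))
```

The explain method is the audit hook: when someone asks why a user can do something, the answer is a list of groups rather than a search through individual grants, and an empty list for the executive vice president's Web server access is the intended result.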
EXTERNAL ACCESS TO SYSTEMS AND DATA
Finally, determine whether any external subjects will have
access to internal systems and data. An external subject is
anyone who is outside the organization's physical and network
boundaries. Why would someone outside the
organization need access to internal systems and data? The
following is a list of common external subjects who have a
legitimate need to access internal resources:
Third-party vendors and application service providers (ASPs)
External contractors
Employees with remote access
Each of these subjects needs some of the same rights and access to resources as an internal employee, and like internal employees, they should be restricted to the lowest level of privilege needed to perform necessary tasks. Employees who work remotely are a special case here, because they are both internal and external. They are employees, but they access resources from outside the organization's network and physical boundaries. The primary access control challenge with remote workers is that of creating a virtual private network (VPN) and ensuring that sensitive data is not compromised due to a lack of infrastructure security at the employee's location, which could be their home, a coffee shop, or some other public place.
Once you have determined who should have access to resources
in general, you can go further and consider which
employees should have access to sensitive systems and data.
Employees with Access to Sensitive Systems and Data
At this point, you already have a comprehensive list of objects.
Now you should go back over that list and note which
of those objects should be considered sensitive. Consider that a
variety of factors may make a given system or data set
sensitive:
Regulatory compliance
Privacy—either for customers or employees
Business continuity
Competitive advantage
Any system or data resource that, if it were lost, stolen, damaged, altered, or publicly divulged, would cause a significant negative impact to the organization should be considered sensitive.
Administrative Strategies
Once you know what subjects to account for and which objects
to protect with access controls, you can devise
administrative strategies to support access controls. There are
two issues to consider when defining administrative
access control strategies around new and expiring accounts:
How will new accounts be created and new access levels be
granted?
How will accounts be removed and access levels be lowered?
New employees and employees who take on additional job
functions may need new accounts. Employees who are
given temporary responsibilities may need higher access levels
for the duration of their increased responsibility.
Normally, a manager fills out an account request form, which explains what access is needed and what business need this access will fill. The form should also specify whether the new account or heightened access is temporary (and when it will expire) or permanent. The manager submits the form to the security team, which reviews the request and either approves or denies it. Once the request is approved, it is forwarded to a member of the accounts team to actually create the account or modify the user's access level.
Access levels that were granted temporarily should be lowered
as soon as the need for heightened access is no longer
present, and accounts for employees who leave the company
should be removed immediately.
The workflow to remove or downgrade accounts is similar to
that described for creating accounts. A manager fills out
an account request form, submits it to the security team, who
forwards it to the accounts team. When an employee is
terminated or leaves the company, his or her accounts should be
locked immediately.
Keep in mind that the goal of these administrative strategies is
to minimize the human error inherent in any access
control strategy.
Technical Strategies
The technical aspect of an access control strategy may include
some or all of the following techniques:
Discretionary access control (DAC)—Access control system where rights are assigned by the owner of the resource in question
Mandatory access control (MAC)—Access control system where rights are assigned by a central authority
Role-based access control (RBAC)—Access control system where rights are assigned based on a user's role (as discussed earlier in the chapter) rather than his or her identity
Automated account review—All accounts should be reviewed
periodically to ensure that they still need the
access to resources and privileges they currently hold. As job
functions change and evolve, so do their access
needs. An automated system cannot replace human knowledge
of business processes and the resources those
processes require, but it can determine which access rights have
not been used recently. Unused rights are a
vulnerability in any system.
Automated expiration of temporary access—When accounts are
created for temporary employees or access
levels are temporarily raised, those accounts should be
downgraded or removed promptly. Automated expirations
are an easy way to ensure that a temporary account is not
forgotten and left sitting around on the system, just
waiting to be exploited.
Every organization has unique business challenges, so there is no one-size-fits-all technical access control strategy. Use the methods and techniques that make sense for your situation.
Separation of Responsibilities
The principle of separation of responsibilities is designed to ensure that if an attacker compromises one account, he or she will be denied access to highly sensitive information because it is protected by two separate conditions. Both conditions must be met in order for access to be granted. If one condition is met but not the other, access is denied.
Separation of responsibilities is a strategy that is used
extensively in many areas:
NOTE
The terms "separation of duties" and "segregation of duties" are synonymous with "separation of responsibilities."
Accounting department employees usually do not have the
ability to create new vendors and cut checks. This
policy exists to prevent a single employee from creating a fake
vendor, then creating checks made out to the fake
vendor. It will take at least two employees working in tandem to
embezzle this way. The two conditions that must
be met to pay a new vendor are executed by two separate
employees: one to create a vendor and one to cut checks.
Safe deposit boxes usually have two keys that are kept
physically separate. Both keys must be present to open the
box.
Missile launch procedures require two military officers of sufficient rank to give the correct command and turn launch keys in order to arm a missile launch system. A single officer is not sufficient, as this would place too much power in the hands of a single individual.
In access control systems, separation of responsibilities has two
aspects: compartmentalization and dual conditions.
Compartmentalization is the practice of keeping sensitive
functions separate from non-sensitive ones. In practice,
this is implemented by isolating programs running under one
user account from other users. Dual conditions are most
often implemented through two-stage authentication methods,
which require both a biometric scan and a password,
or a token device and a password to grant access.
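The accounting example above, as an added example that is not from the book: a constructed accounts-payable model that enforces the separation both statically (no one may hold the vendor-creation and check-writing roles at the same time) and dynamically (a check is never cut by the person who created the vendor), so paying a fake vendor needs two colluding employees.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Static separation: role pairs that one person must never hold together.
CONFLICTING_ROLES = {frozenset({"vendor_admin", "check_writer"})}


class SeparationOfDutiesError(Exception):
    """Raised when an action would let one person satisfy both conditions."""


@dataclass
class Vendor:
    vendor_id: str
    created_by: str


@dataclass
class Check:
    vendor_id: str
    amount: int        # cents
    cut_by: str


@dataclass
class AccountsPayable:
    roles: Dict[str, Set[str]] = field(default_factory=dict)
    vendors: Dict[str, Vendor] = field(default_factory=dict)
    checks: List[Check] = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> None:
        """Grant a role unless it would combine two conflicting roles."""
        held = self.roles.setdefault(user, set())
        for pair in CONFLICTING_ROLES:
            if role in pair and (held & pair) - {role}:
                raise SeparationOfDutiesError(
                    f"{user} already holds a role that conflicts with {role}")
        held.add(role)

    def _require(self, user: str, role: str) -> None:
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks role {role}")

    def create_vendor(self, user: str, vendor_id: str) -> Vendor:
        """Condition one: only a vendor_admin may create a payee."""
        self._require(user, "vendor_admin")
        if vendor_id in self.vendors:
            raise ValueError(f"vendor {vendor_id} already exists")
        vendor = Vendor(vendor_id, created_by=user)
        self.vendors[vendor_id] = vendor
        return vendor

    def cut_check(self, user: str, vendor_id: str, amount: int) -> Check:
        """Condition two: only a check_writer, and never the vendor's creator."""
        self._require(user, "check_writer")
        vendor = self.vendors.get(vendor_id)
        if vendor is None:
            raise ValueError(f"unknown vendor {vendor_id}")
        # Dynamic separation: even if the role table were misconfigured,
        # the same person cannot complete both steps for one vendor.
        if vendor.created_by == user:
            raise SeparationOfDutiesError(
                f"{user} created vendor {vendor_id} and may not pay it")
        check = Check(vendor_id, amount, cut_by=user)
        self.checks.append(check)
        return check
```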
Least Privilege
The principle of least privilege is based on the idea that a subject—whether a user, application, or other entity—should be given the minimum level of rights necessary to perform their legitimate functions. The purpose of this principle is that if an account is compromised, an attacker will have a minimal set of privileges and will not be able to use the compromised account to do real damage to the entire system.
In practice, the principle of least privilege is usually
implemented as least user access (LUA), which requires that
users commonly log onto workstations under limited user
accounts. Administrative accounts should be reserved for
administrators, and then only used when performing
administrative tasks.
RISKS ASSOCIATED WITH USERS HAVING
ADMINISTRATIVE RIGHTS
On a server, having an administrator logged into a privileged
account can create an opportunity for an attacker to
hijack the administrative session.
NOTE
On Windows servers, the administrator account is called
Administrator. On UNIX and Linux servers, the
administrator account is called root.
If an administrator regularly logs into the server using the
administrative account to perform routine tasks, the
window of opportunity is larger than if that account is only
activated for specific tasks and promptly logged off.
Workstations are not usually connected directly to the Internet, as a server is, so the risk is much lower that an attacker will attempt to hijack the administrator account. On a workstation, the major risks of allowing users to log onto the administrator account for routine tasks are malware and misconfigurations.
Malware, such as viruses, Trojan horses, and spyware, usually requires administrative privileges to install, just as any other application does. If a user is logged in as administrator on his or her workstation, the chances of infection by any given piece of malware are greater.
The risk of misconfigurations is based on the fact that many
users are not experts in computer maintenance and
configuration. If users without sufficient knowledge attempt to
change their firewall settings because they read a blog
post or heard someone talking about the latest virus, they are
likely to do more harm than good.
COMMON ROLES
There are three common roles on any system, either workstation
or server: administrator, user, and guest. Many
systems have other customized roles as well, but the ones
discussed here are the ones you will find on any system.
Administrator.
The administrator, or root user, has the ability to perform most tasks on a system. At a minimum, the administrator can:
Create user accounts and assign privileges.
Install software and devices.
Perform low-level system maintenance tasks, such as registry
maintenance, start and stop services, install drivers,
and manage log files.
This is by no means an exhaustive list of the tasks an
administrator can perform. These are simply the primary
categories of tasks for an administrator.
NOTE
Some user accounts are limited to a subset of the applications
installed on a computer. It does not make
sense to enable a user account to run the user-creation
application because that is an administrative task.
User.
There will usually be more than one user account on any given
system. Some user accounts are tied to individuals,
while others are used by applications. In general, a user account
can:
View the status of services, drivers, processes, and so on.
Run programs.
View log files.
Make limited changes to registry entries.
Add, modify, and delete data and files owned by that user.
This is the most common type of account, and may be further
defined into specific types of users with more granular
privileges.
Guest.
Some systems will have a guest or anonymous account. Others
will have this account disabled or removed. The guest
account is a severely limited version of a user account that is
enabled to run only specified programs and view specific
data. On a system without a clear need for a guest account, it
should be disabled or removed. An attacker could
potentially use the guest account to attack the more privileged
accounts on the system.
Need to Know
Users should be given access to the minimum amount and sensitivity levels of data and resources necessary to perform essential functions. If a user does not need to know the Social Security number of a client in order to do his or her job, he or she should not be given access to that information.
WARNING
In practice, it is rare—and a bad idea—for an authentication system to query a database with a plain-text password. More likely, the system will query the database with the result of a password hash function.
There are three basic levels of need for information:
Existence of information—At this level, the subject only needs
to know whether or not a certain piece of
information exists, or if it matches a predefined pattern.
Username and password authentication systems are a
good example of this level of need.
FYI
When users enter their usernames in an authentication system, the system sends a request to the database: "Does a record with the supplied username exist?" If the record exists, the database returns the Boolean result TRUE. If the record does not exist, the database returns FALSE. Likewise, when users enter their passwords, the system sends another request to the database: "Does the password in the database record keyed on the supplied username match the user-supplied password?" Again, the database will return a Boolean result, either TRUE or FALSE. The authentication system does not need to know what the password associated with a user record is; it simply needs to know if the user-supplied password matches what is stored in the database.
View partial information—This is the most common level of
need. Most users will need to know some
sensitive information, but not all. For example, an office
manager preparing a letter to be sent to a firm's entire
client list will need to know the clients' directory information—
names and addresses—but will not need those
clients' Social Security or account numbers. Another employee
in the accounting department may need clients'
account numbers but not their directory information.
View full record—The need for this level of access is rare, and
should only be granted to those who cannot
perform their job functions with partial access to information.
In all cases, the need to know principle dictates that users only
be granted access to the information they actually
need, and no more.
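The two Boolean queries described in the FYI above, as an added example that is not code from the book: a constructed in-memory record store that holds only salted password hashes (as the WARNING recommends), answers "does this record exist?" and "does the supplied password match?" with TRUE or FALSE, and never hands the stored hash back to the authentication system.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed in-memory "database": username -> (salt, PBKDF2 hash).
# The record holds a hash, never the plain-text password.
RECORDS: Dict[str, Tuple[bytes, bytes]] = {}

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for this example


def _derive(password: str, salt: bytes) -> bytes:
    """Hash a password with its per-user salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_record(username: str, password: str) -> None:
    """Provisioning step: store a fresh random salt and the derived hash."""
    salt = os.urandom(16)
    RECORDS[username] = (salt, _derive(password, salt))


def record_exists(username: str) -> bool:
    """First query: does a record keyed on this username exist? (TRUE/FALSE)"""
    return username in RECORDS


def password_matches(username: str, supplied: str) -> bool:
    """Second query: does the stored credential match the supplied password?

    The comparison happens here, on the database side; the caller only learns
    TRUE or FALSE and never sees the stored hash. compare_digest keeps the
    comparison time independent of how many leading bytes agree.
    """
    record = RECORDS.get(username)
    if record is None:
        return False
    salt, stored_hash = record
    return hmac.compare_digest(stored_hash, _derive(supplied, salt))


def authenticate(username: str, supplied: str) -> bool:
    """The authentication system's view: two Boolean answers, nothing more."""
    return record_exists(username) and password_matches(username, supplied)
```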
Input/Output Controls
Input and output controls dictate a user's ability to interact with devices and data. The guiding principle for input and output controls is the same as for everything else: users should have the least access possible to perform their job functions.
INPUT CONTROLS
Input controls dictate how users can interact with data and
devices that introduce new data into a system. For
example, input controls might dictate whether a user is entitled
to write new data files or modify existing rows in a
database. Input controls are also concerned with physical
security such as automatically locking server rooms and
securing unused network jacks on servers. Left unsecured, an
unused network jack could be used to attach an
unauthorized device to the network via a server.
OUTPUT CONTROLS
Output controls are similar to input controls, except that they
are primarily concerned with the output of data,
either to a screen, printer, or another device. A user's ability to
read a data file would be the focus of an output control
rule, as would a system that requires a personal identification
number (PIN) to retrieve print jobs. This type of system
is usually put in place to prevent unattended output on a shared
printer.
Case Studies and Examples of Access Control Systems That
Uniquely Solve Business Challenges
Now that you understand the theory behind designing a comprehensive access control system, let's examine how these systems are implemented in real-world situations.
Private Sector Case Study
Acme Corporation is a large new media company that has recently launched a Software as a Service (SaaS) office suite. This suite includes a word processor, as well as presentation, e-mail, calendar, and spreadsheet applications. Also included are collaboration and Web authoring tools.
Figure 6-1. Portability of SaaS.
SaaS is a new model of software distribution. Instead of simply selling an application, a SaaS vendor offers access to the applications for a small subscription fee. The application and data are stored on the vendor's servers and the customer accesses them remotely. This benefits the customer by lowering operating costs and adding security and portability. SaaS generally costs less, in both upfront and ongoing costs, than buying software in a traditional manner. This is especially true for a small-business environment that may not have the capital necessary for the hardware associated with large centralized applications.
SaaS also adds a new layer of document security; even if a
workstation is physically stolen, the information is safe
because all of the documents are stored on the vendor's servers
instead of the customer's workstation. Storing the
information remotely also gives the customer an amazing
amount of portability. Any system with appropriate access
software can access the data. In Acme's case the office suite is
Web-based, so any system with a Web browser can be
used to access the applications, including smartphones. The
portability of SaaS can be seen in Figure 6-1.
SaaS has its challenges as well. Privacy is a major concern
because multiple organizations will have access to Acme's
systems. Acme's customers do not want other groups or even
Acme employees to have the ability to access their data.
These are concerns above the normal data security issues
internal to an organization. There is also the issue of ease of
use. End users at the organizations using Acme's SaaS do not
expect to have to log into their word processor, for
example. For Acme's SaaS offering to be widely adopted, its
security features must be seamless to end users. While
these problems are daunting, they can be addressed with a well-
designed access control system.
NOTE
Acme's office suite provides services for many organizations from a single server, just as many families might live in a single apartment building. Each organization's data is segregated from the others, but it all resides on the same server.
The first obstacle that Acme needs to address is cordoning off users and organizations to make sure information is not unintentionally shared between unrelated groups. This is handled with an RBAC system. Each organization is a "role" in Acme's design; data is then restricted by role. Only the organization that created the information has access to it initially, but access can be explicitly granted to other roles by sharing the data. Acme's own employees are included in this layer of control, guaranteeing that even internal Acme users can only see the data that they have rights to see.
Acme customers also have the ability to set up a mandatory access control schema. They can set up an administrator or group of administrators for their SaaS applications. These administrators control organization-wide rights to accessing the data. Administrators can explicitly add or deny access to users and groups of users in a manner similar to data that is stored locally. This allows organizations to have strict access controls based on their own access control policies.
There is also the ability to have DAC on user-created data. If an
organization does not have the infrastructure for a
centralized administrator, each document owner can set the
access controls for his or her documents by explicitly
allowing or denying access to other users in the organization,
and even to other organizations.
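The three layers just described, as an added example that is neither Acme's nor the book's code: a constructed model in which each organization is the RBAC role (Acme's own staff get no bypass), the customer's administrators impose mandatory (MAC) rules that owners cannot override, and the document owner's discretionary (DAC) allow/deny list applies last. All user, organization and document names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    org: str  # the organization is the "role" in Acme's RBAC layer


@dataclass
class Document:
    doc_id: str
    org: str      # organization that created the document
    owner: str
    shared_with_orgs: Set[str] = field(default_factory=set)  # RBAC: shared to other roles
    owner_allow: Set[str] = field(default_factory=set)       # DAC: explicit grants to individuals
    owner_deny: Set[str] = field(default_factory=set)        # DAC: explicit denials


@dataclass
class OrgPolicy:
    """MAC layer, set by the customer's own administrators for their organization."""
    deny_users: Set[str] = field(default_factory=set)                 # organization-wide denial
    restrict_doc: Dict[str, Set[str]] = field(default_factory=dict)   # doc_id -> only these users


def can_read(user: User, doc: Document, policies: Dict[str, OrgPolicy]) -> Tuple[bool, str]:
    """Decide read access and report which layer decided it."""
    # Layer 1, RBAC: the document is visible only to its own organization, to
    # organizations it was shared with, or to individuals the owner named.
    # Acme's support staff are just another organization here.
    if not (user.org == doc.org
            or user.org in doc.shared_with_orgs
            or user.name in doc.owner_allow):
        return False, "rbac: organization not permitted"

    # Layer 2, MAC: the owning organization's administrators decide centrally;
    # an owner's DAC settings cannot undo these.
    policy = policies.get(doc.org, OrgPolicy())
    if user.name in policy.deny_users:
        return False, "mac: user denied by administrator"
    restricted_to = policy.restrict_doc.get(doc.doc_id)
    if restricted_to is not None and user.name not in restricted_to:
        return False, "mac: document restricted by administrator"

    # Layer 3, DAC: the owner's own choices for this document.
    if user.name == doc.owner:
        return True, "dac: owner"
    if user.name in doc.owner_deny:
        return False, "dac: denied by owner"
    return True, "dac: allowed"
```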
Acme also wanted to allow customers the ability to verify
document integrity, as required by various regulations. To
achieve this it implemented a granular, robust document logging
and auditing system. Managers and end users can
see what changes were made to a document, who made them,
and when they were made. Users can also revert to a
previous version of a document. This robust logging allows
users to verify the integrity of the information stored in the
system.
Acme also wanted to make all of this security seamless and invisible to the end user. Users are not used to logging in to a word processor or calendar application, and it would be difficult to convince new customers to adopt Acme's SaaS offering if it added a layer of unfamiliarity or complexity to applications that are constantly used and needed in an organization. To avoid this, Acme created an authentication API utilizing Security Assertion Markup Language 2.0 (SAML 2.0). SAML is an XML-based markup language that allows Web applications to pass a security token for user identification. This allows organizations using Acme's SaaS to utilize a single sign-on (SSO) system. The end user logs onto his or her workstation, and that username and password act as the login for Acme's SaaS business suite as well. This also allows organizations to take advantage of existing password complexity and expiration rules.
Utilizing a deep and robust access control system, Acme was
able to provide information privacy and integrity for its
SaaS customers.
Public Sector Case Study
The U.S. military needed a way to communicate information quickly and securely in the rapidly changing environment of a battlefield. Wired communications, while secure and robust, had significant drawbacks. Communications lines could easily be severed, and military personnel were limited to communicating only with fixed locations. Radio and wireless communications removed the threat of cut lines and extended the range of communications, allowing military personnel to communicate with mobile units, but only within a fixed range. Stationary installations were still needed as base stations, and throughput degraded the farther units were from the base station. That led the military to turn to a new type of wireless networking called wireless mesh networking.
Figure 6-2. Mesh network topology.
Wireless mesh networks are based on a distributed network mesh topology. Each node in the network connects to multiple nodes; each node also acts as a router for the nodes it connects to, allowing traffic to hop along multiple paths to a destination. This allows for a very robust and flexible network. The loss of one node will not hurt the network, and nodes can be added at will. The range of the total network is also massive because nodes don't need to be close to a central point. They just need one other node to function. An example of a mesh network can be seen in Figure 6-2.
While a wireless mesh network solved part of the military's
requirements, security remained a major concern. To
make sure the communications were secure the military
implemented both physical and logical access controls on the
network.
For the physical security of the communications, the military uses frequency hopping on the radios connected to the network. The radios are constantly changing frequencies. This allows them to avoid jamming and eavesdropping.
For logical security the mesh network relies on MAC addressing to identify all of the devices in the network. A list of all allowed Media Access Control (MAC) addresses is generated, and each device knows which devices it talks to. A MAC address can be faked, so the nodes also use a shared-secret encryption key to handle security. When devices in the network first link together, they authenticate each other using public key infrastructure (PKI), then develop a shared key, which is renewed periodically, to handle encryption. Any communications between nodes can then be validated with that key. These two network access control methods give the military the ability to secure its wireless communications.
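The two logical controls just described, as an added example that is neither the military's nor the book's code: a constructed node accepts a frame only if its source MAC is on the allow list and its HMAC tag verifies under the current shared key, so a spoofed MAC without the key is rejected, as is a frame tagged under a key that has since been rotated. The PKI handshake that establishes the first shared key is assumed to have already happened; the MAC addresses and keys are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed allow list of node MAC addresses (locally administered range).
ALLOWED_MACS: Set[str] = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}


@dataclass(frozen=True)
class Frame:
    src_mac: str
    key_epoch: int   # which shared key the sender used
    payload: bytes
    tag: bytes       # HMAC-SHA256 over src_mac, epoch and payload


class MeshNode:
    def __init__(self, mac: str, allowed: Set[str], shared_key: bytes) -> None:
        self.mac = mac
        self.allowed = allowed
        self.key_epoch = 0
        self.key = shared_key   # assumed to come from the PKI handshake

    def rotate_key(self, new_key: bytes) -> None:
        """Periodic renewal: frames tagged under the old key are no longer accepted."""
        self.key_epoch += 1
        self.key = new_key

    def _tag(self, src_mac: str, epoch: int, payload: bytes) -> bytes:
        msg = src_mac.encode() + epoch.to_bytes(4, "big") + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def send(self, payload: bytes) -> Frame:
        return Frame(self.mac, self.key_epoch, payload,
                     self._tag(self.mac, self.key_epoch, payload))

    def accept(self, frame: Frame) -> Tuple[bool, str]:
        """Apply both controls: MAC allow list first, then the shared-key tag."""
        if frame.src_mac not in self.allowed:
            return False, "mac address not on allow list"
        if frame.key_epoch != self.key_epoch:
            return False, "stale key epoch"
        expected = self._tag(frame.src_mac, frame.key_epoch, frame.payload)
        if not hmac.compare_digest(expected, frame.tag):
            return False, "bad tag: sender lacks the shared key"
        return True, "ok"
```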
Critical Infrastructure Case Study
Power plants are an important part of critical infrastructure and of local, state, and national economies. Therefore, power plants need deep and multilayered access controls due to concerns over physical security. There are a number of sensitive areas that must be secured, and various employees need different levels of access to these locations. At a plant in the upper Midwest, this access is handled with identity badges that include an image of the user and an RFID tag carrying their access rights.
The RFID handles access through multiple levels. There is a
security checkpoint at the entrance to the parking lot, and
at the entrance. Both points require a badge to enter. From there
the badge allows personnel to enter the facilities they
are authorized to enter. It also acts as "something you have" for
multipoint authentication onto secure systems. These
are all standard functions for an RFID badge system.
The badges also have an automatic deactivation feature, which
is useful for certain personnel. Maintenance personnel,
for example, do not have enhanced access and do not require
access to secured areas of the site. However, the
maintenance team may need access to any area of the facility
regardless of its sensitivity, in the case of a breakdown or
special project. To allow for this, the badges can be granted
access rights that decay over time. This allows for
temporary access to secure areas that is then automatically
revoked over a number of hours or days. This lowers
administrative time, and reduces the risk of human error in
rights assignment.
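The decaying badge rights just described, together with the automated expiration and automated account review listed under Technical Strategies, as an added example that is neither the plant's nor the book's code: a constructed badge whose grants carry an expiry, are revoked automatically once it passes, and can be listed for human review when they have gone unused for too long. Area names, holder and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Grant:
    area: str
    granted_at: datetime
    expires_at: Optional[datetime]      # None means a permanent right
    last_used: Optional[datetime] = None

    def expired(self, now: datetime) -> bool:
        return self.expires_at is not None and now >= self.expires_at


class Badge:
    def __init__(self, holder: str) -> None:
        self.holder = holder
        self.grants: Dict[str, Grant] = {}

    def grant(self, area: str, now: datetime, duration: Optional[timedelta] = None) -> Grant:
        """Permanent access when duration is None, otherwise access that decays."""
        expires = now + duration if duration is not None else None
        g = Grant(area, now, expires)
        self.grants[area] = g
        return g

    def check_access(self, area: str, now: datetime) -> bool:
        """Reader decision: an expired grant is removed on the spot, not honoured."""
        g = self.grants.get(area)
        if g is None:
            return False
        if g.expired(now):
            del self.grants[area]
            return False
        g.last_used = now
        return True

    def expire(self, now: datetime) -> List[str]:
        """Automated expiration sweep: revoke every grant whose time has passed."""
        gone = [area for area, g in self.grants.items() if g.expired(now)]
        for area in gone:
            del self.grants[area]
        return sorted(gone)

    def unused_since(self, now: datetime, max_idle: timedelta) -> List[str]:
        """Automated review: grants not exercised within max_idle, for a human to confirm."""
        stale = []
        for area, g in self.grants.items():
            reference = g.last_used or g.granted_at
            if now - reference > max_idle:
                stale.append(area)
        return sorted(stale)
```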
CHAPTER SUMMARY
All access control systems are about solving problems and meeting business needs. In order to do this effectively, you should be familiar with a variety of access control types, and understand how to map those types to various business challenges. Understanding how access control systems are used in the real world is a good way to integrate what works into your own access control systems.
KEY CONCEPTS AND TERMS
Business continuity
Compartmentalization
Discretionary access control (DAC)
Group
Information availability
Information confidentiality
Information integrity
Input control
Least privilege
Least user access (LUA)
Malware
Mandatory access control (MAC)
Media Access Control (MAC) address
Output control
Risk acceptance
Risk avoidance
Risk mitigation
Risk transference
Role
Role-based access control (RBAC)
Separation of responsibilities
Software as a Service (SaaS)
Wireless mesh networks
CHAPTER 6 ASSESSMENT
1. In terms of business continuity, a hostage situation could be
considered a disaster.
1. True
2. False
2. ________ is choosing not to engage in an activity that carries
some element of risk.
3. ________ is carrying on despite the risks involved in a given activity.
4. ________ is the process of assigning risk to someone else.
5. ________ combines attempts to minimize the probability and
impact of risk.
6. The three main threat categories are information
confidentiality, ________, and availability.
7. Even non-sensitive data should be kept under some level of
access control.
1. True
2. False
8. Any system or data resource that, if it were lost, stolen,
damaged, altered, or publicly divulged, would cause a
significant negative impact to the organization should be
considered ________.
9. Which of the following is an access control system in which
rights are assigned by the owner of the resource?
1. Discretionary access control
2. Mandatory access control
3. Role-based access control
4. Media access control
10. Which of the following is an access control system in which
rights are assigned based on a user's role rather than
his or her identity?
1. Discretionary access control
2. Mandatory access control
3. Role-based access control
4. Media access control
11. Which of the following is an access control system in which
rights are assigned by a central authority?
1. Discretionary access control
2. Mandatory access control
3. Role-based access control
4. Media access control
12. The principle of separation of responsibilities requires a
minimum of how many conditions to be met before
access can be granted?
1. 1
2. 2
CSIA 413: Cybersecurity Policy, Plans, and Programs
June 2, 2019
Executive Summary
The Red Clay Renovations Employee Handbook gives general rules about the company's policies. The Employee Handbook serves as a guide for employees to become familiar with Red Clay Renovations' policies for the "Acceptable Use Policy for Information Technology", the "Bring Your Own Device Policy" and the "Digital Media Sanitization, Reuse, and Destruction Policy". Red Clay Renovations reserves the right to modify the Employee Handbook to best suit the organization at any time, without prior notice to its employees.
Red Clay Renovations' "Acceptable Use Policy for Information Technology" defines in detail what acceptable use is and what it is not. Every employee will be informed of his/her responsibilities for system accounts, computing resources, and network usage, and will sign and agree to the policy before access to the network is granted.
Red Clay Renovations' "Bring Your Own Device Policy" (BYOD) names each of the devices that are acceptable as BYOD and governs the use of such devices. Every employee's devices must meet the policy standard before the devices are put into use at Red Clay Renovation Company.
Red Clay Renovations' "Digital Media Sanitization, Reuse, and Destruction Policy" ensures that any Red Clay Renovation employee who signed the BYOD policy has signed, or must sign, this policy as well. Employees need to understand the methods the organization will use to wipe BYOD devices.
Acceptable Use Policy
Introduction
This Acceptable Use Policy applies to all Red Clay Renovation employees and supersedes every previous version. All employees are subject to the terms and conditions of the Policy. The policy establishes acceptable and unacceptable use with respect to safeguarding the security of information, securing and protecting computers and PCs, the use of the network environment and servers, and the use of electronic communications. Additionally, Red Clay Renovation collects, maintains, and stores personal information including credit card data, credit checks, building plans and drawings, and customers' medical and health information.
Red Clay Renovation must be in compliance with the following: HIPAA Privacy and Security Rule, Freedom of Information Act (FOIA), PCI DSS, Privacy Act of 1977, and Building Codes and Regulations. It is in the best interest of the organization for all employees to understand the Acceptable Use Policy and to make responsible choices before engaging in any use the policy deems unacceptable. Any violation of the Acceptable Use Policy could potentially cause Red Clay Renovation considerable loss of business and reputation. If any employee needs more information about this policy, they can contact the IT department directly.
Policy Content
Use of IT Systems
Red Clay Renovation owns the property rights to all information stored on its systems. Red Clay Renovation systems are for the sole use of supporting and maintaining its business. Red Clay Renovation may at any time monitor any content that is stored on its systems.
Data Security
All employees are responsible for securing the information, records, and systems under their control. Keep passwords secure and do not disclose your password to anyone under any circumstances. Users are responsible for locking their workstations when not present.
Unacceptable Use
All employees should use good judgment before engaging in any questionable use of Red Clay Renovation's systems. When in doubt, ask. If a site is restricted and this prevents you from doing your everyday tasks, ask senior management to accommodate your request by granting you access. Never take matters into your own hands.
• Do not access pornography sites on company systems
• Do not access any sites that incite violence, hate crimes, racism, or discrimination
• Do not share sensitive data or trade secrets with anyone outside the company or with any individual who does not have a need to know.
• Do not tamper with the IT security systems
• Do not conduct any business that would compromise the integrity of the company or bring disgrace to it.
• Do not copy company proprietary data
Enforcement
The CISO and the IT team are the points of contact for this policy. Together they will maintain this policy. Any exception must come from senior management with the advice of the CISO and the IT team. Employees who violate this policy may be terminated or, depending on the nature of the violation, may face criminal investigation. When in doubt, ask rather than be sorry (SANS, 2014).
Bring Your Own Device (BYOD)
Introduction
Red Clay Renovation enters into an agreement with employees who qualify for the privilege of bringing their own devices to work. Qualified employees will be able to use their smartphones, tablets, and laptops at work exclusively to conduct company business. IT will inspect each BYOD device to ensure it meets the protection, security, and integrity standards of Red Clay Renovation's systems. The Company has the right to revoke the policy without justification, and all employees must agree to and comply with the policy before their personal devices are given access to the network.
Red Clay Renovation may send its employees to various locations to survey or study a home, which requires the employee to take pictures or to use CAD software to draw plans. Employees who install smart devices for Red Clay Renovation may need to access the company network to upload or configure a smart-home project remotely. The need for this company to use mobile devices is therefore essential.
Red Clay Renovation and its qualified employees agree that device cameras and video will be disabled while on site, that certain sites are restricted while on company time, and that some applications are not permitted on the device while the policy and the agreement are in effect. Employees agree to allow Red Clay Renovation to install the necessary software and applications on their devices to meet the company's specific requirements, and at the end of the agreement the company will erase or wipe all content on the devices.
Policy Content
User Agreement
Red Clay Renovation may revoke this privilege or seek legal action for failure to comply with the standards contained in the BYOD policy. The user agrees not to use third-party software unless Red Clay Renovation has approved it first. The user agrees that Red Clay Renovation is not responsible for damage to or loss of the device (cio.gov, 2012). The user agrees to turn in any BYOD device that was equipped with Red Clay Renovation applications and software to the IT team within five business days of termination of employment, or face having the device wiped remotely by an executable command.
Security
Devices must be password protected to prevent unauthorized access and must follow the Red Clay Renovation password policy for locking the devices. In addition, the device must lock itself within two minutes of inactivity and lock out completely after five failed login attempts. The Red Clay Renovation IT team will remotely erase device data if a virus is suspected, if the policy is breached, or after termination of employment (Berry, 2016).
Risks/Liabilities
The CISO and the IT team will, at best, exercise due diligence to avoid erasing any personal data in the event of a remote wipe. The user is responsible for notifying Red Clay Renovation within one hour if the BYOD device is lost, or of recognizing that the device is lost.
• The employee is required to use the device in a manner that complies with the policy.
• The employee is responsible for all costs associated with the device.
• The employee is liable for any virus or software issues that cause any malfunction of the company's software.
The company will maintain and support its software and applications while in the BYOD agreement with the employee. Fixes and updates will come from the IT team's network infrastructure. If a BYOD device is past its useful life or obsolete, employees may opt out if the company decides to upgrade to a more current device.
• Abide by state laws regarding the use of mobile phones and other mobile devices while driving (e.g., hands-free use and texting).
• User will password protect the device
• User agrees not to modify the device operating system and to keep the latest security patches installed.
• User agrees not to give the device to anyone other than the IT team of Red Clay Renovation.
• Employees will not be able to download or install an application that is not on the company's approved list.
• Only smartphones and tablets that are BYOD qualified will have access to the network.
• Employees' access to company data is restricted based on user profiles defined by IT and enforced accordingly (Berry, 2016).
Media Sanitization, Reuse and Destruction
Introduction
The purpose of this policy is to outline the proper disposal, sanitization, and destruction of media, physical or electronic, at Red Clay Renovation. The policy is to limit the over-retention of sensitive data, and it applies when PII and order data are no longer necessary or serve any benefit to the company. Red Clay Renovation collects credit card holder data, clients' medical records, and PII. Eventually this data must be destroyed; Red Clay Renovation uses the NIST Special Publication 800-88 guidelines to destroy and sanitize data.
Policy Content
Floppy Disks, Zip Disks, CDs, DVDs
It is cheaper to destroy these media than to reuse them; they no longer have any real value. The best method is to destroy them using a cross-cut shredder or a diamond-cut paper shredder. Burning the disks is also an approved method; ensure that a person from the company is present to verify the complete burning of the disks so that no parts are left or could be reconstructed.
Desktop and Laptop Computers, External Hard Drives
Red Clay Renovation will implement NIST Special Publication 800-88 section 2.6 as a guide to help sanitize electronic media. Degaussing and overwriting are other methods that will permanently destroy the disk drive.
Complex Systems
System administrators with servers, server systems, and more complex storage assets, for example RAID arrays and computer-based scientific instruments, should become familiar with the NIST Guidelines and should follow their recommendations and techniques for effective media sanitization and disposal (Space.internet, 2015).
• Paper-based or other hard-copy media with confidential data must be destroyed with a cross-cut shredder before disposal.
• Limit the particle size of paper-based media containing confidential information to 1x5 mm (1/32"x1/5").
• The maximum particle size for media containing internal information is 2x15 mm (1/16"x3/5").
• Ensure incineration follows local, state, and federal regulations.
• When purging is done by overwriting the data, a minimum of three passes is recommended.
• Ensure all equipment that is no longer needed is fully erased and the hard drives are removed.
• Hard drives are completely destroyed by shredding, crushing, disintegration, or incineration.
• Degaussing is an acceptable method for purging data from magnetic media. Be aware that this usually renders the media unusable.
• If the media contains ePHI that will be used in the future, an exact copy of the data must be made before its destruction or purge.
• Any media containing ePHI must be tracked, and a record of its purge, destruction, or reuse must be kept.
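The overwrite requirement and the tracking requirement above, as an added example that is not part of the Red Clay Renovation policy text: a file-level overwrite that enforces the three-pass minimum, reads the final pass back to verify it as NIST SP 800-88 expects, and returns the sanitization record the policy requires for ePHI media. The file path and sample contents are constructed for the demonstration.

```python
# Added example (not the policy's own code): paths and the sample file are constructed.
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024                       # write/verify granularity
PATTERNS = (b"\x00", b"\xff", b"\x55")  # one fixed fill byte per pass

def overwrite_and_verify(path: str, passes: int = 3) -> dict:
    """Overwrite `path` in place, verify the final pass, remove the file.
    Caveat: overwriting is a Clear method for magnetic disks only; on
    SSD/flash media the controller remaps blocks, so NIST SP 800-88
    calls for Purge (firmware sanitize) or physical destruction."""
    if passes < 3:
        raise ValueError("policy requires at least three overwrite passes")
    size = os.path.getsize(path)
    for i in range(passes):
        fill = PATTERNS[i % len(PATTERNS)]
        with open(path, "r+b") as f:        # r+b rewrites the same blocks
            for off in range(0, size, CHUNK):
                f.write(fill * min(CHUNK, size - off))
            f.flush()
            os.fsync(f.fileno())            # push the pass to the media
    last = PATTERNS[(passes - 1) % len(PATTERNS)]
    verified = True
    with open(path, "rb") as f:             # read back the final pass
        while block := f.read(CHUNK):
            if block != last * len(block):
                verified = False
                break
    if verified:
        os.remove(path)
    return {                                # tracking record the policy requires
        "media": os.path.basename(path),
        "method": "clear (overwrite)",
        "passes": passes,
        "verified": verified,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }

def demo() -> tuple:
    """Constructed sample: a scratch file standing in for an ePHI export."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(b"patient_id,diagnosis\n1001,sample-record\n" * 5000)
    record = overwrite_and_verify(path, passes=3)
    return record, not os.path.exists(path)
```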
References
A toolkit to support federal agencies implementing bring your own device (BYOD) programs. (2012). Retrieved from https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf
Acceptable Use Policy. (2014, June). Retrieved from https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy
Berry, B. M. (2013). BYOD Policy Template. Retrieved from http://www.itmanagerdaily.com/byod-policy-template/
Example Acceptable Use Policy for IT Systems. (n.d.). Retrieved from https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosexampleITacceptableusepolicy.ashx
Guidelines for Media Sanitization. (2014, December). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
Hassell, J. (2012). 7 Tips for Establishing a Successful BYOD Policy. Retrieved from http://www.cio.com/article/2395944/consumer-technology/7-tips-for-establishing-a-successful-byod-policy.html
Media Sanitization and Destruction Policy Sample. (2013). Retrieved from https://www.michigan.gov/documents/msp/Media_Sanitization_Destruction_Policy_442249_7.pdf
Practical Information Media Sanitization Guidelines for Higher Education. (2015, July). Retrieved from https://spaces.internet2.edu/display/2014infosecurityguide/Guidelines for Information Media Sanitization
Reid, G., & Hilldale, D. (2006). Acceptable use policy template. Retrieved from https://www.first.org/_assets/resources/guides/aup_generic.doc