IAS QUIZ

    Cards (40)

    • Access Control
      Access control is a security technique that regulates who or what can
      view or use resources in a computing environment.
    • Benefits of Access Control
      Knowing Who’s Coming and Going at All Times
      Keep Track of Employees
      Secure Sensitive Documents and Data
      Reduce Theft and Accidents
      Multi-Property Protection
      No More Worrying About Keys
    • Four Main Access Control Models
      1. Mandatory Access Control or MAC
      2. Discretionary Access Control
      3. Role Based Access Control
      4. Rule Based Access Control
    • 2. Discretionary Access Control
      When using the DAC method, the owner decides who has access to the
      resource, so decisions are made directly for subjects. To accomplish this
      we use Access Control Lists (ACLs).
      1. Mandatory Access Control or MAC
      MAC is a static access control method. Resources are classified
      using labels. Clearance labels are assigned to users who need to
      work with resources.
    • 3. Role Based Access Control
      When using the role-based access control method, data access is
      determined by the user's role within the organization.
    • 4. Rule Based Access Control
      Rule-based access control uses rules to deny or allow access to resources.
      If a rule matches, access is allowed or denied according to that rule.
    • Identity and Access Management (IAM)
      Also called identity management (IdM), IAM systems fall under the overarching
      umbrella of IT security.
      Identity and access management systems not only identify, authenticate and
      authorize individuals who will be utilizing IT resources, but also the hardware and
      applications employees need to access.
    • Identity and Access Management (IAM)
      Enterprises have traditionally utilized on-premises IAM software for
      their identity and access management policies, but in recent years
      native cloud-based Identity-as-a-Service (IDaaS) solutions from
      vendors like Okta and Centrify have gained traction, as have hybrid
      identity and access management solutions from vendors like
      Microsoft and Amazon that provide cloud-based directories that link
      with on-premises IAM systems.
    • Identity management
      Identity management, also referred to as identity and access management (IAM),
      is the overarching discipline for verifying a user's identity and their level of
      access to a particular system.
    • When do we interact with authentication mechanisms?
      The answer is: every day.
      When you enter a username and password,
      use a PIN,
      scan your fingerprint,
      or tap your bank card.
    • Access Control Decisions
      Institutions of higher education like QCU create, collect, and make
      available information in support of their educational, healthcare, and
      research missions.
    • Centralized Access Control
      • Rather than maintaining separate accounts on each system, some institutions use a central account database that all systems can authenticate against
      • In many environments, a Windows domain controller functions as the central authentication system
    • Decentralized Access Control
      • Some institutions opt for decentralized or distributed user account databases, where the verification of authorization is performed by various entities located throughout the campus
    • Disadvantages of Decentralized Access Control
      • They can be duplicative
      • Require coordinated work of several teams
      • Administrative overhead is high since changes may need to be implemented by numerous locations
      • Each location may be maintained by local administrators without the input / coordination of the other teams
    • 2. Access Control Policy
      Institutions should ensure that their policies comply with any applicable
      regulatory requirements such as those currently affecting access to student
      financial aid information and Controlled Unclassified Information (CUI).
    • 3. Access Control Program
      As data, access, and networks continue to expand, institutions have
      an increasing need to manage identities and access.
      Two examples of identity and access management:
      in a campus setting, and
      in a complex organization.
    • User Access Management
      Stages of the user access life-cycle: from determining the types and
      affiliation of institutional users and their corresponding privileges to
      the procedures to revoke and disable their access.
    • User Types and Affiliations
      Institutions of higher education have a broad user base with varying degrees of affiliation. One thing
      in common among all members of an institution's constituency is that all require access to some type
      of institutional information for a determined amount of time - they all become users.
    • Formal Affiliation: These are users whose affiliation to the institution is established by formal
      contract, employment, or enrollment. Users in this group include staff members, employees,
      faculty, researchers, and students.
    • Casual Affiliation: These are users whose affiliation to the institution is transitory, periodic,
      mostly informational and not established by a contract or enrollment. Users in this group include
      guests, retirees, donors, parents, library patrons, alumni, and external vendors.
    • 2. User Registration
      Identification is the process of ensuring that a user, program, or device is the entity it
      claims to be.
    • The user registration process generally has four steps:
      1. Identity vetting: the collection and validation of identity information.
      2. Identity proofing: aligning collected data and matching an actual person to it.
      This can be done either by:
      leveraging a pre-existing relationship with an individual (e.g., the individual was a former
      student or a former employee),
      in person, or
      remotely.
      3. Creation of a master identity record.
      4. Issuance of credentials.
    • 3. Privilege Management
      Privilege management is the set of processes for managing user attributes and policies that
      determine a user's access rights to an information resource.
      Some data may be restricted from general access by users and may require additional levels
      of approval before being made available.
    • Two common problems related to privilege management
      Excessive privilege - happens when a user has more access or
      permissions than the assigned work tasks and/or role requires.
      Creeping privilege - happens when a user account accumulates privileges
      over time as roles and assigned work tasks change. Both problems are
      addressed by periodic review of user access rights.
    • 4. Password Management
      Good Password Practices
      Use strong passwords or long passphrases
      Do NOT write passwords down
      Do NOT share passwords
      Use different passwords for different applications (e.g., work vs personal; shopping, and banking
      vs casual email and Facebook; applications that contain confidential information vs those that do
      not, etc.)
    • 5. Review of Access Rights
      Least privilege and need-to-know access underscore the importance of the
      periodic review of user accounts and their corresponding access rights.
      Dormant user accounts - active user accounts which show no activity for very
      long periods of time - pose an unnecessary risk of unauthorized access to
      confidential data.
    • Information Security Policy (ISP)
      Security threats are constantly evolving, and compliance
      requirements are becoming increasingly complex.
      Organizations large and small must create a comprehensive security
      program to cover both challenges.
    • A few key characteristics make a security policy efficient:
      it should cover security from end-to-end across the organization,
      be enforceable and practical, have space for revisions and updates, and
      be focused on the business goals of your organization.
    • The Importance of an Information Security Policy
      Creating an effective security policy and taking steps to ensure
      compliance is a critical step to prevent and mitigate security
      breaches.
      To make your security policy truly effective, update it in response to
      changes in your company, new threats, conclusions drawn from
      previous breaches, and other changes to your security posture.
      Make your information security policy practical and enforceable.
      It should have an exception system in place to accommodate
      requirements and urgencies that arise from different parts of the
      organization.
    • 8 Elements of an Information Security Policy
      1. Purpose
      2. Audience
      3. Information security objectives
      4. Authority and access control policy
      5. Data classification
      6. Data support and operations
      7. Security awareness and behavior
      8. Responsibilities, rights, and duties of personnel
    • Purpose
      Create an overall approach to information security.
      Detect and preempt information security breaches such as misuse
      of networks, data, applications, and computer systems.
      Maintain the reputation of the organization, and uphold ethical
      and legal responsibilities.
      Respect customer rights, including how to react to inquiries and
      complaints about non-compliance.
    • Audience
      You may also specify which audiences are out of the scope of the
      policy (for example, staff in another business unit which manages
      security separately may not be in the scope of the policy).
    • Information security objectives
      Guide your management team to agree on well-defined objectives
      for strategy and security.
      Information security focuses on three main objectives:
      1. Confidentiality
      2. Integrity
      3. Availability
    • Authority and access control policy
      Hierarchical pattern: a senior manager may have the authority to
      decide what data can be shared and with whom.
      The security policy may have different terms for a senior
      manager vs. a junior employee.
      The policy should outline the level of authority over data and IT
      systems for each organizational role.
      Network security policy: users are only able to access company
      networks and servers via unique logins that demand
      authentication, including passwords, biometrics, ID cards, or
      tokens. You should monitor all systems and record all login
      attempts.
    • Data classification
      The policy should classify data into categories, which may include
      “top secret”, “secret”, “confidential” and “public”. Your objective
      in classifying data is:
      To ensure that sensitive data cannot be accessed by individuals
      with lower clearance levels.
      To protect highly important data, and avoid needless security
      measures for unimportant data.
    • Data support and operations
      Data protection regulations: systems that store personal data, or
      other sensitive data, must be protected according to
      organizational standards, best practices, industry compliance
      standards and relevant regulations.
      Most security standards require, at a minimum, encryption, a
      firewall, and anti-malware protection.
      Data backup: encrypt data backups according to industry best
      practices. Securely store backup media, or move backups to secure
      cloud storage.
    • Movement of data: only transfer data via secure protocols.
      Encrypt any information copied to portable devices or transmitted
      across a public network.
    • 7. Security awareness and behavior
      Share IT security policies with your staff. Conduct training sessions
      to inform employees of your security procedures and mechanisms,
      including data protection measures, access protection measures,
      and sensitive data classification.
    • Responsibilities, rights, and duties of personnel
      Appoint staff to carry out user access reviews, education, change
      management, incident management, implementation, and
      periodic updates of the security policy.
      Responsibilities should be clearly defined as part of the security
      policy.