IAS QUIZ
Created by Corbadura Holly
Cards (40)
Access Control
Access control is a security technique that regulates who or what can view or use resources in a computing environment.
Benefits of Access Control
Knowing Who’s Coming and Going at All Times
Keep Track of Employees
Secure Sensitive Documents and Data
Reduce Theft and Accidents
Multi-Property Protection
No More Worrying About Keys
Four Main Access Control Models
Mandatory Access Control or MAC
Discretionary Access Control
Role Based Access Control
Rule Based Access Control
Discretionary Access Control (DAC)
When using the DAC method, the owner of a resource decides who has access to it, so access decisions are made directly for individual subjects. To accomplish this we use Access Control Lists (ACLs).
Mandatory Access Control (MAC)
MAC is a static access control method. Resources are classified using labels, and clearance labels are assigned to the users who need to work with those resources.
Role Based Access Control
When using the role-based access control method, data access is determined by the user's role within the organization.
Rule Based Access Control
Rule-based access control is based on rules that deny or allow access to resources. If a rule is matched, access is denied or allowed accordingly.
Identity and Access Management (IAM)
Also called identity management (IdM), IAM systems fall under the overarching umbrella of IT security.
Identity and access management systems not only identify, authenticate and authorize the individuals who will be using IT resources, but also the hardware and applications those employees need to access.
Identity and Access Management (IAM)
Enterprises have traditionally used on-premises IAM software for their identity and access management policies, but in recent years native cloud-based Identity-as-a-Service (IDaaS) solutions from vendors like Okta and Centrify have gained traction, as have hybrid identity and access management solutions from vendors like Microsoft and Amazon that provide cloud-based directories linked with on-premises IAM systems.
Identity management
Identity management, also referred to as identity and access management (IAM), is the overarching discipline for verifying a user's identity and their level of access to a particular system.
When do we interact with authentication mechanisms?
The answer is: every day. You do so whenever you enter a username and password, use a PIN, scan your fingerprint, or tap your bank card.
Access Control Decisions
Institutions of higher education like QCU create, collect, and make available information in support of their educational, healthcare, and research missions.
Centralized Access Control
Rather than maintaining separate accounts on each system, some institutions use a central account database that all systems can authenticate against. In many environments, a Windows domain controller functions as the central authentication system.
Decentralized Access Control
Some institutions opt for decentralized or distributed user account databases, where the verification of authorization is performed by various entities located throughout the campus.
Disadvantages of Decentralized Access Control
They can be duplicative
Require coordinated work of several teams
Administrative overhead is high since changes may need to be implemented by numerous locations
Each location may be maintained by local administrators without the input / coordination of the other teams
Access Control Policy
Institutions should ensure that their policies comply with any applicable regulatory requirements, such as those currently affecting access to student financial aid information and Controlled Unclassified Information (CUI).
Access Control Program
As data, access, and networks continue to expand, institutions have an increasing need to manage identities and access.
Two examples of identity and access management
In Campus Setting
In a complex organization
User Access Management
The stages of the user access life-cycle, from determining the types and affiliation of institutional users and their corresponding privileges to the procedures used to revoke and disable their access.
User Types and Affiliations
Institutions of higher education have a broad user base with varying degrees of affiliation. One thing in common among all members of an institution's constituency is that all require access to some type of institutional information for a determined amount of time: they all become users.
Formal Affiliation: these are users whose affiliation to the institution is established by formal contract, employment, or enrollment. Users in this group include staff members, employees, faculty, researchers, and students.
Casual Affiliation: these are users whose affiliation to the institution is transitory, periodic, mostly informational, and not established by a contract or enrollment. Users in this group include guests, retirees, donors, parents, library patrons, alumni, and external vendors.
User Registration
Identification is the process of ensuring that a user, program, or device is the entity it claims to be.
The user registration process generally has four steps:
Identity Vetting: the collection and validation of identity information.
Identity Proofing: aligning the collected data and matching an actual person to it. This can be done by leveraging a pre-existing relationship with the individual (e.g., the individual was a former student or a former employee), in person, or remotely.
Creation of a master identity record.
Issuance of credentials.
Privilege Management
Privilege management is the set of processes for managing the user attributes and policies that determine a user's access rights to an information resource. Some data may be restricted from general access by users and may require additional levels of approval before being made available.
Two common problems related to privilege management:
Excessive privilege happens when a user has more access or permissions than the assigned work tasks and/or role requires.
Creeping privilege happens when a user account accumulates privileges over time as roles and assigned work tasks change.
Both problems are addressed by periodic review of user access rights.
Password Management
Good Password Practices
Use strong passwords or long passphrases.
Do NOT write passwords down.
Do NOT share passwords.
Use different passwords for different applications (e.g., work vs. personal; shopping and banking vs. casual email and Facebook; applications that contain confidential information vs. those that do not, etc.).
Review of Access Rights
Least privilege and need-to-know access underscore the importance of the periodic review of user accounts and their corresponding access rights.
Dormant user accounts, that is, active user accounts which show no activity for very long periods of time, pose an unnecessary risk of unauthorized access to confidential data.
Information Security Policy (ISP)
Security threats are constantly evolving, and compliance requirements are becoming increasingly complex. Organizations large and small must create a comprehensive security program to cover both challenges.
A few key characteristics make a security policy efficient: it should cover security end-to-end across the organization, be enforceable and practical, leave space for revisions and updates, and be focused on the business goals of your organization.
The Importance of an Information Security Policy
Creating an effective security policy and taking steps to ensure compliance is a critical step in preventing and mitigating security breaches.
To make your security policy truly effective, update it in response to changes in your company, new threats, conclusions drawn from previous breaches, and other changes to your security posture.
Make your information security policy practical and enforceable. It should have an exception system in place to accommodate requirements and urgencies that arise from different parts of the organization.
8 Elements of an Information Security Policy
Purpose
Audience
Information security objectives
Authority and access control policy
Data classification
Data support and operations
Security awareness and behavior
Responsibilities, rights, and duties of personnel
Purpose
Create an overall approach to information security.
Detect and preempt information security breaches such as misuse of networks, data, applications, and computer systems.
Maintain the reputation of the organization, and uphold ethical and legal responsibilities.
Respect customer rights, including how to react to inquiries and complaints about non-compliance.
Audience
You may also specify which audiences are out of the scope of the policy (for example, staff in another business unit which manages security separately may not be in the scope of the policy).
Information security objectives
Guide your management team to agree on well-defined objectives for strategy and security.
Information security focuses on three main objectives:
1. Confidentiality
2. Integrity
3. Availability
Authority and access control policy
Hierarchical pattern: a senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager vs. a junior employee. The policy should outline the level of authority over data and IT systems for each organizational role.
Network security policy: users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts.
Data classification
The policy should classify data into categories, which may include "top secret", "secret", "confidential" and "public". Your objectives in classifying data are:
To ensure that sensitive data cannot be accessed by individuals with lower clearance levels.
To protect highly important data, and avoid needless security measures for unimportant data.
Data support and operations
Data protection regulations: systems that store personal data, or other sensitive data, must be protected according to organizational standards, best practices, industry compliance standards and relevant regulations. Most security standards require, at a minimum, encryption, a firewall, and anti-malware protection.
Data backup: encrypt data backups according to industry best practices. Securely store backup media, or move backups to secure cloud storage.
Movement of data: only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted across a public network.
Security awareness and behavior
Share IT security policies with your staff. Conduct training sessions to inform employees of your security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification.
Responsibilities, rights, and duties of personnel
Appoint staff to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy.