IAS QUIZ

Cards (40)

  • Access Control
    Access control is a security technique that regulates who or what can
    view or use resources in a computing environment.
  • Benefits of Access Control
    Knowing Who’s Coming and Going at All Times
    Keep Track of Employees
    Secure Sensitive Documents and Data
    Reduce Theft and Accidents
    Multi-Property Protection
    No More Worrying About Keys
  • Four Main Access Control Models
    1. Mandatory Access Control or MAC
    2. Discretionary Access Control
    3. Role Based Access Control
    4. Rule Based Access Control
  • 1. Mandatory Access Control or MAC
    MAC is a static access control method: the system, not the resource
    owner, enforces the policy. Resources are classified using labels, and
    clearance labels are assigned to users who need to work with those
    resources. Access is granted only when the user's clearance satisfies
    the resource's label.
  • 2. Discretionary Access Control
    When using the DAC method, the owner of a resource decides who has
    access to it, so decisions are made directly for individual subjects.
    To accomplish this we use Access Control Lists (ACLs).
  • 3. Role Based Access Control
    When using the role-based access control method, data access is
    determined by the user's role within the organization: permissions are
    attached to roles, and users are assigned roles.
  • 4. Rule Based Access Control
    Rule-based access control uses a set of rules that allow or deny access to
    resources. When a request matches a rule, that rule's decision (allow or
    deny) applies; a request that matches no rule is normally denied.
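The four models above as small decision functions, added here as an example; this is not code from the quiz. Every user, label, role, rule and resource below is constructed for illustration, and the level ordering, role tables and rule list are assumptions, not values from the page.

```python
# Added example, not part of the quiz: the four access control models as
# decision functions. All users, labels, roles, rules and resources here
# are constructed for illustration.
from dataclasses import dataclass, field
from datetime import time

# 1. MAC: labels are fixed by the system. A subject may read an object only
#    when its clearance is at least the object's classification (no read-up).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}

def mac_can_read(clearance: str, classification: str) -> bool:
    return LEVELS[clearance] >= LEVELS[classification]

# 2. DAC: the owner of a resource maintains its ACL and may grant others.
@dataclass
class Resource:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

def dac_grant(resource: Resource, requester: str, user: str, perm: str) -> bool:
    """Only the owner may change the ACL; returns False if someone else tries."""
    if requester != resource.owner:
        return False
    resource.acl.setdefault(user, set()).add(perm)
    return True

def dac_allowed(resource: Resource, user: str, perm: str) -> bool:
    return user == resource.owner or perm in resource.acl.get(user, set())

# 3. RBAC: permissions attach to roles; users are assigned roles.
ROLE_PERMS = {
    "student": {"read:grades"},
    "faculty": {"read:grades", "write:grades"},
    "registrar": {"read:grades", "write:grades", "read:transcripts"},
}
USER_ROLES = {"alice": {"student"}, "bob": {"faculty"}, "carol": {"registrar"}}

def rbac_allowed(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))

# 4. Rule-based: an ordered rule list; the first matching rule decides and a
#    request that matches no rule is denied (default deny).
def _business_hours(req: dict) -> bool:
    return time(8, 0) <= req["time"] <= time(18, 0)

RULES = [
    # (condition over the request, decision)
    (lambda r: r["src"].startswith("10.0."), "allow"),                        # campus network
    (lambda r: r["resource"] == "payroll" and not _business_hours(r), "deny"),
    (lambda r: r["resource"] == "payroll", "allow"),
]

def request(src: str, resource: str, hour: int) -> dict:
    """Build a request record for the rule engine (constructed input)."""
    return {"src": src, "resource": resource, "time": time(hour, 0)}

def rule_decision(req: dict) -> str:
    for condition, decision in RULES:
        if condition(req):
            return decision
    return "deny"

if __name__ == "__main__":
    doc = Resource(owner="alice")
    dac_grant(doc, "alice", "bob", "read")
    print(mac_can_read("secret", "confidential"), dac_allowed(doc, "bob", "read"),
          rbac_allowed("carol", "read:transcripts"),
          rule_decision(request("203.0.113.5", "payroll", 22)))
```

Note the difference in who decides: in MAC only the label tables matter and no user can widen access, in DAC the owner can, in RBAC an administrator changes access by changing role membership, and in the rule-based engine the order of the rules is part of the policy (the campus-network rule matches before the after-hours payroll deny).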
  • Identity and Access Management (IAM)
    Also called identity management (IdM), IAM systems fall under the overarching
    umbrella of IT security.
    Identity and access management systems not only identify, authenticate and
    authorize individuals who will be utilizing IT resources, but also the hardware and
    applications employees need to access.
  • Identity and Access Management (IAM)
    Enterprises have traditionally utilized on-premises IAM software for
    their identity and access management policies, but in recent years
    native cloud-based Identity-as-a-Service (IDaaS) solutions from
    vendors like Okta and Centrify have gained traction, as have hybrid
    identity and access management solutions from vendors like
    Microsoft and Amazon that provide cloud-based directories that link
    with on-premises IAM systems.
  • Identity management
    also referred to as identity and access management (IAM)—is the
    overarching discipline for verifying a user’s identity and their level of
    access to a particular system.
  • When do we interact with authentication mechanisms?
    The answer is …. Every day
    When you enter a username and password,
    use a PIN,
    scan your fingerprint,
    tap your bank card,
  • Access Control Decisions
    Institutions of higher education like QCU create, collect, and make
    available information in support of their educational, healthcare, and
    research missions.
  • Centralized Access Control
    • Rather than maintaining separate accounts on each system, some institutions use a central account database that all systems can authenticate against
    • In many environments, a Windows domain controller functions as the central authentication system
  • Decentralized Access Control
    • Some institutions opt for decentralized or distributed user account databases, where identity verification and authorization are performed by various entities located throughout the campus
  • Disadvantages of Decentralized Access Control
    • They can be duplicative
    • Require coordinated work of several teams
    • Administrative overhead is high since changes may need to be implemented by numerous locations
    • Each location may be maintained by local administrators without the input / coordination of the other teams
  • 2. Access Control Policy
    Institutions should ensure that their policies comply with any applicable
    regulatory requirements such as those currently affecting access to student
    financial aid information and Controlled Unclassified Information (CUI).
  • 3. Access Control Program
    As data, access, and networks continue to expand, institutions have
    an increasing need to manage identities and access.
    Two examples of identity and access management
    In Campus Setting
    In a complex organization
  • User Access Management
    Stages of the user access life-cycle, from determining the types and
    affiliation of institutional users and their corresponding privileges to
    the procedures to revoke and disable their access.
  • User Types and Affiliations
    Institutions of higher education have a broad user base with varying degrees of affiliation. One thing
    in common among all members of an institution's constituency is that all require access to some type
    of institutional information for a determined amount of time - they all become users.
  • Formal Affiliation: These are users whose affiliation to the institution is established by formal
    contract, employment, or enrollment. Users in this group include staff members, employees,
    faculty, researchers, and students.
  • Casual Affiliation: These are users whose affiliation to the institution is transitory, periodic,
    mostly informational and not established by a contract or enrollment. Users in this group include
    guests, retirees, donors, parents, library patrons, alumni, and external vendors.
  • 2. User Registration
    Identification is the process by which a user, program, or device claims an identity
    (for example, by presenting a username); authentication is the process of verifying
    that the entity is what it claims to be.
  • The user registration process generally has four steps:
    1. Identity Vetting: the collection and validation of identity information.
    2. Identity Proofing: aligning the collected data and matching an actual person to it.
       This can be done by:
       - leveraging a pre-existing relationship with an individual (e.g., the individual was a
         former student or a former employee),
       - in person, or
       - remotely.
    3. Creation of a master identity record.
    4. Issuance of credentials.
  • 3. Privilege Management
    Privilege management is the set of processes for managing user attributes and policies that
    determine a user's access rights to an information resource.
    Some data may be restricted from general access by users and may require additional levels
    of approval before being made available.
  • Two common problems related to privilege management
    Excessive privilege - happens when a user has more access or
    permissions than the assigned work tasks and/or role requires.
    Creeping privilege - happens when a user account accumulates privileges
    over time as roles and assigned work tasks change. Both problems are
    addressed by periodic review of user access rights.
  • 4. Password Management
    Good Password Practices
    Use strong passwords or long passphrases
    Do NOT write passwords down
    Do NOT share passwords
    Use different passwords for different applications (e.g., work vs personal; shopping, and banking
    vs casual email and Facebook; applications that contain confidential information vs those that do
    not, etc.)
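A password-setting check that enforces the practices above, added here as an example and not code from the quiz. The minimum lengths, the entropy threshold, the short list of common passwords, the iteration count and the user's existing per-application hashes are all constructed assumptions, not values from the page.

```python
# Added example, not part of the quiz: checking a new password against the
# practices listed above. Thresholds, the common-password list and the
# sample "existing" hashes are constructed assumptions.
import hashlib
import hmac
import math
import os
import string

COMMON = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
ITERATIONS = 100_000  # assumption; use a higher count or Argon2 in production

def estimate_bits(pw: str) -> float:
    """Rough entropy estimate from length and the character classes used."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation or c.isspace() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0

def derive(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

def store(pw: str) -> tuple:
    """Salted hash as an application would keep it (never the plaintext)."""
    salt = os.urandom(16)
    return salt, derive(pw, salt)

def check_password(pw: str, username: str, existing: dict) -> list:
    """existing maps other application names to (salt, hash) for this user.
    Returns the list of violations; an empty list means the password is accepted."""
    problems = []
    passphrase = len(pw.split()) >= 4 and len(pw) >= 16   # long passphrase
    if len(pw) < 12 and not passphrase:
        problems.append("too short: use 12+ characters or a 4+ word passphrase")
    lowered = pw.lower()
    # Catch "Password123!"-style variants of common passwords too.
    if lowered in COMMON or lowered.strip("0123456789!") in COMMON:
        problems.append("common password")
    if username and username.lower() in lowered:
        problems.append("contains username")
    if estimate_bits(pw) < 50 and not passphrase:
        problems.append("low estimated entropy")
    # Reuse across applications can only be detected while the plaintext is
    # in hand (at set time): re-derive with each stored salt and compare.
    for app, (salt, digest) in existing.items():
        if hmac.compare_digest(derive(pw, salt), digest):
            problems.append(f"reused from {app}")
    return problems

def demo() -> dict:
    """Constructed user with two existing application passwords."""
    existing = {
        "banking": store("Tr0ub4dor&3xyz!"),
        "shopping": store("correct horse battery staple"),
    }
    return {
        "reused": check_password("correct horse battery staple", "alice", existing),
        "common": check_password("Password123!", "alice", existing),
        "short": check_password("Summer24", "alice", existing),
        "ok": check_password("k7#Vx!pq2Lz@9mQr", "alice", existing),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result or "accepted")
```

The reuse check is the interesting part: because each application stores only a salted, stretched hash, a server cannot discover after the fact that two applications share a password, so the comparison has to happen at the moment the user sets it.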
  • 5. Review of Access Rights
    Least privilege and need-to-know access underscore the importance of the
    periodic review of user accounts and their corresponding access rights.
    Dormant user accounts - active user accounts that show no activity for very
    long periods of time - pose an unnecessary risk of unauthorized access to
    confidential data.
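One way to run the periodic review that both the privilege management card (excessive and creeping privilege) and the review of access rights card (dormant accounts) call for, added here as an example and not code from the quiz. The role baselines, account records, review date and the 90-day dormancy window are constructed assumptions.

```python
# Added example, not part of the quiz: a periodic access review that flags
# excessive privilege, creeping privilege and dormant accounts. Role
# baselines, accounts, grants and dates are constructed for illustration.
from datetime import date, timedelta

# Least-privilege baseline: the grants each role is expected to need.
ROLE_BASELINE = {
    "student": {"lms:read", "email"},
    "faculty": {"lms:read", "lms:grade", "email"},
    "finaid": {"finaid:read", "finaid:write", "email"},
}

# Constructed account records: current roles, every grant the account
# actually holds, roles it held earlier, and its last login.
ACCOUNTS = {
    "alice": {"roles": {"student"}, "grants": {"lms:read", "email"},
              "last_login": date(2024, 5, 30)},
    "bob":   {"roles": {"faculty"},
              "grants": {"lms:read", "lms:grade", "email", "finaid:write"},
              "last_login": date(2024, 6, 1)},
    "dana":  {"roles": {"finaid"}, "former_roles": {"faculty"},
              "grants": {"finaid:read", "finaid:write", "email", "lms:grade"},
              "last_login": date(2024, 6, 2)},
    "eve":   {"roles": {"student"}, "grants": {"lms:read", "email"},
              "last_login": date(2023, 9, 1)},
}
REVIEW_DATE = date(2024, 6, 15)  # assumed date the review is run

def expected_grants(roles) -> set:
    return set().union(*(ROLE_BASELINE[r] for r in roles))

def review(accounts: dict, today: date, dormant_after=timedelta(days=90)) -> list:
    """Return (user, finding, grants) tuples for the reviewer to act on."""
    findings = []
    for user, acct in accounts.items():
        excess = acct["grants"] - expected_grants(acct["roles"])
        if excess:
            # If the excess is explained by a role the user used to hold,
            # it accumulated as duties changed: creeping privilege.
            former = expected_grants(acct.get("former_roles", set()))
            kind = "creeping" if excess & former else "excessive"
            findings.append((user, kind, excess))
        if today - acct["last_login"] > dormant_after:
            findings.append((user, "dormant", set()))
    return findings

def run_review() -> list:
    return review(ACCOUNTS, REVIEW_DATE)

if __name__ == "__main__":
    for user, kind, grants in run_review():
        print(f"{user}: {kind} {sorted(grants) if grants else ''}".rstrip())
```

Both privilege findings are computed the same way, as the difference between what the account holds and what its current roles justify; the "former roles" record only explains how the surplus got there. Either way the remedy is the same: remove the surplus grants, and disable the dormant account.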
  • Information Security Policy (ISP)
    Security threats are constantly evolving, and compliance
    requirements are becoming increasingly complex.
    Organizations large and small must create a comprehensive security
    program to cover both challenges.
  • A few key characteristics make a security policy efficient:
    • it should cover security from end-to-end across the organization,
    be enforceable and practical, have space for revisions and updates, and
    be focused on the business goals of your organization.
  • The Importance of an Information Security Policy
    Creating an effective security policy and taking steps to ensure
    compliance is a critical step to prevent and mitigate security
    breaches.
    To make your security policy truly effective, update it in response to
    changes in your company, new threats, conclusions drawn from
    previous breaches, and other changes to your security posture.
    Make your information security policy practical and enforceable.
    It should have an exception system in place to accommodate
    requirements and urgencies that arise from different parts of the
    organization.
  • 8 Elements of an Information Security Policy
    1. Purpose
    2. Audience
    3. Information security objectives
    4. Authority and access control policy
    5. Data classification
    6. Data support and operations
    7. Security awareness and behavior
    8. Responsibilities, rights, and duties of personnel
  • Purpose
    Create an overall approach to information security.
    Detect and preempt information security breaches such as misuse
    of networks, data, applications, and computer systems.
    Maintain the reputation of the organization, and uphold ethical
    and legal responsibilities.
    Respect customer rights, including how to react to inquiries and
    complaints about non-compliance.
  • Audience
    You may also specify which audiences are out of the scope of the
    policy (for example, staff in another business unit which manages
    security separately may not be in the scope of the policy).
  • Information security objectives
    Guide your management team to agree on well-defined objectives
    for strategy and security.
    Information security focuses on three main objectives:
    1.Confidentiality
    2.Integrity
    3. Availability
  • Authority and access control policy
    Hierarchical pattern— a senior manager may have the authority to
    decide what data can be shared and with whom.
    The security policy may have different terms for a senior
    manager vs. a junior employee.
    • The policy should outline the level of authority over data and IT
    systems for each organizational role.
    Network security policy— users are only able to access company
    networks and servers via unique logins that demand
    authentication, including passwords, biometrics, ID cards, or
    tokens. You should monitor all systems and record all login
    attempts.
  • Data classification
    The policy should classify data into categories, which may include
    “top secret”, “secret”, “confidential” and “public”. Your objective
    in classifying data is:
    To ensure that sensitive data cannot be accessed by individuals
    with lower clearance levels.
    To protect highly important data, and avoid needless security
    measures for unimportant data.
  • Data support and operations
    Data protection regulations— systems that store personal data, or
    other sensitive data, must be protected according to
    organizational standards, best practices, industry compliance
    standards and relevant regulations.
    Most security standards require, at a minimum, encryption, a
    firewall, and anti-malware protection.
    Data backup— encrypt data backups according to industry best
    practices. Securely store backup media, or move backups to secure
    cloud storage.
  • Movement of data— only transfer data via secure protocols.
    Encrypt any information copied to portable devices or transmitted
    across a public network.
  • 7. Security awareness and behavior
    Share IT security policies with your staff. Conduct training sessions
    to inform employees of your security procedures and mechanisms,
    including data protection measures, access protection measures,
    and sensitive data classification.
  • Responsibilities, rights, and duties of personnel
    Appoint staff to carry out user access reviews, education, change
    management, incident management, implementation, and
    periodic updates of the security policy.
    Responsibilities should be clearly defined as part of the security
    policy.