© ITT Educational Services, Inc. All rights reserved.Page 1 IS3230 Access Security © ITT Educational Services, Inc. All rights reserved. IS3230 Access Security Unit 4 Developing Access Control Policy Framework
© ITT Educational Services, Inc. All rights reserved.Page 2 IS3230 Access Security Class Agenda 10/8/15 Learning Objectives Lesson Presentation and Discussions. Discussion of class project Lab Activities will be performed in class.. Assignments will be given in class. Break Times. 10 Minutes break in every 1 Hour. Note: Submit all Assignment and labs due today.
© ITT Educational Services, Inc. All rights reserved.Page 3 IS3230 Access Security Learning Objective and Key Concepts Learning Objective Develop an access control policy framework consisting of best practices for policies, standards, procedures, and guidelines to mitigate unauthorized access. Key Concepts Regulatory laws concerning unauthorized access Security breaches Organization-wide authorization and access policy Access control and data classification policies
© ITT Educational Services, Inc. All rights reserved.Page 4 IS3230 Access Security Regulatory laws concerning unauthorized access Regulators have created a large and growing set of regulations and frameworks aimed at enforcing protection of information, privacy, and transparency of information. For example, HIPAA for healthcare, GLBA for financial services, and Sarbanes-Oxley for public companies.
© ITT Educational Services, Inc. All rights reserved.Page 5 IS3230 Access Security Motivation Congress to passed Sarbanes-Oxley Act of 2002 (SOX) To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities law. All of these systems employ relational databases, and these projects include database security and auditing implementations.
© ITT Educational Services, Inc. All rights reserved.Page 6 IS3230 Access Security Gramm-Leach-Bliley Act (GLBA) Also called Financial Services Modernization Act or Citigroup Relief Act. Defines various requirements designed to protect the privacy of customers financial institution.
© ITT Educational Services, Inc. All rights reserved.Page 7 IS3230 Access Security Gramm-Leach-Bliley Act (GLBA) Ensure the security and privacy of customer information Protect against threats to the security and integrity of customer information Protect against unauthorized access and/or usage of this information that could result in harm or inconvenience to the customer
© ITT Educational Services, Inc. All rights reserved.Page 8 IS3230 Access Security Sarbanes-Oxley Act of 2002 (SOX or SarBox) SOA addresses many areas that affect the accuracy and transparency of financial reporting. To enforces accountability for financial record keeping and reporting at publicly traded corporations
© ITT Educational Services, Inc. All rights reserved.Page 9 IS3230 Access Security Sarbanes-Oxley Act of 2002 (SOX or SarBox) IT people focus on Section 404, which requires management to report on the effectiveness of the company’s internal control over financial reporting.
© ITT Educational Services, Inc. All rights reserved.Page 10 IS3230 Access Security Sarbanes-Oxley Act of 2002 (SOX or SarBox) It requires management’s development and monitoring of procedures and controls for making assertions about the Adequacy of internal controls over financial reporting. It is management’s responsibility and can not be delegated or abdicated. Document and evaluate the design and operation of its internal control.
© ITT Educational Services, Inc. All rights reserved.Page 11 IS3230 Access Security Health Insurance Portability and Accountability Act of 1996 (HIPAA) Objective Guarantee health insurance coverage of employees Reduce health care fraud and abuse Protect the health information of individuals against access without consent or authorization
© ITT Educational Services, Inc. All rights reserved.Page 12 IS3230 Access Security Access Control Policy Framework Identifies the importance of protecting assets and leading practices to achieve protection Beneficial for documenting management understanding and commitment to asset protection
© ITT Educational Services, Inc. All rights reserved.Page 13 IS3230 Access Security Policy Mapping 13 Functional Policies ProceduresStandardsGuidelinesBaselines Laws, Regulations, Requirements, Organizational Goals, Objectives General Organizational Policies
© ITT Educational Services, Inc. All rights reserved.Page 14 IS3230 Access Security Policies Policies are statements of management intentions and goals Senior Management support and approval is vital to success General, high-level objectives Acceptable use, internet access, logging, information security, etc 14
© ITT Educational Services, Inc. All rights reserved.Page 15 IS3230 Access Security Procedures Procedures are detailed steps to perform a specific task Usually required by policy Decommissioning resources, adding user accounts, deleting user accounts, change management, etc 15
© ITT Educational Services, Inc. All rights reserved.Page 16 IS3230 Access Security Standards Standards specify the use of specific technologies in a uniform manner Requires uniformity throughout the organization Operating systems, applications, server tools, router configurations, etc 16
© ITT Educational Services, Inc. All rights reserved.Page 17 IS3230 Access Security Guidelines Guidelines are recommended methods for performing a task Recommended, but not required Malware cleanup, spyware removal, data conversion, sanitization, etc 17
© ITT Educational Services, Inc. All rights reserved.Page 18 IS3230 Access Security Baselines Baselines are similar to standards but account for differences in technologies and versions from different vendors Operating system security baselines FreeBSD 6.2, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc 18
© ITT Educational Services, Inc. All rights reserved.Page 19 IS3230 Access Security Access Control Policies Explicitly state responsibilities and accountabilities for achieving the framework principles Establish and embed management’s commitment Authorize the expenditure of resources Inform those who need to know Provide later documents for consultation to verify achievement of objectives
© ITT Educational Services, Inc. All rights reserved.Page 20 IS3230 Access Security Access Control Procedures and Guidelines Procedures: Tell how to do something Step-by-step means to accomplish a task Become “knowledge” transfer
© ITT Educational Services, Inc. All rights reserved.Page 21 IS3230 Access Security Access Control Procedures and Guidelines (Continued) Guidelines: Are generally accepted practices Not mandatory Allow implementation May achieve objective through alternate means
© ITT Educational Services, Inc. All rights reserved.Page 22 IS3230 Access Security Password Management Controls Log accesses and monitor activities Validation programs Enforce password changes at reasonable intervals Expiry policy to lock accounts after a period of nonuse
© ITT Educational Services, Inc. All rights reserved.Page 23 IS3230 Access Security Password Management Controls (Continued) Audit logs to review for successful and failed attempts Password policy Privacy policy
© ITT Educational Services, Inc. All rights reserved.Page 24 IS3230 Access Security Password Control Issues Users: Choose easy to guess passwords Share passwords Often forget passwords Password vulnerable to hacker attacks
© ITT Educational Services, Inc. All rights reserved.Page 25 IS3230 Access Security Discussion on Security Breaches
© ITT Educational Services, Inc. All rights reserved.Page 26 IS3230 Access Security Access Control Failures People: insiders and outsiders. Technology
© ITT Educational Services, Inc. All rights reserved.Page 27 IS3230 Access Security Access Control Principles Minimal privilege or exposure Regular monitoring of access privileges Need to know basis for allowing access Physical, logical, and integrated access controls Monitor logs and correlate events across systems
© ITT Educational Services, Inc. All rights reserved.Page 28 IS3230 Access Security Layered Security and Defense-in- Depth Mechanisms Need to Know PhysicalRBAC MAC Least Privilege Layered Security Defense-in-Depth Security Firewalls Intrusion Prevention System (IPS)/Intrusion Detection System (IDS) Operating System (OS)
© ITT Educational Services, Inc. All rights reserved.Page 29 IS3230 Access Security Type of Threat Organizations Reporting Issue Misuse of Portable Storage57 % Software Downloading56 % Peer to Peer (P2P) File Sharing 54 % Remote Access Programs53 % Rogue Wireless Fidelity (Wi-Fi) Access Points 48 % Rogue Modems47 % Prevalent Insider Threats
© ITT Educational Services, Inc. All rights reserved.Page 30 IS3230 Access Security Type of Threat Organizations Reporting Issue Media Downloading40 % Personal Digital Assistants (PDAs) 40 % Unauthorized Blogging25 % Personal Instant Message (IM) Accounts 24 % Misuse of Portable Storage57 % Prevalent Insider Threats (Continued) By Edward Cone on : The survey included 100 IT security professionals and executivesEdward Cone
© ITT Educational Services, Inc. All rights reserved.Page 31 IS3230 Access Security Type of Threat Organizations Reporting Issue Misuse of Portable Storage57 % Software Downloading56 % Peer to Peer (P2P) File Sharing54 % Remote Access Programs53 % Rogue Wireless Fidelity (Wi-Fi) Access Points 48 % Prevalent Insider Threats
© ITT Educational Services, Inc. All rights reserved.Page 32 IS3230 Access Security Type of Threat Organizations Reporting Issue Rogue Modems47 % Media Downloading40 % Personal Digital Assistants (PDAs) 40 % Unauthorized Blogging25 % Personal Instant Message (IM) Accounts 24 % Misuse of Portable Storage57 % Prevalent Insider Threats (Continued)
© ITT Educational Services, Inc. All rights reserved.Page 33 IS3230 Access Security What functions do the users perform? Are any of the functions incompatible? Do some of the functions cause conflicts of duties? How will conflicting duties or functions be evaluated and reviewed? How will separation of duties be reviewed and approved? How Much Access will the User Need?
© ITT Educational Services, Inc. All rights reserved.Page 34 IS3230 Access Security What internal controls, administrative, technical, and operational, are in place? Who will review the controls and how often? Will information be shared internally, externally, or both? Is approval required before sharing data externally? Is a data classification policy in place? How Much Access will the User Need? (Continued)
© ITT Educational Services, Inc. All rights reserved.Page 35 IS3230 Access Security Contract strategic partner and legal requirements Authentication methods, data classification, and data storage and recovery Means of sharing data Monitor access and violations Service level agreements Third Party Considerations
© ITT Educational Services, Inc. All rights reserved.Page 36 IS3230 Access Security Security Awareness Training Facts Information technology (IT) security surveys conducted by well-known accounting firms found the following: Many organizations have some awareness training. Most awareness programs omitted important elements. Less than 25% of organizations had no way to track awareness program effectiveness. Source:
© ITT Educational Services, Inc. All rights reserved.Page 37 IS3230 Access Security Class Project Research and write 3 pages Access security policy for a organization. Use the appropriate research writing style recommended by the School Submit your research outline in the next class.
© ITT Educational Services, Inc. All rights reserved.Page 38 IS3230 Access Security Lab Activities Lab # 4: Identify and Classify Data for Access Control Equipment. Complete the lab activities and submit the answers to the next class.
© ITT Educational Services, Inc. All rights reserved.Page 39 IS3230 Access Security Unit 4 Assignments Complete Chapter 4 Assessment-Page 95 and 96 Question 1 to 12 Print and Submit in the next class. Reading assignment: Read Chapters 5 before the next class.