Presentation is loading. Please wait.

Presentation is loading. Please wait.

© ITT Educational Services, Inc. All rights reserved.Page 1 IS3230 Access Security © ITT Educational Services, Inc. All rights reserved. IS3230 Access.

Published byBrook Cole Modified over 9 years ago

Similar presentations

Presentation on theme: "© ITT Educational Services, Inc. All rights reserved.Page 1 IS3230 Access Security © ITT Educational Services, Inc. All rights reserved. IS3230 Access."— Presentation transcript:

1 © ITT Educational Services, Inc. All rights reserved.Page 1 IS3230 Access Security © ITT Educational Services, Inc. All rights reserved. IS3230 Access Security Unit 4 Developing Access Control Policy Framework

2 © ITT Educational Services, Inc. All rights reserved.Page 2 IS3230 Access Security Class Agenda 10/8/15  Learning Objectives  Lesson Presentation and Discussions.  Discussion of class project  Lab Activities will be performed in class..  Assignments will be given in class.  Break Times. 10 Minutes break in every 1 Hour.  Note: Submit all Assignment and labs due today.

3 © ITT Educational Services, Inc. All rights reserved.Page 3 IS3230 Access Security Learning Objective and Key Concepts Learning Objective  Develop an access control policy framework consisting of best practices for policies, standards, procedures, and guidelines to mitigate unauthorized access. Key Concepts  Regulatory laws concerning unauthorized access  Security breaches  Organization-wide authorization and access policy  Access control and data classification policies

4 © ITT Educational Services, Inc. All rights reserved.Page 4 IS3230 Access Security Regulatory laws concerning unauthorized access  Regulators have created a large and growing set of regulations and frameworks aimed at enforcing protection of information, privacy, and transparency of information.  For example, HIPAA for healthcare, GLBA for financial services, and Sarbanes-Oxley for public companies.

5 © ITT Educational Services, Inc. All rights reserved.Page 5 IS3230 Access Security Motivation  Congress to passed Sarbanes-Oxley Act of 2002 (SOX)  To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities law.  All of these systems employ relational databases, and these projects include database security and auditing implementations.

6 © ITT Educational Services, Inc. All rights reserved.Page 6 IS3230 Access Security Gramm-Leach-Bliley Act (GLBA)  Also called Financial Services Modernization Act or Citigroup Relief Act.  Defines various requirements designed to protect the privacy of customers financial institution.

7 © ITT Educational Services, Inc. All rights reserved.Page 7 IS3230 Access Security Gramm-Leach-Bliley Act (GLBA)  Ensure the security and privacy of customer information  Protect against threats to the security and integrity of customer information  Protect against unauthorized access and/or usage of this information that could result in harm or inconvenience to the customer

8 © ITT Educational Services, Inc. All rights reserved.Page 8 IS3230 Access Security Sarbanes-Oxley Act of 2002 (SOX or SarBox)  SOA addresses many areas that affect the accuracy and transparency of financial reporting.  To enforces accountability for financial record keeping and reporting at publicly traded corporations

9 © ITT Educational Services, Inc. All rights reserved.Page 9 IS3230 Access Security Sarbanes-Oxley Act of 2002 (SOX or SarBox)  IT people focus on Section 404, which requires management to report on the effectiveness of the company’s internal control over financial reporting.

10 © ITT Educational Services, Inc. All rights reserved.Page 10 IS3230 Access Security Sarbanes-Oxley Act of 2002 (SOX or SarBox)  It requires management’s development and monitoring of procedures and controls for making assertions about the Adequacy of internal controls over financial reporting.  It is management’s responsibility and can not be delegated or abdicated.  Document and evaluate the design and operation of its internal control.

11 © ITT Educational Services, Inc. All rights reserved.Page 11 IS3230 Access Security Health Insurance Portability and Accountability Act of 1996 (HIPAA)  Objective Guarantee health insurance coverage of employees Reduce health care fraud and abuse Protect the health information of individuals against access without consent or authorization

12 © ITT Educational Services, Inc. All rights reserved.Page 12 IS3230 Access Security Access Control Policy Framework  Identifies the importance of protecting assets and leading practices to achieve protection  Beneficial for documenting management understanding and commitment to asset protection

13 © ITT Educational Services, Inc. All rights reserved.Page 13 IS3230 Access Security Policy Mapping 13 Functional Policies ProceduresStandardsGuidelinesBaselines Laws, Regulations, Requirements, Organizational Goals, Objectives General Organizational Policies

14 © ITT Educational Services, Inc. All rights reserved.Page 14 IS3230 Access Security Policies  Policies are statements of management intentions and goals  Senior Management support and approval is vital to success  General, high-level objectives  Acceptable use, internet access, logging, information security, etc 14

15 © ITT Educational Services, Inc. All rights reserved.Page 15 IS3230 Access Security Procedures  Procedures are detailed steps to perform a specific task  Usually required by policy  Decommissioning resources, adding user accounts, deleting user accounts, change management, etc 15

16 © ITT Educational Services, Inc. All rights reserved.Page 16 IS3230 Access Security Standards  Standards specify the use of specific technologies in a uniform manner  Requires uniformity throughout the organization  Operating systems, applications, server tools, router configurations, etc 16

17 © ITT Educational Services, Inc. All rights reserved.Page 17 IS3230 Access Security Guidelines  Guidelines are recommended methods for performing a task  Recommended, but not required  Malware cleanup, spyware removal, data conversion, sanitization, etc 17

18 © ITT Educational Services, Inc. All rights reserved.Page 18 IS3230 Access Security Baselines  Baselines are similar to standards but account for differences in technologies and versions from different vendors  Operating system security baselines FreeBSD 6.2, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc 18

19 © ITT Educational Services, Inc. All rights reserved.Page 19 IS3230 Access Security Access Control Policies  Explicitly state responsibilities and accountabilities for achieving the framework principles  Establish and embed management’s commitment  Authorize the expenditure of resources  Inform those who need to know  Provide later documents for consultation to verify achievement of objectives

20 © ITT Educational Services, Inc. All rights reserved.Page 20 IS3230 Access Security Access Control Procedures and Guidelines Procedures:  Tell how to do something  Step-by-step means to accomplish a task  Become “knowledge” transfer

21 © ITT Educational Services, Inc. All rights reserved.Page 21 IS3230 Access Security Access Control Procedures and Guidelines (Continued) Guidelines:  Are generally accepted practices  Not mandatory  Allow implementation  May achieve objective through alternate means

22 © ITT Educational Services, Inc. All rights reserved.Page 22 IS3230 Access Security Password Management Controls  Log accesses and monitor activities  Validation programs  Enforce password changes at reasonable intervals  Expiry policy to lock accounts after a period of nonuse

23 © ITT Educational Services, Inc. All rights reserved.Page 23 IS3230 Access Security Password Management Controls (Continued)  Audit logs to review for successful and failed attempts  Password policy  Privacy policy

24 © ITT Educational Services, Inc. All rights reserved.Page 24 IS3230 Access Security Password Control Issues  Users: Choose easy to guess passwords Share passwords Often forget passwords  Password vulnerable to hacker attacks

25 © ITT Educational Services, Inc. All rights reserved.Page 25 IS3230 Access Security Discussion on Security Breaches

26 © ITT Educational Services, Inc. All rights reserved.Page 26 IS3230 Access Security Access Control Failures  People: insiders and outsiders.  Technology

27 © ITT Educational Services, Inc. All rights reserved.Page 27 IS3230 Access Security Access Control Principles  Minimal privilege or exposure  Regular monitoring of access privileges  Need to know basis for allowing access  Physical, logical, and integrated access controls  Monitor logs and correlate events across systems

28 © ITT Educational Services, Inc. All rights reserved.Page 28 IS3230 Access Security Layered Security and Defense-in- Depth Mechanisms Need to Know PhysicalRBAC MAC Least Privilege Layered Security Defense-in-Depth Security Firewalls Intrusion Prevention System (IPS)/Intrusion Detection System (IDS) Operating System (OS)

29 © ITT Educational Services, Inc. All rights reserved.Page 29 IS3230 Access Security Type of Threat Organizations Reporting Issue Misuse of Portable Storage57 % Software Downloading56 % Peer to Peer (P2P) File Sharing 54 % Remote Access Programs53 % Rogue Wireless Fidelity (Wi-Fi) Access Points 48 % Rogue Modems47 % Prevalent Insider Threats

30 © ITT Educational Services, Inc. All rights reserved.Page 30 IS3230 Access Security Type of Threat Organizations Reporting Issue Media Downloading40 % Personal Digital Assistants (PDAs) 40 % Unauthorized Blogging25 % Personal Instant Message (IM) Accounts 24 % Misuse of Portable Storage57 % Prevalent Insider Threats (Continued) By Edward Cone on 2009-03-25: The survey included 100 IT security professionals and executivesEdward Cone

31 © ITT Educational Services, Inc. All rights reserved.Page 31 IS3230 Access Security Type of Threat Organizations Reporting Issue Misuse of Portable Storage57 % Software Downloading56 % Peer to Peer (P2P) File Sharing54 % Remote Access Programs53 % Rogue Wireless Fidelity (Wi-Fi) Access Points 48 % Prevalent Insider Threats

32 © ITT Educational Services, Inc. All rights reserved.Page 32 IS3230 Access Security Type of Threat Organizations Reporting Issue Rogue Modems47 % Media Downloading40 % Personal Digital Assistants (PDAs) 40 % Unauthorized Blogging25 % Personal Instant Message (IM) Accounts 24 % Misuse of Portable Storage57 % Prevalent Insider Threats (Continued)

33 © ITT Educational Services, Inc. All rights reserved.Page 33 IS3230 Access Security  What functions do the users perform?  Are any of the functions incompatible?  Do some of the functions cause conflicts of duties?  How will conflicting duties or functions be evaluated and reviewed?  How will separation of duties be reviewed and approved? How Much Access will the User Need?

34 © ITT Educational Services, Inc. All rights reserved.Page 34 IS3230 Access Security  What internal controls, administrative, technical, and operational, are in place?  Who will review the controls and how often?  Will information be shared internally, externally, or both?  Is approval required before sharing data externally?  Is a data classification policy in place? How Much Access will the User Need? (Continued)

35 © ITT Educational Services, Inc. All rights reserved.Page 35 IS3230 Access Security  Contract strategic partner and legal requirements  Authentication methods, data classification, and data storage and recovery  Means of sharing data  Monitor access and violations  Service level agreements Third Party Considerations

36 © ITT Educational Services, Inc. All rights reserved.Page 36 IS3230 Access Security Security Awareness Training Facts Information technology (IT) security surveys conducted by well-known accounting firms found the following:  Many organizations have some awareness training.  Most awareness programs omitted important elements.  Less than 25% of organizations had no way to track awareness program effectiveness. Source: http://www.lumension.com/Resources/Resource-Center/Protect-Vital-Information-Minimize-Insider-Risks.aspx

37 © ITT Educational Services, Inc. All rights reserved.Page 37 IS3230 Access Security Class Project  Research and write 3 pages Access security policy for a organization.  Use the appropriate research writing style recommended by the School  Submit your research outline in the next class.

38 © ITT Educational Services, Inc. All rights reserved.Page 38 IS3230 Access Security Lab Activities  Lab # 4: Identify and Classify Data for Access Control Equipment.  Complete the lab activities and submit the answers to the next class.

39 © ITT Educational Services, Inc. All rights reserved.Page 39 IS3230 Access Security Unit 4 Assignments  Complete Chapter 4 Assessment-Page 95 and 96  Question 1 to 12  Print and Submit in the next class.  Reading assignment: Read Chapters 5 before the next class.

Download ppt "© ITT Educational Services, Inc. All rights reserved.Page 1 IS3230 Access Security © ITT Educational Services, Inc. All rights reserved. IS3230 Access."

Similar presentations

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
IS3350 Security Issues in Legal Context

IS3350 Security Issues in Legal Context
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart1 of 222 C HAPTER 7 Information Systems Controls for Systems.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart1 of 222 C HAPTER 7 Information Systems Controls for Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Security Management Practices Keith A. Watson, CISSP CERIAS.

Security Management Practices Keith A. Watson, CISSP CERIAS.
Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.

Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.

Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Similar presentations

Ads by Google