
IS3230 Assignment 8


Slide 1: IS3230 Access Security, Unit 4: Developing an Access Control Policy Framework
© ITT Educational Services, Inc. All rights reserved.

Slide 2: Class Agenda, 10/8/15
• Learning objectives
• Lesson presentation and discussions
• Discussion of the class project
• Lab activities will be performed in class
• Assignments will be given in class
• Break times: a 10-minute break every hour
• Note: submit all assignments and labs due today

Slide 3: Learning Objective and Key Concepts
Learning objective:
• Develop an access control policy framework consisting of best practices for policies, standards, procedures, and guidelines to mitigate unauthorized access.
Key concepts:
• Regulatory laws concerning unauthorized access
• Security breaches
• Organization-wide authorization and access policy
• Access control and data classification policies

Slide 4: Regulatory Laws Concerning Unauthorized Access
• Regulators have created a large and growing set of regulations and frameworks aimed at enforcing the protection of information, privacy, and transparency of information.
• For example: HIPAA for healthcare, GLBA for financial services, and Sarbanes-Oxley for public companies.

Slide 5: Motivation
• Congress passed the Sarbanes-Oxley Act of 2002 (SOX) to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
• The financial reporting systems in scope for SOX run on relational databases, so SOX compliance projects include database security and auditing implementations.

Slide 6: Gramm-Leach-Bliley Act (GLBA)
• Also called the Financial Services Modernization Act (or, informally, the Citigroup Relief Act).
• Defines requirements designed to protect the privacy of a financial institution's customers.

Slide 7: Gramm-Leach-Bliley Act (GLBA), continued
• Ensure the security and confidentiality of customer information
• Protect against anticipated threats to the security or integrity of customer information
• Protect against unauthorized access to or use of this information that could result in harm or inconvenience to the customer

Slide 8: Sarbanes-Oxley Act of 2002 (SOX or SarbOx)
• SOX addresses many areas that affect the accuracy and transparency of financial reporting.
• It enforces accountability for financial record keeping and reporting at publicly traded corporations.

Slide 9: Sarbanes-Oxley Act of 2002, continued
• IT people focus on Section 404, which requires management to report on the effectiveness of the company's internal control over financial reporting.

Slide 10: Sarbanes-Oxley Act of 2002, continued
• Requires management to develop and monitor the procedures and controls behind its assertions about the adequacy of internal controls over financial reporting.
• This is management's responsibility and cannot be delegated or abdicated.
• Management must document and evaluate both the design and the operation of its internal controls.

Slide 11: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Objectives:
• Guarantee health insurance coverage of employees
• Reduce health care fraud and abuse
• Protect the health information of individuals against access without consent or authorization

Slide 12: Access Control Policy Framework
• Identifies the importance of protecting assets and the leading practices for achieving that protection
• Beneficial for documenting management's understanding of, and commitment to, asset protection

Slide 13: Policy Mapping
The policy hierarchy, from the top down:
• Laws, regulations, requirements, organizational goals, and objectives
• General organizational policies
• Functional policies
• Procedures, standards, guidelines, and baselines

Slide 14: Policies
• Policies are statements of management intentions and goals
• Senior management support and approval is vital to success
• General, high-level objectives
• Examples: acceptable use, Internet access, logging, information security

Slide 15: Procedures
• Procedures are detailed steps to perform a specific task
• Usually required by policy
• Examples: decommissioning resources, adding user accounts, deleting user accounts, change management

Slide 16: Standards
• Standards specify the use of specific technologies in a uniform manner
• Require uniformity throughout the organization
• Examples: operating systems, applications, server tools, router configurations

Slide 17: Guidelines
• Guidelines are recommended methods for performing a task
• Recommended, but not required
• Examples: malware cleanup, spyware removal, data conversion, sanitization

Slide 18: Baselines
• Baselines are similar to standards but account for differences in technologies and versions from different vendors
• Example: operating system security baselines for FreeBSD 6.2, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc.

Slide 19: Access Control Policies
• Explicitly state responsibilities and accountabilities for achieving the framework principles
• Establish and embed management's commitment
• Authorize the expenditure of resources
• Inform those who need to know
• Provide documents that can later be consulted to verify achievement of objectives

Slide 20: Access Control Procedures and Guidelines
Procedures:
• Tell how to do something
• Step-by-step means to accomplish a task
• Become a vehicle for knowledge transfer

Slide 21: Access Control Procedures and Guidelines, continued
Guidelines:
• Are generally accepted practices
• Not mandatory
• Allow flexibility in implementation
• May achieve the objective through alternate means

Slide 22: Password Management Controls
• Log accesses and monitor activities
• Validation programs (check a new password against the policy before accepting it)
• Enforce password changes at reasonable intervals
• Expiry policy to lock accounts after a period of nonuse

Slide 23: Password Management Controls, continued
• Audit logs to review for successful and failed login attempts
• Password policy
• Privacy policy

Slide 24: Password Control Issues
• Users choose easy-to-guess passwords, share passwords, and often forget them
• Passwords are vulnerable to guessing and cracking attacks
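The controls on slides 22 to 24 (audit logs of successful and failed attempts, password changes at set intervals, lockout after a period of nonuse) are the kind of thing a reviewer checks with a script rather than by eye. The following is an added example, not part of the ITT slide deck: it parses a constructed sshd-style authentication log, joins it with a constructed account table and a constructed review date, and reports failed-login bursts, dormant accounts, and passwords older than the policy maximum. The log format, usernames, addresses, and the 5-attempt / 10-minute / 90-day thresholds are all assumptions chosen for the illustration.

```python
"""Password-management control checks over a constructed auth log.

Added example (not from the original slide deck). The log lines, account
table, review date and thresholds below are all constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sshd-style log lines, in chronological order (not real data).
AUTH_LOG = """\
2015-06-01T17:44:09Z sshd: Accepted password for mlee from 10.1.1.31
2015-10-07T08:02:11Z sshd: Accepted password for jsmith from 10.1.1.20
2015-10-07T08:03:02Z sshd: Failed password for admin from 203.0.113.9
2015-10-07T08:03:05Z sshd: Failed password for admin from 203.0.113.9
2015-10-07T08:03:09Z sshd: Failed password for admin from 203.0.113.9
2015-10-07T08:03:12Z sshd: Failed password for admin from 203.0.113.9
2015-10-07T08:03:16Z sshd: Failed password for admin from 203.0.113.9
2015-10-07T08:03:20Z sshd: Failed password for admin from 203.0.113.9
2015-10-07T09:15:44Z sshd: Failed password for jsmith from 10.1.1.20
2015-10-07T09:16:01Z sshd: Accepted password for jsmith from 10.1.1.20
"""

# Constructed account table: when each account's password was last changed.
PASSWORD_CHANGED = {
    "jsmith": datetime(2015, 9, 15, tzinfo=timezone.utc),
    "admin": datetime(2015, 3, 1, tzinfo=timezone.utc),
    "svc_backup": datetime(2015, 6, 20, tzinfo=timezone.utc),
    "mlee": datetime(2015, 9, 30, tzinfo=timezone.utc),
}
REVIEW_DATE = datetime(2015, 10, 8, tzinfo=timezone.utc)  # the class date

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    success: bool
    user: str
    src: str


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(AuthEvent(when, m["result"] == "Accepted", m["user"], m["src"]))
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """{(user, source): most failures inside any sliding window} for pairs that
    reach the threshold; a guessing attack shows up here, a single typo does not."""
    by_key = defaultdict(list)
    for e in events:
        if not e.success:
            by_key[(e.user, e.src)].append(e.when)
    bursts = {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


def dormant_accounts(accounts, events, as_of, max_idle_days=90):
    """Accounts with no successful login in max_idle_days (or none at all):
    candidates for the nonuse lockout in the expiry policy."""
    last_ok = {}
    for e in events:
        if e.success and (e.user not in last_ok or e.when > last_ok[e.user]):
            last_ok[e.user] = e.when
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u in accounts if u not in last_ok or last_ok[u] < cutoff)


def expired_passwords(accounts, as_of, max_age_days=90):
    """Accounts whose password is older than the policy's maximum age."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(u for u, changed in accounts.items() if changed < cutoff)


def review_report():
    """Run the three checks over the constructed data and return the findings."""
    events = parse_auth_log(AUTH_LOG)
    return {
        "bursts": failed_login_bursts(events),
        "dormant": dormant_accounts(PASSWORD_CHANGED, events, REVIEW_DATE),
        "expired": expired_passwords(PASSWORD_CHANGED, REVIEW_DATE),
    }


if __name__ == "__main__":
    for finding, value in review_report().items():
        print(f"{finding}: {value}")
```

The burst detector keys on (account, source) so that one attacker hammering one account stands out while a user who mistypes once is ignored; the dormant-account check treats an account that has never logged in as dormant, which is the usual fate of service accounts created "just in case".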

Slide 25: Discussion on Security Breaches

Slide 26: Access Control Failures
• People: insiders and outsiders
• Technology

Slide 27: Access Control Principles
• Minimal privilege or exposure
• Regular monitoring of access privileges
• Need-to-know basis for allowing access
• Physical, logical, and integrated access controls
• Monitor logs and correlate events across systems

Slide 28: Layered Security and Defense-in-Depth Mechanisms
Access control mechanisms (layered security):
• Need to know
• Least privilege
• Physical controls
• Role-based access control (RBAC)
• Mandatory access control (MAC)
Defense-in-depth layers:
• Firewalls
• Intrusion Prevention System (IPS) / Intrusion Detection System (IDS)
• Operating System (OS) security

Slide 29: Prevalent Insider Threats

Type of threat | Organizations reporting the issue
Misuse of portable storage | 57%
Software downloading | 56%
Peer-to-peer (P2P) file sharing | 54%
Remote access programs | 53%
Rogue Wi-Fi access points | 48%
Rogue modems | 47%

Slide 30: Prevalent Insider Threats, continued

Type of threat | Organizations reporting the issue
Media downloading | 40%
Personal digital assistants (PDAs) | 40%
Unauthorized blogging | 25%
Personal instant message (IM) accounts | 24%

Source: Edward Cone, 2009-03-25. The survey included 100 IT security professionals and executives.


Slide 33: How Much Access Will the User Need?
• What functions do the users perform?
• Are any of the functions incompatible?
• Do some of the functions cause conflicts of duties?
• How will conflicting duties or functions be evaluated and reviewed?
• How will separation of duties be reviewed and approved?

Slide 34: How Much Access Will the User Need?, continued
• What internal controls (administrative, technical, and operational) are in place?
• Who will review the controls, and how often?
• Will information be shared internally, externally, or both?
• Is approval required before sharing data externally?
• Is a data classification policy in place?
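The questions on slides 33 and 34, together with the principles on slide 27 (minimal privilege, need to know, regular monitoring of access privileges), reduce to checks that can be run against an RBAC model. The following is an added example, not part of the ITT slide deck: it defines a constructed set of roles, permissions, users, separation-of-duties rules and access records, then answers "are any functions incompatible?", "which role pairs must never be co-assigned?", and "which granted permissions were never used in the review period?". Every name, permission string and conflict pair is an assumption made for the illustration.

```python
"""Separation-of-duties and least-privilege review over a constructed RBAC model.

Added example (not from the original slide deck). Roles, permissions, users,
conflict pairs and access records are all constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from itertools import combinations

# Constructed role -> permission assignments (a finance department with IT support).
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor:create", "invoice:enter"},
    "ap_approver": {"invoice:approve"},
    "treasury": {"payment:release"},
    "auditor": {"ledger:read", "log:read"},
    "sysadmin": {"user:create", "user:disable", "log:read"},
}

# Constructed user -> role assignments.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_approver"},
    "carol": {"treasury", "ap_clerk"},
    "dave": {"auditor"},
    "erin": {"sysadmin", "auditor"},
}

# Constructed separation-of-duties rules: no single user may hold both permissions.
SOD_CONFLICTS = [
    ("invoice:enter", "invoice:approve"),   # entering and approving the same invoices
    ("vendor:create", "payment:release"),   # creating a payee and paying it
    ("user:create", "payment:release"),     # creating accounts and moving money
]

# Constructed access records for the review period: (user, permission exercised).
ACCESS_RECORDS = [
    ("alice", "invoice:enter"), ("alice", "invoice:enter"),
    ("bob", "invoice:approve"), ("carol", "payment:release"),
    ("dave", "ledger:read"), ("erin", "log:read"),
]


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return frozenset(perms)


def is_authorized(user, permission, **model):
    """Deny-by-default check: the user needs an explicit grant through a role."""
    return permission in effective_permissions(user, **model)


def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Users whose combined roles hold both halves of a conflict pair."""
    findings = {}
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_perms)
        hits = sorted(pair for pair in conflicts if pair[0] in perms and pair[1] in perms)
        if hits:
            findings[user] = hits
    return findings


def conflicting_role_pairs(role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Role pairs that must never be assigned together, derived from the
    permission-level rules, so the conflict can be refused at assignment time."""
    pairs = set()
    for r1, r2 in combinations(sorted(role_perms), 2):
        combined = role_perms[r1] | role_perms[r2]
        if any(a in combined and b in combined for a, b in conflicts):
            pairs.add((r1, r2))
    return sorted(pairs)


def unused_permissions(records=ACCESS_RECORDS, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Granted but never exercised permissions: removal candidates under
    least privilege and need to know."""
    used = defaultdict(set)
    for user, perm in records:
        used[user].add(perm)
    report = {}
    for user in sorted(user_roles):
        idle = effective_permissions(user, user_roles, role_perms) - used[user]
        if idle:
            report[user] = sorted(idle)
    return report


if __name__ == "__main__":
    print("SoD violations:", sod_violations())
    print("Role pairs that must not be co-assigned:", conflicting_role_pairs())
    print("Granted but unused:", unused_permissions())
```

Two points the slides' questions lead to: conflicts are defined at the permission level but enforced at the role level (`conflicting_role_pairs`), so a new role that quietly bundles an incompatible permission is caught the first time it is co-assigned; and "how much access does the user need?" is answered empirically by diffing what was granted against what was actually exercised during the review window.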

Slide 35: Third-Party Considerations
• Contracts with strategic partners and legal requirements
• Authentication methods, data classification, and data storage and recovery
• Means of sharing data
• Monitoring of access and violations
• Service level agreements

Slide 36: Security Awareness Training Facts
Information technology (IT) security surveys conducted by well-known accounting firms found the following:
• Many organizations have some awareness training.
• Most awareness programs omitted important elements.
• Less than 25% of organizations had no way to track awareness program effectiveness.
Source: http://www.lumension.com/Resources/Resource-Center/Protect-Vital-Information-Minimize-Insider-Risks.aspx

Slide 37: Class Project
• Research and write a 3-page access security policy for an organization.
• Use the research writing style recommended by the school.
• Submit your research outline in the next class.

Slide 38: Lab Activities
• Lab #4: Identify and Classify Data for Access Control Equipment.
• Complete the lab activities and submit the answers in the next class.

Slide 39: Unit 4 Assignments
• Complete the Chapter 4 Assessment, pages 95 and 96, questions 1 to 12.
• Print and submit in the next class.
• Reading assignment: read Chapter 5 before the next class.

Lab: Encrypt and Decrypt Files with PKI (Lab Assessment Worksheet)
Course name and number: IS3230
Student name:
Instructor name:
Lab due date: 8/6/15

Overview
In this lab, you applied common cryptographic and hashing techniques to ensure message and file transfer integrity and maximize confidentiality. You used GnuPG (GPG), a free encryption utility, to generate a public/private key pair and to encrypt and decrypt a message. You also used public key infrastructure (PKI) to send secure messages between two user accounts and verify the integrity of the received files. These tasks helped you understand the use and management of public and private encryption keys.

Lab Assessment Questions & Answers
1. In a scenario where Nancy and Matthew are using public key encryption, what keys does Nancy have the ability to see?
Nancy can see her own private key, her own public key, and Matthew's public key. She never sees Matthew's private key.
2. In a scenario where Nancy and Matthew are using public key encryption, what keys does Matthew have the ability to see?
Matthew can see his own private key, his own public key, and Nancy's public key. He never sees Nancy's private key.
3. If Nancy wishes to send a message to Matthew, what key does she use to encrypt the message?
Matthew's public key, so that only the holder of Matthew's private key can decrypt it. If she also wants to prove the message came from her, she signs it with her own private key.
4. If Matthew receives an encrypted message from Nancy, what key does he use to read it?
His own private key. He uses Nancy's public key only to verify her signature, not to decrypt.
5. If Matthew wishes to send a message to Nancy, what key does he use to encrypt the message?
Nancy's public key.
6. If Nancy receives an encrypted message from Matthew, what key does she use to read it?
Her own private key.
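The six worksheet questions all come down to one rule: encrypt with the recipient's public key, decrypt with your own private key, sign with your own private key, verify with the sender's public key. The following is an added example, not part of the lab or the worksheet: the lab used GnuPG, while this stand-alone script models the Nancy/Matthew exchange with textbook RSA so it runs offline on the Python standard library alone. The primes are constructed (well-known small primes), the messages are constructed, and "Eve" is an added eavesdropper who is not in the worksheet. The RSA here is deliberately minimal and not secure (no padding, one byte per block, moduli of roughly 40 bits that factor instantly); it exists only to make the key roles concrete.

```python
"""Who holds which key in the Nancy/Matthew exchange (added example).

Not part of the lab or the worksheet. Textbook RSA over constructed small
primes: correct about the key roles, NOT secure (no padding, tiny moduli,
one byte per block). Use GnuPG or a vetted library for real data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537) -> tuple[PublicKey, PrivateKey]:
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, (p - 1) * (q - 1)))


def encrypt(plaintext: bytes, recipient_pub: PublicKey) -> list[int]:
    """Encrypt one byte per block with the RECIPIENT's public key."""
    return [pow(b, recipient_pub.e, recipient_pub.n) for b in plaintext]


def decrypt(ciphertext: list[int], own_priv: PrivateKey) -> bytes | None:
    """Decrypt with the reader's OWN private key. With the wrong key the blocks
    come out as large residues rather than bytes, so None is returned."""
    blocks = [pow(c, own_priv.d, own_priv.n) for c in ciphertext]
    return bytes(blocks) if all(b < 256 for b in blocks) else None


def sign(message: bytes, own_priv: PrivateKey) -> int:
    """Sign the SHA-256 digest (reduced mod n) with the sender's OWN private key."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % own_priv.n
    return pow(h, own_priv.d, own_priv.n)


def verify(message: bytes, signature: int, sender_pub: PublicKey) -> bool:
    """Verify with the SENDER's public key."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % sender_pub.n
    return pow(signature, sender_pub.e, sender_pub.n) == h


class Party:
    """One user: own key pair plus a keyring of other people's PUBLIC keys.
    The private key never leaves the object, as with a GnuPG secret keyring."""

    def __init__(self, name: str, p: int, q: int):
        self.name = name
        self.public, self._private = make_keypair(p, q)
        self.keyring: dict[str, PublicKey] = {}

    def import_public_key(self, other: Party) -> None:
        self.keyring[other.name] = other.public

    def visible_keys(self) -> set[str]:
        """Worksheet Q1/Q2: own public and private key, others' public keys only."""
        return {f"{self.name}:public", f"{self.name}:private"} | {f"{w}:public" for w in self.keyring}

    def send(self, to: str, message: bytes) -> tuple[list[int], int]:
        """Worksheet Q3/Q5: encrypt with the recipient's public key, sign with own private key."""
        return encrypt(message, self.keyring[to]), sign(message, self._private)

    def receive(self, sender: str, ciphertext: list[int], signature: int) -> bytes | None:
        """Worksheet Q4/Q6: decrypt with own private key, verify with the sender's public key."""
        message = decrypt(ciphertext, self._private)
        if message is None or not verify(message, signature, self.keyring[sender]):
            return None
        return message


def run_lab() -> dict:
    """The worksheet scenario. Primes are constructed; Eve is an added eavesdropper."""
    nancy = Party("nancy", 999983, 1000003)
    matthew = Party("matthew", 1299709, 104729)
    eve = Party("eve", 15485863, 7919)
    nancy.import_public_key(matthew)
    matthew.import_public_key(nancy)
    eve.import_public_key(nancy)            # anyone may hold Nancy's PUBLIC key
    ct, sig = nancy.send("matthew", b"meet at noon")
    return {
        "nancy_sees": nancy.visible_keys(),
        "matthew_sees": matthew.visible_keys(),
        "matthew_reads": matthew.receive("nancy", ct, sig),
        "eve_reads": eve.receive("nancy", ct, sig),           # wrong private key
        "tampered": matthew.receive("nancy", encrypt(b"meet at dusk", matthew.public), sig),
        "nancy_reads": nancy.receive("matthew", *matthew.send("nancy", b"confirmed")),
    }


if __name__ == "__main__":
    for k, v in run_lab().items():
        print(f"{k}: {v}")
```

Running it shows the answers to the six questions as behaviour rather than as a rule to memorise: Nancy's keyring never contains `matthew:private`, Eve holds Nancy's public key yet cannot read a message encrypted for Matthew, and a ciphertext swapped for a different message fails Matthew's signature check even though it decrypts cleanly.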
