© fandijki/ShutterStock, Inc.
Contents
PART I The Need for Access Control Systems and Identity Management
CHAPTER 1 Access Control Framework
Principal Components of Access Control
Logical Access Controls for Subjects
Logical Access Controls for Objects
CHAPTER 2 Business Drivers for Access Controls
Business Requirements for Asset Protection
Personally Identifiable Information (PII)
Competitive Use of Information
The Business Drivers for Access Control
Controlling Access and Protecting Value
Importance of Internal Access Controls
Importance of External Access Controls
Case Study in Access Control Success
Case Study in Access Control Failure
CHAPTER 3 Human Nature and Organizational Behavior
Pre-Employment Background Checks for Sensitive Positions
Ongoing Observation of Personnel
Organizational Structure and Access Control Strategy
Job Rotation and Position Sensitivity
Requirement for Periodic Vacation
Responsibilities of Access Owners
What Is Right and What Is Wrong
Best Practices for Handling Human Nature and Organizational Behavior
Make Security Practices Common Knowledge
Foster a Culture of Open Discussion
Encourage Creative Risk-Taking
Critical Infrastructure Case Study
CHAPTER 4 Assessing Risk and Its Impact on Access Control
Access Control Vulnerabilities
Value, Situation, and Liability
Potential Liability and Nonfinancial Impact
Where Are Access Controls Needed Most?
How Secure Must the Access Control Be?
Critical Infrastructure Case Study
PART II Implementing Access Control Systems
CHAPTER 5 Access Control in the Enterprise
Access Control Lists (ACLs) and Access Control Entries (ACEs)
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Attribute-Based Access Control (ABAC)
Rule-Based Access Control (RuBAC)
Risk-Adaptive Access Control (RAdAC)
How Does Kerberos Authentication Work?
Use of Symmetric Key and Trusted Third Parties for Authentication
Kerberos in a Business Environment
CEO/CIO/CSO Emergency Disconnect Prime Directive
Access Control to IEEE 802.11 WLANs
Configuring User and Role-Based User Access Control Profiles
Best Practices for Handling Access Controls in an Enterprise Organization
Critical Infrastructure Case Study
CHAPTER 6 Mapping Business Challenges to Access Control Types
Access Controls to Meet Business Needs
Business Continuity and Disaster Recovery
Vulnerabilities and Vulnerability Management
Solving Business Challenges with Access Control Strategies
Employees with Access to Systems and Data
Employees with Access to Sensitive Systems and Data
Access Control System Design Principles
Critical Infrastructure Case Study
CHAPTER 7 Access Control System Implementations
Transforming Access Control Policies and Standards into Procedures and Guidelines
Transform Policy Definitions into Implementation Tasks
Follow Standards Where Applicable
Create Simple and Easy-to-Follow Procedures
Define Guidelines That Departments and Business Units Can Follow
Identity Management and Access Control
User Behavior, Application, and Network Analysis
Size and Distribution of Staff and Assets
Multilayered Access Control Implementations
Access Controls for Employees, Remote Employees, Customers, and Business Partners
Remote Virtual Private Network (VPN) Access—Remote Employees and Workers
Intranets—Internal Business Operations and Communications
Extranets—External Supply Chains, Business Partners, Distributors, and Resellers
Secure E-Commerce Sites with Encryption
Secure Online Banking Access Control Implementations
Identification Imaging and Authorization
Federated Identities and Third Party Identity Services
Best Practices for Access Control Implementations
Critical Infrastructure Case Study
CHAPTER 8 Access Control for Information Systems
Access Control for File Systems
Discretionary Access Control List
Access Control for Executables
Microsoft Windows Workstations and Servers
Granting Windows Folder Permissions
Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems
Best Practices for Access Controls for Information Systems
Critical Infrastructure Case Study
CHAPTER 9 Physical Security and Access Control
Designing a Comprehensive Plan
Physical Obstacles and Barriers
Granting Access to Physical Areas Within a Building
Biometric Access Control Systems
Technology-Related Access Control Solutions
Electronic Key Management System (EKMS)
Outsourcing Physical Security—Pros and Cons
Benefits of Outsourcing Physical Security
Risks Associated with Outsourcing Physical Security
Best Practices for Physical Access Controls
Private Sector Case Study and Example
Critical Infrastructure Case Study
CHAPTER 10 Access Control Solutions for Remote Workers
Remote Access Methods and Techniques
Access Protocols to Minimize Risk
Authentication, Authorization, and Accounting (AAA)
Remote Authentication Dial in User Service (RADIUS)
Differences Between RADIUS and TACACS+
Remote Authentication Protocols
Network Authentication Protocols
Virtual Private Networks (VPNs)
Knowledge-Based Authentication (KBA)
Best Practices for Remote Access Controls to Support Remote Workers
Critical Infrastructure Case Study
PART III Managing and Testing Access Control Systems
CHAPTER 11 Public Key Infrastructure and Encryption
Public Key Infrastructure (PKI)
Business Requirements for Cryptography
Digital Certificates and Key Management
Symmetric Versus Asymmetric Algorithms
Ensuring Integrity, Confidentiality, Authentication, and Nonrepudiation
What PKI Is and What It Is Not
What Are the Potential Risks Associated with PKI?
Implementations of Business Cryptography
In-House Key Management Versus Outsourced Key Management
Certificate Authorities (CAs) and Digital Certificate Management
Why Outsourcing a CA May Be Advantageous
Risks and Issues with Outsourcing a CA
Best Practices for PKI Use Within Large Enterprises and Organizations
Critical Infrastructure Example
CHAPTER 12 Testing Access Control Systems
Purpose of Testing Access Control Systems
Software Development Life Cycle and the Need for Testing Software
Security Development Life Cycle and the Need for Testing Security Systems
Security Monitoring, Incident Handling, and Testing
Requirement Definition—Testing the Functionality of the Original Design
Development of Test Plan and Scope
Selection of Penetration Testing Teams
Performing the Access Control System Penetration Test
Assess if Access Control System Policies and Standards Are Followed
Assess if the Security Baseline Definition Is Being Achieved Throughout
Assess if Security Countermeasures and Access Control Systems Are Implemented Properly
Preparing the Final Test Report
Identify Gaps and Risk Exposures and Assess Impact
Develop Remediation Plans for Closing Identified Security Gaps Prioritized by Risk Exposure
Prepare Cost Magnitude Estimate and Prioritize Security Solutions Based on Risk Exposure
CHAPTER 13 Access Control Assurance
What Is Information Assurance?
How Can Information Assurance Be Applied to Access Control Systems?
Access Controls Enforce Confidentiality
Access Controls Enforce Integrity
Access Controls Enforce Availability
Training and Information Assurance Awareness
What Are the Goals of Access Control System Monitoring and Reporting?
What Checks and Balances Can Be Implemented?
Track and Monitor Event-Type Audit Logs
Track and Monitor User-Type Audit Logs
Track and Monitor Unauthorized Access Attempts Audit Logs
Audit Trail and Audit Log Management and Parsing
Audit Trail and Audit Log Reporting Issues and Concerns
Security Information and Event Management (SIEM)
Best Practices for Performing Ongoing Access Control System Assurance
Critical Infrastructure Case Study
CHAPTER 14 Access Control Laws, Policies, and Standards
U.S. Compliance Laws and Regulations
Health Insurance Portability and Accountability Act (HIPAA)
Family Educational Rights and Privacy Act (FERPA)
Communications Assistance for Law Enforcement Act (CALEA)
Children’s Internet Protection Act (CIPA)
Food and Drug Administration (FDA) Regulations
North American Electric Reliability Council (NERC)
Homeland Security Presidential Directive 12 (HSPD 12)
Americans with Disabilities Act (ADA)
Access Control Security Policy Best Practices
Private Sector—Enterprise Organizations
Public Sector—Federal, State, County, and City Government
Critical Infrastructure, Including Utilities and Transportation
Which Policies Are Needed for Access Controls?
What Standards Are Needed to Support These Policies?
Which Procedures Are Needed to Implement These Policies?
What Guidelines Are Needed for Departments and End Users?
Critical Infrastructure Case Study
CHAPTER 15 Security Breaches and the Law
Laws to Deter Information Theft
Cost of Inadequate Front-Door and First-Layer Access Controls
Implications of Security Breaches