Value, Situation, and Liability

Once you have assessed the potential risks to a system, the next step is to design an appropriate access control system to mitigate those risks. In the following sections, you will first consider the financial aspect of risk. This is where you get the clearest picture of the worst-case scenario, the crisis you are working to avert. You’ll then evaluate where access controls are most needed, and how secure those controls must be in order to protect the assets at risk.

Potential Liability and Nonfinancial Impact

You read about determining the financial impact of a security breach earlier in the chapter. However, security breaches are not only a financial risk. Depending on the information being protected, a security breach could also result in criminal prosecution. Governmental regulations of the healthcare and banking industries, for example, carry heavy criminal penalties as well as fines for companies that fail to prevent a security breach. If you are responsible for securing systems in a regulated industry, the financial impact of a loss is likely less of a concern than the nonfinancial consequences, such as prison time.

Where Are Access Controls Needed Most?

You cannot secure everything, so you must prioritize. At the same time, many resources can be grouped to share a single access control. For example, a single point of access control at the entry point of the network may be sufficient to protect all the assets on the network. Unless there is an asset of special importance stored on the network, it is unnecessary to place separate access controls on each asset.

A network diagram, such as the one shown in FIGURE 4-2, is a helpful tool in determining where to place access controls on a network. In Figure 4-2, each of the elements shown is an access control point. The workstations and servers all may have access controls limiting who may log on. The firewall has access controls limiting the traffic that may enter and leave the network. The switch may control which ports are able to view traffic. Finally, the printer may be restricted so that only certain users may access it.

FIGURE 4-2 Network diagram.

How Secure Must the Access Control Be?

Once you know where the access controls should be placed within the system, the next step is to determine how secure they must be. Again, you should weigh the value of the assets and their relative risk level against the cost and inconvenience of the access control. A high-priority asset with a risk level of “high” justifies a more sophisticated (and probably more expensive and inconvenient) level of access control than a low-priority asset.

In many cases, a simple username and password system is sufficient to protect the assets in question. For more critical assets, two or more layers of access control provide additional protection. For example, the U.S. government uses a multilayered approach to securing classified information. Classified documents may only be opened and discussed within areas defined as Sensitive Compartmented Information Facilities, or SCIFs. These areas have physical and informational security measures around the perimeter, including armed guards and smart card ID scanners. Once inside the SCIF, a user must provide a fingerprint or retinal scan, as well as a username and password to access the computers and files stored within the SCIF.

You may not ever deal with classified documents, but you should be able to design a multilayered access control system for sensitive information such as health records or banking information. In the private sector, the most common multilayered access control systems use a token or challenge-response device coupled with a username and password.
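
The token-plus-password pairing described above can be sketched as follows. This is an added example, not code from the book: the class and function names, the PBKDF2 work factor, and the HMAC-based challenge-response scheme are assumptions chosen for illustration. Access is granted only when both layers pass, and each challenge is valid for a single attempt.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def token_response(token_key: bytes, challenge: bytes) -> str:
    """What the user's token device computes from the server's challenge."""
    return hmac.new(token_key, challenge, hashlib.sha256).hexdigest()


class TwoLayerLogin:
    """Hypothetical login service: password layer plus challenge-response token."""

    def __init__(self):
        self.users = {}    # username -> (salt, password hash, token key)
        self.pending = {}  # username -> outstanding one-time challenge

    def enroll(self, username: str, password: str) -> bytes:
        salt = secrets.token_bytes(16)
        token_key = secrets.token_bytes(32)
        self.users[username] = (salt, hash_password(password, salt), token_key)
        return token_key  # provisioned into the user's token device

    def issue_challenge(self, username: str) -> bytes:
        # Issued for any username so the reply does not reveal which accounts exist.
        challenge = secrets.token_bytes(16)
        self.pending[username] = challenge
        return challenge

    def login(self, username: str, password: str, response: str) -> bool:
        # pop() makes each challenge single-use, so a captured response
        # cannot be replayed on a later attempt.
        challenge = self.pending.pop(username, None)
        record = self.users.get(username)
        if challenge is None or record is None:
            return False
        salt, stored_hash, token_key = record
        # Constant-time comparisons; both layers are always evaluated.
        password_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
        expected = token_response(token_key, challenge).encode()
        token_ok = hmac.compare_digest(expected, response.encode())
        return password_ok and token_ok
```
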
