There are various approaches an organization can take when implementing access controls. You should consider each approach when creating procedures. Two of these approaches are the phased approach and prioritization.

A phased approach starts at the beginning and works through to the end, but only on one section of a project at a time. For example, a systems administrator performs an assessment of the infrastructure, determines the goals, and sets the procedures based on the goals. He or she must then implement the procedure. After all systems have been configured, they must be tested and the results evaluated. Let’s say a user named Kevin breached the security of a network folder. A systems administrator may review all the steps that led up to the breach. Was Kevin correctly granted access to the network? Was Kevin correctly allowed access to a particular folder? Did the access controls on the folder function properly or was there a failure? If there was a failure, why did it occur? Are changes to the access control system required?

A prioritization approach means the administrator deals with procedures and network changes on a case-by-case basis. If an attack has occurred on the network, the administrator may make appropriate changes to adjust for that immediate weakness in the system. For example, if a user breaches network security and accesses a folder without authorization, a prioritization approach would require a systems administrator to resolve the access control failure. Very little testing may be done after the remediation occurs. Prioritization may be used when an organization feels that ranking the tasks from most important to least important will provide an efficient system for resolving the tasks.

Once you decide which approach to take, you can begin turning policy statements into implementation tasks and procedures. Various questions that need to be addressed are:

• What is the mission of the implementation? What is the organization trying to achieve? In this case, you are taking a plan of action and putting the controls around it to ensure the policy is implemented.
• What are the factors needed to ensure the policy is met? An organization must consider multiple factors when implementing a policy. Some examples of factors are access controls, secure communications to networks outside of the corporate network, and authentication measures.
• Which tools will you need to address the access controls, secure communications, and authentication? What standards will be followed? Which access control models, such as discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC), will be used? What secure protocols, such as Secure Shell (SSH) or Transport Layer Security (TLS), will be implemented? What authentication methods, such as user ID and password or multifactor authentication, will be implemented?
• How will the methods be implemented? Will they be put in place all at once or in a phased approach? Which risks are associated with the timing of the implementation?
• How will these access, secure communications, and authentication measures be tested? How often will they be tested? What will the organization do with the results?
• How often will the policies be reviewed? How will you document the policies and implementation tasks?

Transforming policies into implementation procedures ensures that all business units are aware of the policies and security needs of the organization. The implementation procedures formalize the structure and policies of the corporation and allow the organizations within the company to be measured against them. These implementation tasks help ensure a safer organization by having a common mission and implementation method that all employees will follow.

IEEE was created in 1963. This not-for-profit professional organization has created over 1,100 information technology standards. Some of these standards include IEEE 802.1X, which addresses authentication for Layer 2 (bridges and switches) devices when communicating on a network. The standard 802.1AC defines Media Access Control (MAC), and 802.1AE discusses MAC security. The IEEE Standards Association (IEEE-SA) is the standards contributor to IEEE. The IEEE-SA promotes “the engineering process by creating, developing, integrating, sharing, and applying knowledge about electro- and information technologies and sciences.”

NIST was founded in 1901 as a nonregulatory federal agency under the U.S. Department of Commerce. NIST’s mission is “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.” When it comes to information technology, NIST was given direction by the Computer Security Act of 1987, the Cyber Security Research and Development Act of 2002, and the Federal Information Security Management Act (FISMA) of 2002. Under these three acts is the development of cryptographic standards and procedures, guidelines, and best practices for federal IT security. This IT security includes Federal Information Processing Standards (FIPS) and NIST Special Publications.

The Federal Information Security Modernization Act (FISMA) sets forth security requirements for all federal government agencies. It requires each federal agency to “develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided and managed by another agency, contractor, or another source.” NIST sets the FISMA standards for federal IT systems.

According to FISMA, an information security policy should consist of:

• Periodic risk assessments
• Policies and procedures based on the risk assessments
• Subordinate plans for providing adequate information security
• Security awareness training
• Periodic testing and evaluation of the effectiveness of information security policies
• Process for planning, implementing, evaluating, and documenting remedial actions
• Procedure for detecting, reporting, and responding to security incidents
• Plans and procedures to ensure continuity of operations

As previously discussed, you must understand risk to appropriately identify or create security policies for your organization. You should use your knowledge of that risk to implement a framework of controls. FISMA has built a risk management framework that you can apply to new and current systems to manage your risk:

• Step 1: Categorize the information system.
• Step 2: Select a baseline of security controls.
• Step 3: Implement the security controls and document how the controls are deployed.
• Step 4: Assess the security controls.
• Step 5: Authorize information system operations based on a determination of risk.
• Step 6: Monitor and assess selected security controls.

ISO is the largest developer and publisher of international standards. ISO is not associated with any government entity but works with the public and private sectors. Approximately 18,000 standards have been established through ISO, including:

• ISO 9001, “Quality Management Systems”
• ISO 31000, “Risk Management—Principles and Guidelines”
• ISO/IEC 27001, “Information Technology—Security Techniques—Information Security Management System Implementation Guidance”
• ISO/IEC 27006, “Information Technology—Security Techniques—Requirements for Bodies Providing Auditing and Certification of Information Security Management Systems”

ISO develops standards based on recommendations from industries and those that may be affected by the standard. The recommendation is passed on to an ISO member and the technical committee that would create the standard. If the technical committee feels that the standard is needed and is a global requirement, the committee discusses the relevance and will work together to develop the standard.

In 2008, IEEE and ISO joined forces to create the Partner Standards Development Organization (PSDO). This organization combines the resources from both governing bodies to “focus on the subjects of information technology, intelligent transport systems, and health informatics.”

The Internet Engineering Task Force (IETF) was formed in 1986. IETF is an international organization that focuses on the Internet and Internet protocols. This includes the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, which includes the Application Layer, Transport Layer, Internet Layer, and Data Link Layer (described in RFC 1122). The IETF develops Requests for Comments (RFCs). An RFC addresses the methods and behaviors of Internet systems including routers, switches, and computer systems. Each RFC has its own set of numbers assigned to it. These numbers are never changed. If an RFC needs to be rewritten or have additions, a revised document is written and released. RFCs can be superseded by other RFCs, making the original or previous RFC obsolete. Examples of some RFCs are:

• RFC 1457, which addresses the security-level framework for the Internet
• RFC 1938, which addresses one-time password messages
• RFC 2716, which touches on Transport Layer (Layer 3) security
• RFC 4301, which focuses on the security architecture for Internet Protocol (IP)

The PCI Security Standards Council (PCI SSC) was developed in 2006 for developing, managing, educating, and providing awareness for the payment card industry (PCI) security standards. These standards include the Data Security Standard (DSS), payment application data security standard, and PIN-entry device requirements. The companies that founded the PCI Security Standards Council are American Express, MasterCard, Visa, Discover, and JCB International.

Payment Card Industry Data Security Standard (PCI DSS) is a security standard for security management, policies and procedures, network architecture, software design, and other protective measures. This standard helps organizations protect customer payment card account data. PCI DSS specifies six primary requirements that merchants need to meet to process credit and debit card transactions:

• Building and maintaining a secure network
• Protecting cardholder data
• Maintaining a vulnerability management program
• Implementing strong access control measures
• Regularly monitoring and testing networks
• Maintaining an information security policy

The PCI DSS is updated every 3 years, using a defined life cycle approach that seeks input from merchants, service providers, banks, and other industry stakeholders. The current version of PCI DSS at the time this book went to press was version 3.2.1, published in May 2018. The PCI SSC frequently publishes updates to the standard, so be sure to check their website at http://pcisecuritystandards.org for the most recent version.

The Center for Internet Security (CIS) in a nonprofit independent community of professionals that provides best practice standards for the secure configuration of network devices such as Apple iPhone, Check Point Firewall software, and Cisco devices, just to name a few. The professionals associated with CIS establish:

• Benchmarks detailing best practice security configurations for IT systems
• Benchmark audit tools that enable IT and security professionals to assess their IT systems for compliance with benchmark and security best practices
• Metrics that can be used across organizations to collect and analyze data on security processes and performance outcomes

CIS promotes consensus-based standards that organizations can use and implement to increase the security, privacy, and integrity of the business and other functions and transactions that occur on the Internet.