CHAPTER 14 Access Control Laws, Policies, and Standards
by Mike Chapple
Access Control and Identity Management, 3rd Edition
- Cover
- Title Page
- Copyright Page
- Contents
- Preface
- Acknowledgments
- About the Author
- Dedication
- CHAPTER 1 Access Control Framework
- CHAPTER 2 Business Drivers for Access Controls
- CHAPTER 3 Human Nature and Organizational Behavior
- The Human Element
- Organizational Structure and Access Control Strategy
- Job Rotation and Position Sensitivity
- Requirement for Periodic Vacation
- Separation of Duties
- Responsibilities of Access Owners
- Training Employees
- Ethics
- Best Practices for Handling Human Nature and Organizational Behavior
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- CHAPTER 4 Assessing Risk and Its Impact on Access Control
- CHAPTER 5 Access Control in the Enterprise
- Access Control Lists (ACLs) and Access Control Entries (ACEs)
- Access Control Models
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Rule-Based Access Control (RuBAC)
- Risk-Adaptive Access Control (RAdAC)
- Authentication Factors
- Types of Factors
- Factor Usage Criteria
- How Does Kerberos Authentication Work?
- Use of Symmetric Key and Trusted Third Parties for Authentication
- Key Distribution Center (KDC)
- Authentication Tickets
- Potential Weaknesses
- Kerberos in a Business Environment
- Network Access Control
- Wireless IEEE 802.11 LANs
- Single Sign-On (SSO)
- Best Practices for Handling Access Controls in an Enterprise Organization
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 5 ASSESSMENT
- CHAPTER 6 Mapping Business Challenges to Access Control Types
- CHAPTER 7 Access Control System Implementations
- Transforming Access Control Policies and Standards into Procedures and Guidelines
- Identity Management and Access Control
- Size and Distribution of Staff and Assets
- Multilayered Access Control Implementations
- Access Controls for Employees, Remote Employees, Customers, and Business Partners
- Remote Virtual Private Network (VPN) Access—Remote Employees and Workers
- Intranets—Internal Business Operations and Communications
- Extranets—External Supply Chains, Business Partners, Distributors, and Resellers
- Secure E-Commerce Sites with Encryption
- Secure Online Banking Access Control Implementations
- Logon/Password Access
- Identification Imaging and Authorization
- Federated Identities and Third Party Identity Services
- Best Practices for Access Control Implementations
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- CHAPTER 8 Access Control for Information Systems
- Access Control for Data
- Access Control for File Systems
- Access Control for Executables
- Microsoft Windows Workstations and Servers
- Linux
- Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems
- Best Practices for Access Controls for Information Systems
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- CHAPTER 9 Physical Security and Access Control
- Physical Security
- Designing a Comprehensive Plan
- Biometric Access Control Systems
- Technology-Related Access Control Solutions
- Outsourcing Physical Security—Pros and Cons
- Best Practices for Physical Access Controls
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT
- CHAPTER 10 Access Control Solutions for Remote Workers
- Growth in Mobile Work Force
- Remote Access Methods and Techniques
- Access Protocols to Minimize Risk
- Remote Authentication Protocols
- Network Authentication Protocols
- Virtual Private Networks (VPNs)
- Web Authentication
- Best Practices for Remote Access Controls to Support Remote Workers
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- CHAPTER 11 Public Key Infrastructure and Encryption
- Public Key Infrastructure (PKI)
- Ensuring Integrity, Confidentiality, Authentication, and Nonrepudiation
- What PKI Is and What It Is Not
- What Are the Potential Risks Associated with PKI?
- Implementations of Business Cryptography
- Certificate Authorities (CAs) and Digital Certificate Management
- Best Practices for PKI Use Within Large Enterprises and Organizations
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- CHAPTER 12 Testing Access Control Systems
- Purpose of Testing Access Control Systems
- Software Development Life Cycle and the Need for Testing Software
- Security Development Life Cycle and the Need for Testing Security Systems
- Security Monitoring, Incident Handling, and Testing
- Performing the Access Control System Penetration Test
- Preparing the Final Test Report
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- CHAPTER 13 Access Control Assurance
- What Is Information Assurance?
- How Can Information Assurance Be Applied to Access Control Systems?
- What Are the Goals of Access Control System Monitoring and Reporting?
- What Checks and Balances Can Be Implemented?
- Audit Trail and Audit Log Management and Parsing
- Audit Trail and Audit Log Reporting Issues and Concerns
- Security Information and Event Management (SIEM)
- Best Practices for Performing Ongoing Access Control System Assurance
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT
- CHAPTER 14 Access Control Laws, Policies, and Standards
- U.S. Compliance Laws and Regulations
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX) Act
- Family Educational Rights and Privacy Act (FERPA)
- Communications Assistance for Law Enforcement Act (CALEA)
- Children’s Internet Protection Act (CIPA)
- Food and Drug Administration (FDA) Regulations
- North American Electric Reliability Council (NERC)
- Homeland Security Presidential Directive 12 (HSPD 12)
- Americans with Disabilities Act (ADA)
- Access Control Security Policy Best Practices
- IT Security Policy Framework
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- ENDNOTE
- U.S. Compliance Laws and Regulations
- CHAPTER 15 Security Breaches and the Law
- Appendix A Answer Key
- Appendix B Standard Acronyms
- Glossary of Key Terms
- References
- Index
© fandijki/ShutterStock, Inc.
CHAPTER |
Access Control Laws, Policies, and Standards |
WHILE MANY ORGANIZATIONS adopt access controls to achieve business objectives, these mechanisms are also adopted for many other reasons. This chapter examines the laws and regulations governing information security and the ways that complying with these regulations drives the use of access controls. This chapter also discusses how organizations use policies, standards, procedures, and guidelines to achieve control objectives.
You will read in this chapter what happens when access controls fail. Security breaches can have serious implications ranging from loss of profitability to fines and prison time. The goal of this chapter is to highlight the important role access control plays in the larger scheme of business, governmental regulation, and the operation of critical infrastructures such as the electricity grid.
Chapter 14 Topics
This chapter covers the following topics and concepts:
- U.S. compliance laws and regulations concerning IT
- Access control security policy best practices
- Where access control fits into an overall IT security framework
- Examples of access control policies, standards, procedures, and guidelines
Chapter 14 Goals
When you complete this chapter, you will be able to:
- Explain the major U.S. compliance laws and how they affect IT
- Utilize best practices to create secure access control systems
- Understand how access control fits into an overall IT security framework
- Use examples and case studies to design your own access control policies, standards, procedures, and guidelines
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.