Overseeing Compliance of Security Operations ◾ 239
© 2011 by Taylor & Francis Group, LLC
There are many security constructs that do not fit exclusively within people, process, technology, or environment, and access control is one of those. People are assigned identity credentials to gain access to physical space and technology. Technology (e.g., a computer or specific application) may also be assigned an identity credential. The identity credential is authenticated to prove that the presenter of the credential is indeed who or what the credential claims them to be. Usually, privileges are coupled with identity; a privilege is the ability to do something. The claim of privilege is authorized prior to allowing the action. For example, a claim of privilege is to enter the front door of the corporate office. Corporate policy states the need to present an identity credential and authenticate that the identity belongs to the bearer of the credential. The implementation and enforcement of this policy is the identity card reader that also requires the entry of a personal identification number (PIN) known only to the employee; this is two-factor authentication via something the employee has (the identity card) and something the employee knows (the PIN). The privilege to enter the front door is inherent in being a current employee bearing a valid identity credential.
Privileges are associated with identity either individually (i.e., to that specific identity) or via a role also assigned to that identity. To continue the example above, entry into the lobby and past the security desk usually means you can enter the elevator and exit on your office floor. Additional presentation of an identity/privilege credential may be necessary to enter your office space. Subsequent presentation of a different identity/privilege credential may be necessary to log on to your computer. The identity/privilege credential may be the same one used to enter the building; entry into your office or logon to the computer just requires an additional presentation and reentry of a PIN. The authentication/authorization process then checks your ability to perform the action requested and denies/permits according to the privileges assigned to your identity.
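The two-stage sequence described above (authenticate the bearer of a credential with two factors, then authorize the requested action against the privileges attached to that identity, whether assigned directly or through a role) can be modelled in a few dozen lines. The following Python is an added example written for this page, not code from the book; the identities, card serials, PINs, role names and privilege names are constructed sample data, and the PIN is stored only as a salted PBKDF2 hash so the verifier never holds the secret in clear text.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Role -> privileges. Roles are one way privileges attach to an identity;
# direct_privileges on the Identity is the other (individual assignment).
ROLE_PRIVILEGES = {
    "employee": {"enter_lobby", "use_elevator"},
    "finance": {"enter_finance_floor", "logon_finance_workstation"},
}


@dataclass
class Identity:
    name: str
    card_serial: str                 # "something you have": the issued card
    pin_salt: bytes
    pin_hash: bytes                  # "something you know": PIN stored hashed
    active: bool = True              # current employee? (drives door privilege)
    roles: set = field(default_factory=set)
    direct_privileges: set = field(default_factory=set)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked directory does not reveal PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(name, card_serial, pin, roles=(), direct=()) -> Identity:
    salt = os.urandom(16)
    return Identity(name=name, card_serial=card_serial, pin_salt=salt,
                    pin_hash=hash_pin(pin, salt), roles=set(roles),
                    direct_privileges=set(direct))


# Constructed directory of issued credentials (card serial -> identity).
DIRECTORY = {}
for _ident in (
    enroll("alice", "CARD-0001", "2468", roles=("employee", "finance")),
    enroll("bob", "CARD-0002", "1357", roles=("employee",),
           direct=("enter_server_room",)),
    enroll("carol", "CARD-0003", "9999", roles=("employee",)),
):
    DIRECTORY[_ident.card_serial] = _ident
DIRECTORY["CARD-0003"].active = False   # left the company; card not collected


def authenticate(card_serial: str, pin: str):
    """Two-factor check: the card must be issued and the PIN must match.
    Returns the Identity on success, None otherwise."""
    ident = DIRECTORY.get(card_serial)
    if ident is None or not ident.active:
        return None
    candidate = hash_pin(pin, ident.pin_salt)
    if not hmac.compare_digest(candidate, ident.pin_hash):  # constant time
        return None
    return ident


def effective_privileges(ident: Identity) -> set:
    """Direct privileges plus everything inherited from the identity's roles."""
    privs = set(ident.direct_privileges)
    for role in ident.roles:
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def request_access(card_serial: str, pin: str, action: str):
    """Authenticate first, then authorize the claimed privilege.
    Returns (permitted, reason)."""
    ident = authenticate(card_serial, pin)
    if ident is None:
        # Same answer for unknown card, wrong PIN and inactive identity,
        # so the reader reveals nothing about which factor failed.
        return False, "authentication failed"
    if action in effective_privileges(ident):
        return True, f"{ident.name} may {action}"
    return False, f"{ident.name} lacks privilege {action}"


if __name__ == "__main__":
    for req in (("CARD-0001", "2468", "enter_lobby"),
                ("CARD-0001", "2468", "enter_server_room"),
                ("CARD-0002", "0000", "enter_lobby"),
                ("CARD-0003", "9999", "enter_lobby")):
        print(req, "->", request_access(*req))
```

Two design points carry over from the text: the lobby privilege is not granted to carol even though her card and PIN are valid, because the privilege is inherent in being a current employee (the `active` flag), and bob reaches the server room by an individually assigned privilege while alice reaches the finance floor through a role.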
Perhaps a completely separate identity/privilege credential is required to log on to the computer. For example, an identity card with an embedded radio frequency identification (RFID) chip may provide access into the building, but a smart card is necessary to log on to the computer. A smart card has integrated chips in the card and metal contacts to transmit data through a reader connected to or embedded in the PC. Use of a smart card may also require the entry of a PIN or presentation of a biometric (e.g., fingerprint) for multifactor authentication.
The use of multiple identity/privilege credentials and multifactor authentication depends entirely on the enterprise business need. If your business is a high-visibility target such as a government installation or a bank, your security practices warrant such strong safeguards. If yours is a small business of little international importance and of little attractiveness to criminal elements, then adjust the strength of safeguards accordingly. Organizations of any size must also consider the legislative mandates that govern how to protect the data they process. For example, a small medical billing company of little international import and low criminal