A. Answer Key
by Tricia Ballad, Bill Ballad, Erin Banks
Access Control, Authentication, and Public Key Infrastructure
- Copyright
- Preface
- Acknowledgments
- ONE. The Need for Access Control Systems
- 1. Access Control Framework
- 2. Assessing Risk and Its Impact on Access Control
- Definitions and Concepts
- Threats and Vulnerabilities
- Value, Situation, and Liability
- Case Studies and Examples
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 2 ASSESSMENT
- 3. Business Drivers for Access Controls
- Business Requirements for Asset Protection
- Classification of Information
- Competitive Use of Information
- Business Drivers
- Controlling Access and Protecting Value
- Examples of Access Control Successes and Failures in Business
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- ENDNOTES
- 4. Access Control Policies, Standards, Procedures, and Guidelines
- U.S. Compliance Laws and Regulations
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX) Act
- Family Educational Rights and Privacy Act (FERPA)
- Children's Internet Protection Act (CIPA)
- 21 CFR Part 11
- North American Electric Reliability Council (NERC)
- Homeland Security Presidential Directive 12 (HSPD 12)
- Access Control Security Policy Best Practices
- IT Security Policy Framework
- Examples of Access Control Policies, Standards Procedures, and Guidelines
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 4 ASSESSMENT
- ENDNOTE
- U.S. Compliance Laws and Regulations
- 5. Unauthorized Access and Security Breaches
- Deterring Information Theft
- Cost of Inadequate Front-Door and First-Layer Access Controls
- Access Control Failures
- Security Breaches
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 5 ASSESSMENT
- TWO. Mitigating Risk with Access Control Systems, Authentication, and PKI
- 6. Mapping Business Challenges to Access Control Types
- Mapping Business Challenges to Types of Control
- Solving Business Challenges with Access Control Strategies
- Case Studies and Examples of Access Control Systems That Uniquely Solve Business Challenges
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 6 ASSESSMENT
- 7. Human Nature and Organizational Behavior
- The Human Element
- Organizational Structure
- Job Rotation and Position Sensitivity
- Requirement for Periodic Vacation
- Separation of Duties
- Responsibilities of Access Owners
- Training Employees
- Ethics
- Best Practices for Handling Human Nature and Organizational Behavior
- Case Studies and Examples of Access Control Systems That Uniquely Solve Business Challenges
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- 8. Access Control for Information Systems
- Access Control for Data
- Access Control for File Systems
- Access Control for Executables
- Microsoft Windows Workstations and Servers
- UNIX and Linux
- Supervisory Control and Data Acquisition (SCADA) and Process Control Systems
- Best Practices for Access Controls for Information Systems
- Case Studies and Examples of Access Control Solutions That Uniquely Solve Business Challenges
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- 9. Physical Security and Access Control
- Physical Security
- Designing a Comprehensive Plan
- Biometric Access Control Systems
- Technology-Related Access Control Solutions
- Outsourcing Physical Security—Pros and Cons
- Best Practices for Physical Access Controls
- Case Studies and Examples of Physical Security and Access Control Systems That Uniquely Solve Business Challenges
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT
- 10. Access Control in the Enterprise
- Access Control Lists (ACLs) and Access Control Entries (ACEs)
- Access Control Models
- Authentication Factors
- Kerberos
- Network Access Control
- Wireless IEEE 802.11 LANs
- Single Sign-On (SSO)
- Best Practices for Handling Access Controls in an Enterprise Organization
- Case Studies and Examples of Enterprise Access Control Solutions That Uniquely Solve Business Challenges
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- ENDNOTES
- 6. Mapping Business Challenges to Access Control Types
- THREE. Implementing, Testing, and Managing Access Control Systems
- 11. Access Control System Implementations
- Transforming Access Control Policies and Standards into Procedures and Guidelines
- Identity Management and Access Control
- Size and Distribution of Staff and Assets
- Multilayered Access Control Implementations
- Access Controls for Employees, Remote Employees, Customers, and Business Partners
- Remote Virtual Private Network (VPN) Access—Remote Employees and Workers
- Intranets—Internal Business Operations and Communications
- Extranets—External Supply Chains, Business Partners, Distributors, and Resellers
- Secure E-commerce Portals with Minimum SSL 128-Bit Encryption Web Portals
- Secure Online Banking Access Control Implementations
- Encryption—Minimum SSL 128-Bit Encryption Web Portal
- Logon/Password Access
- Identification Imaging and Authorization
- Best Practices for Access Control Implementations
- Case Studies and Examples of Access Control Implementations That Uniquely Solve Business Challenges
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- ENDNOTES
- 12. Access Control Solutions for Remote Workers
- Growth in Mobile Work Force
- Remote Access Methods and Techniques
- Access Protocols to Minimize Risk
- Remote Authentication Protocols
- Virtual Private Networks (VPNs)
- Web Authentication
- Best Practices for Remote Access Controls to Support Remote Workers
- Case Studies and Examples of Remote Access Control Solutions That Uniquely Solve Business Challenges
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- 13. Public Key Infrastructure and Encryption
- Public Key Infrastructure (PKI)
- Ensuring Integrity, Confidentiality, Authentication, and Non-Repudiation
- What PKI Is and What It Is Not
- What Are the Potential Risks Associated with PKI?
- Implementations of Business Cryptography
- Certificate Authorities (CA)
- Best Practices for PKI Use Within Large Enterprises and Organizations
- Case Studies and Examples of PKI Use Within Large Organizations to Uniquely Solve Business Challenges
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT
- 14. Testing Access Control Systems
- Purpose of Testing Access Control Systems
- Software Development Life Cycle and the Need for Testing Software
- Security Development Life Cycle and the Need for Testing Security Systems
- Information Security Activities
- Requirements Definition—Testing the Functionality of the Original Design
- Development of Test Plan and Scope
- Selection of Penetration Testing Teams
- Performing the Access Control System Penetration Test
- Preparing the Final Test Report
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- 15. Access Control Assurance
- What Is Information Assurance?
- How Can Information Assurance Be Applied to Access Control Systems?
- What Are the Goals of Access Control System Monitoring and Reporting?
- What Checks and Balances Can Be Implemented?
- Audit Trail and Audit Log Management and Parsing
- Audit Trail and Audit Log Reporting Issues and Concerns
- Security Information and Event Management (SIEM)
- Best Practices for Performing Ongoing Access Control System Assurance
- Case Studies and Examples of Access Control System Assurance Strategies to Solve Business Challenges
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 15 ASSESSMENT
- ENDNOTES
- 11. Access Control System Implementations
- A. Answer Key
- B. Standard Acronyms
- Glossary of Key Terms
- References
CHAPTER 1 Access Control Framework
Policies
B
C
A
Unknown
B
D
C
B
D
A
Administrative
B
Behavioral
CHAPTER 2 Assessing Risk and Its Impact on Access Control
Probability of occurrence
A
Quantitative
B
B
A
A, B, and C
B
B
A
A
B
B
$150,000
ARO = 2
$25,000
CHAPTER 3 Business Drivers for Access Controls
A
Confidential
A
A
A
B
A
Confidentiality agreement
A
A
Confidentiality agreement
A
CHAPTER 4 Access Control Policies, Standards, Procedures, and Guidelines
A
C
B
A
A
Administrative
Publicly traded
A
B
Discretionary
Guidelines
CHAPTER 5 Unauthorized Access and Security Breaches
B
Computer Fraud and Abuse Act
A
B
A
E
A and C
A, B, D, and E
A
A
Vandalism
A
CHAPTER 6 Mapping Business Challenges to Access Control Types
A
Risk avoidance
Risk acceptance
Risk transference
Risk mitigation
Integrity
A
Sensitive
A
C
B
B
B
View full record
CHAPTER 7 Human Nature and Organizational Behavior
Status and wealth
A
A, B, C, and D
C
A
B
Disgruntled
E
A
A and C
Two-person control
A
B
A
CHAPTER 8 Access Control for Information Systems
A
B
ACL
System-audit
Binary large objects, or BLOBs
C
A
A
B
UNIX and Linux
B
Destroy
A and C
CHAPTER 9 Physical Security and Access Control
B
C
B
B and D
D
A
Dark
D
Physiological, behavioral
B
The point at which Type I and Type II errors are equal
D
A
D
B
CHAPTER 10 Access Control in the Enterprise
D
Mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), attribute-based access control (ABAC)
B and C
B
B, C, and E
A
A and C
B
C
A
A
C
CHAPTER 11 Access Control System Implementations
B
ISO
B
B and C
B, C, and E
D
Federal Financial Institutions Examinations Council (FFEIC)
128
C
NIST
CHAPTER 12 Access Control Systems for Remote Workers
B
Authentication, Authorization, and Accounting
B
B, C, and E
A
C
A, C, and D
Hash
A
D
Two-way
Three-way
C
B
CHAPTER 13 Public Key Infrastructure and Encryption
B
D
B and C
A and D
B
A, B, and C
1,024 bits
C
C
B and E
CHAPTER 14 Testing Access Control Systems
A
D
B and C
Nonintrusive
Intrusive
C
A
E
A
A
B
C
C
A, C, and D
CHAPTER 15 Access Control Assurance
Confidentiality, integrity, availability
C
A, C, and D
B
A
Blacklist
Whitelist
A
C
B
B
B
C
-
No Comment