Best practices cover the policies, standards, procedures, and guidelines for a given topic. This section covers best practices for access controls, which can help your organization implement a strong access control environment.
Access control security policies are generally different for enterprise-level organizations than they are for smaller organizations. An enterprise organization may have employees across a wide geographic area, even in multiple countries. These organizations often have a complex organizational structure with several fairly autonomous divisions, each with their own critical assets and access control policies.
Security policies for enterprise organizations must take this complexity into account and balance the business needs of each division with the access control and security needs of the organization as a whole. In this section, you will learn more about how large enterprises manage access control.
An authorization policy is a high-level document that defines how an organization will assign and enforce access control rights. It is important to write a formal authorization policy rather than simply implement random access controls. A written policy defines a high-level strategy for access control security and identifies the organization’s security goals and compliance obligations.
An authorization policy should also take into account the fact that access controls do not exist in a vacuum. Access controls for systems are dependent on physical access controls, and application security is interrelated with systems and data security. An authorization policy defines these relationships and ensures that steps taken to secure one element of an organization’s infrastructure will promote the security of all of the other elements as well.
Securing the data center or other facility that stores sensitive resources is a vitally important part of an access control plan. You can encrypt and protect a database server that holds customer records with a multistage authentication system, but what happens if someone physically steals it? The data is unavailable to those with legitimate access.
An authorization policy for facilities should dictate the following points:
The authorization policy should also anticipate and account for employees who may find the entry system inconvenient and disable it by propping doors open. To compensate, the policy may specify repercussions for employees who undermine the locking mechanisms or simply call for automatically closing and locking doors.
Once you dictate how to secure the data center or other facility, you should secure the systems within that data center as well. This is doubly important for systems that are not stored in a dedicated facility with strong physical security.
A good authorization policy includes goals for securing systems. Some points to include are:
Applications are one of the most common sources of vulnerability in any system. They are often designed with functionality in mind, not security. This can lead to security testing as an afterthought. Because you cannot control the practices of various software vendors, your access control policy should include as many precautions as possible on the systems end to safeguard the environment for which you are responsible.
Key elements to include in the policy are:
You should detail the actual methods for testing and securing third-party applications in a lower-level document. Keep the policy document generic so that it can remain in effect for many years. If the policy dictates specific testing procedures, you would have to update it as technology evolves.
Data access is the core of any authorization policy. Access control for facilities, systems, and applications exists to protect the data stored in those facilities and systems, and the applications used to access and process those data. An authorization policy for data should include these points:
Providing remote access capabilities can greatly increase employees’ productivity by allowing them to do their jobs wherever they need to be, from a hotel room to a job site. However, with increased levels of access come new access control challenges. When every person who connects to the internal network does so from a workstation on that network, you don’t have to worry about communications being hijacked. When employees gain remote access, they can use any Internet connection to access the internal network via a virtual private network (VPN). Because you have no control over those Internet access points, you should always assume the worst—that they are being actively monitored by hackers.
Including the following points in an authorization policy will provide direction for implementing specific controls to secure remote access:
In the public sector, the use of best practices is often required. In the case of access control, best practices are essential to an organization’s information technology infrastructure. In the public sector, you are required by regulation to create access controls that prevent unauthorized access to, and disclosure of, both logical and physical assets. Establishing documented policies, procedures, and safeguards to address the regulations is also often mandatory. Best practices can help meet these regulatory requirements, and groups like NIST often provide organizations in the public sector with a road map to compliance.
The Federal Information Security Management Act (FISMA) of 2002 sets forth specific requirements for implementing best practices in federal government agencies. In the public sector, best practices are more than simply recommended guidelines or strategies for successful access control. These legally mandated practices include:
Design policies and procedures to lower risks to an acceptable level and ensure that information security is addressed throughout the life cycle of applications and systems.
Test policies and procedures annually, at a minimum. The frequency with which you perform tests within a 12-month period depends on the risk involved.
The best practices required by governmental regulations are similar in practice and intent to those used in the private sector.
Modern society depends on complex systems to work. These systems are known as critical infrastructure. Critical infrastructure provides essential services necessary for modern life. This includes water supply; roads, rail, and other transportation networks; sewers; the energy grid; emergency services; communications networks; governmental and military facilities; and more. Best practices for how to handle failure in this infrastructure are critical.
Critical infrastructure assets can fall under the public or private sector. The water supply system is clearly within the public sector domain, while most communications networks are owned by companies in the private sector. Transportation systems often fall under both public and private sectors. Consider Amtrak, for example. It is a private company but it is heavily subsidized by the government. When implementing best practices for critical infrastructure, choose the best practices that apply based on the infrastructure in question.
There are some special considerations to keep in mind when you deal with critical infrastructure, especially with the devices and systems that control elements of that infrastructure. The next section deals with these special considerations in greater depth.
The Department of Defense Information Assurance Certification and Accreditation Process, or DIACAP, is designed to ensure that risk management is a fundamental concern for all information systems within the Department of Defense. It sets out best practices for evaluating the validity of information, ensuring that data have not been tampered with.
Supervisory control and data acquisition (SCADA) process control systems are at the heart of much of society’s critical infrastructure. SCADA systems monitor and control telecommunications, water and waste control, energy, and transportation, among other industries and utilities. SCADA devices use local area network (LAN), wide area network (WAN), and wireless communications infrastructures for monitoring and control purposes. These systems can be very complex. The systems are used for everything from monitoring the temperature in a room within an electrical substation to monitoring all of the activity in a waste management plant. Access controls to these devices are critical.
A SCADA system includes hardware, controllers, networks, user interfaces, software, and communications equipment, used together to monitor and manage utilities. SCADA systems have monitors both in close proximity to the control center and offsite.
SCADA systems have the ability to monitor and control utility systems in real time. Devices called remote terminal units (RTUs) relay readings from meters and sensors to the user interface at a central facility at regular intervals. The operator at the central facility is able to interact with the SCADA system to modify or override settings as necessary.
This interface, called a human machine interface (HMI), is where the operator views the data that are received and processed. The HMI is connected to a database that gathers information from the RTUs. Programmable logic controllers (PLCs) are also connected to this system. PLCs are designed to generate graphs on logistical information and trends. They also provide access to troubleshooting guides. These devices allow SCADA operators to efficiently monitor and manage the infrastructure.
SCADA systems are a point of risk for the utilities that use them. These systems were often designed with the assumption that they would not be connected to outside networks. They were also designed with misplaced faith in the practice of security through obscurity. The designers of SCADA systems also relied on logical security and did not consider physical security. This has resulted in a critical system that is inherently insecure.
The ISA Security Compliance Institute (ISCI) publishes industry standard guidelines that may be used to certify secure SCADA devices. Devices meeting the ISCI requirements may be awarded the ISASecure Certified Device designation. It is imperative that organizations understand the limitations of SCADA system security. You must physically secure devices and WANs. Strong access controls, such as the following, in both the physical and logical realm are necessary:
Following these practices will make SCADA systems more secure and lessen the risk of a security breach.
It is imperative to conduct a threat and vulnerability assessment of critical infrastructures. Some of the most difficult to address are threats and vulnerabilities that arise from the interdependencies and interoperability of the various systems. Understanding these interdependencies is essential to securing the most critical systems. Identifying single-point vulnerabilities is also essential to risk mitigation.
Critical infrastructures are threatened by more than just man-made threats. Natural events can also seriously threaten critical infrastructures. Any plan developed to protect these systems must account for all threats.
One of the first steps you must take when analyzing risk and developing a mitigation plan is to identify which assets are more critical. Determining which systems rely on each other is vital. If a water treatment plant is damaged, how will that affect other services? It is essential that you identify critical points that can cause multiple systems to fail.
Redundancy for these critical systems is also vital to risk mitigation. They must be completely separate systems. Two power lines running on the same path do not achieve redundancy. One event, whether it’s natural or unnatural, could take out both systems. To mitigate risk, infrastructure design must avoid single points of failure.
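The two questions raised above, which asset's failure cascades into the most services and whether two "redundant" paths really are separate, can be answered mechanically once the interdependencies are recorded as a directed graph. The following Python is an added illustration, not part of the original text or any real assessment tool; the inventory (substations, power feeds, a water treatment plant, a hospital and so on) is constructed for the example and every name in it is hypothetical.

```python
"""Dependency analysis for interdependent infrastructure assets.

Added illustration: models "which systems rely on each other" as a directed
graph and answers two risk-assessment questions: what fails if a given asset
fails (its blast radius), and whether two supposedly redundant supply paths
share an upstream component (a hidden single point of failure).
"""
from collections import defaultdict, deque

# Constructed sample inventory: service -> assets it directly depends on.
# Every name here is hypothetical; it does not describe a real facility.
DEPENDS_ON = {
    "substation_A": [],
    "substation_B": [],
    "power_feed_1": ["substation_A"],
    "power_feed_2": ["substation_B"],
    "power_feed_3": ["substation_A"],          # proposed "backup" feed
    "water_treatment": ["power_feed_1"],
    "telecom_hub": ["power_feed_1"],
    "hospital": ["water_treatment", "power_feed_1"],
    "emergency_dispatch": ["telecom_hub"],
    "sewer_pumping": ["water_treatment", "power_feed_2"],
}


def _closure(start, neighbours):
    """Breadth-first transitive closure of `start`, excluding start itself.

    The `seen` set makes this safe on graphs with cycles (mutual dependencies).
    """
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in neighbours.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def dependents_index(depends_on):
    """Invert the dependency map: asset -> services that directly depend on it."""
    index = defaultdict(list)
    for service, deps in depends_on.items():
        for dep in deps:
            index[dep].append(service)
    return index


def blast_radius(depends_on, asset):
    """All services that fail, directly or transitively, if `asset` fails."""
    return _closure(asset, dependents_index(depends_on))


def upstream(depends_on, service):
    """All assets `service` ultimately depends on (its full supply chain)."""
    return _closure(service, depends_on)


def rank_single_points(depends_on):
    """Assets ordered by how many services their failure would take down."""
    ranked = [(asset, len(blast_radius(depends_on, asset))) for asset in depends_on]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def shared_upstream(depends_on, service_a, service_b):
    """Components common to both supply chains; non-empty means no real redundancy."""
    return upstream(depends_on, service_a) & upstream(depends_on, service_b)


if __name__ == "__main__":
    for asset, count in rank_single_points(DEPENDS_ON):
        print(f"{asset:20s} takes down {count} service(s)")
    for a, b in (("power_feed_1", "power_feed_2"), ("power_feed_1", "power_feed_3")):
        shared = shared_upstream(DEPENDS_ON, a, b)
        verdict = "independent" if not shared else f"share {sorted(shared)}"
        print(f"{a} vs {b}: {verdict}")
```

In the sample, substation_A tops the ranking because every service fed by power_feed_1 ultimately hangs off it, and the proposed power_feed_3 gives the hospital no real redundancy because it shares that same substation; power_feed_2, fed from substation_B, is the genuinely separate path. The same closure routine works in both directions, so the inventory only has to be maintained once.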