Access controls limit who can be in a specific area and what they can do once they get into an area. This area can be physical, such as a building, or logical, like a file structure. Limiting access on a personal or enterprise network will assist in securing what “lives” on that network, such as documents and personal information. Access controls are a cornerstone of a secure and vital network.
An important part of any access control system is creating clear guidelines and instructions for using it. In this section, you will learn how to use policies and standards as the foundation for creating access control system guidelines and procedures. The following are items to help you get started:
Everything starts with a policy. A policy specifies the requirements or rules that need to be followed. It sets the direction for the organization. An example of a policy is an acceptable use policy stating how employees may use employer-owned computer resources, including the network and systems. A standard specifies how to support the policy. The standards can be industry standards or organization-specific, or a combination of both. Guidelines provide recommendations on how the requirements are to be met. Procedures define how the policies, standards, and guidelines will be implemented. An example of this process is:
There are various approaches an organization can take when implementing access controls. You should consider each approach when creating procedures. Two of these approaches are the phased approach and prioritization.
A phased approach may be used when an organization has specific controls in place that ensure all steps that are related to each other are resolved together. In other words, changing one control does not affect another control. If an organization has the time to address all problems, a phased approach may be used.
A prioritization approach is used when an organization has limited resources and wants to resolve the important processes first.
A phased approach starts at the beginning and works through to the end, but only on one section of a project at a time. For example, a systems administrator performs an assessment of the infrastructure, determines the goals, and sets the procedures based on the goals. He or she must then implement the procedure. After all systems have been configured, they must be tested and the results evaluated. Let’s say a user named Kevin breached the security of a network folder. A systems administrator may review all the steps that led up to the breach. Was Kevin correctly granted access to the network? Was Kevin correctly allowed access to a particular folder? Did the access controls on the folder function properly or was there a failure? If there was a failure, why did it occur? Are changes to the access control system required?
A prioritization approach means the administrator deals with procedures and network changes on a case-by-case basis. If an attack has occurred on the network, the administrator may make appropriate changes to adjust for that immediate weakness in the system. For example, if a user breaches network security and accesses a folder without authorization, a prioritization approach would require a systems administrator to resolve the access control failure. Very little testing may be done after the remediation occurs. Prioritization may be used when an organization feels that ranking the tasks from most important to least important will provide an efficient system for resolving the tasks.
Once you decide which approach to take, you can begin turning policy statements into implementation tasks and procedures. Various questions that need to be addressed are:
Transforming policies into implementation procedures ensures that all business units are aware of the policies and security needs of the organization. The implementation procedures formalize the structure and policies of the corporation and allow the organizations within the company to be measured against them. These implementation tasks help ensure a safer organization by having a common mission and implementation method that all employees will follow.
Standards are an important baseline for incorporating security and specifically access controls within an organization. This section examines some of the organizations that set security and technology standards and which standards are important for creating access control implementation procedures.
The NIST National Vulnerability Database (NVD) is a U.S. government repository of standards-based vulnerability management data. The NVD uses the Security Content Automation Protocol (SCAP). Organizations that use the NVD are provided with vulnerability management, security management, and compliance information on software and hardware products and their implementations.
IEEE was created in 1963. This not-for-profit professional organization has created over 1,100 information technology standards. Some of these standards include IEEE 802.1X, which addresses authentication for Layer 2 (bridges and switches) devices when communicating on a network. The standard 802.1AC defines Media Access Control (MAC), and 802.1AE discusses MAC security. The IEEE Standards Association (IEEE-SA) is the standards contributor to IEEE. The IEEE-SA promotes “the engineering process by creating, developing, integrating, sharing, and applying knowledge about electro- and information technologies and sciences.”
NIST was founded in 1901 as a nonregulatory federal agency under the U.S. Department of Commerce. NIST’s mission is “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.” When it comes to information technology, NIST was given direction by the Computer Security Act of 1987, the Cyber Security Research and Development Act of 2002, and the Federal Information Security Management Act (FISMA) of 2002. These three acts direct NIST to develop cryptographic standards and procedures, guidelines, and best practices for federal IT security. This IT security guidance includes Federal Information Processing Standards (FIPS) and NIST Special Publications.
NIST Special Publication 800-53 Revision 3 provides guidelines for selecting and specifying security controls for information systems.
The Federal Information Security Modernization Act (FISMA) sets forth security requirements for all federal government agencies. It requires each federal agency to “develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided and managed by another agency, contractor, or another source.” NIST sets the FISMA standards for federal IT systems.
You might see the “M” in FISMA used to mean “Management” or “Modernization.” The original Federal Information Security Management Act was passed in 2002 to set federal cybersecurity requirements. Congress later updated the law in 2014 and kept the acronym the same when they passed the Federal Information Security Modernization Act.
According to FISMA, an information security policy should consist of:
As previously discussed, you must understand risk to appropriately identify or create security policies for your organization. You should use your knowledge of that risk to implement a framework of controls. FISMA has built a risk management framework that you can apply to new and current systems to manage your risk:
ISO is the largest developer and publisher of international standards. ISO is not associated with any government entity but works with the public and private sectors. Approximately 18,000 standards have been established through ISO, including:
ISO develops standards based on recommendations from industries and those that may be affected by the standard. The recommendation is passed on to an ISO member and the technical committee that would create the standard. If the technical committee feels that the standard is needed and is a global requirement, the committee discusses the relevance and will work together to develop the standard.
In 2008, IEEE and ISO joined forces to create the Partner Standards Development Organization (PSDO). This organization combines the resources from both governing bodies to “focus on the subjects of information technology, intelligent transport systems, and health informatics.”
An ISO/IEC prefix indicates joint work between ISO and the International Electrotechnical Commission (IEC). Its mission is to provide information about standards and standardization.
The Internet Engineering Task Force (IETF) was formed in 1986. IETF is an international organization that focuses on the Internet and Internet protocols. This includes the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, which includes the Application Layer, Transport Layer, Internet Layer, and Data Link Layer (described in RFC 1122). The IETF develops Requests for Comments (RFCs). An RFC addresses the methods and behaviors of Internet systems including routers, switches, and computer systems. Each RFC is assigned its own number, and that number is never changed. If an RFC needs to be rewritten or have additions, a revised document is written and released under a new number. RFCs can be superseded by other RFCs, making the original or previous RFC obsolete. Examples of some RFCs are:
The PCI Security Standards Council (PCI SSC) was founded in 2006 to develop and manage the payment card industry (PCI) security standards and to provide education and awareness about them. These standards include the Data Security Standard (DSS), the payment application data security standard, and PIN-entry device requirements. The companies that founded the PCI Security Standards Council are American Express, MasterCard, Visa, Discover, and JCB International.
Payment Card Industry Data Security Standard (PCI DSS) is a security standard for security management, policies and procedures, network architecture, software design, and other protective measures. This standard helps organizations protect customer payment card account data. PCI DSS specifies six primary requirements that merchants need to meet to process credit and debit card transactions:
The PCI DSS is updated every 3 years, using a defined life cycle approach that seeks input from merchants, service providers, banks, and other industry stakeholders. The current version of PCI DSS at the time this book went to press was version 3.2.1, published in May 2018. The PCI SSC frequently publishes updates to the standard, so be sure to check their website at http://pcisecuritystandards.org for the most recent version.
The Center for Internet Security (CIS) is a nonprofit independent community of professionals that provides best practice standards for the secure configuration of network devices such as Apple iPhone, Check Point Firewall software, and Cisco devices, just to name a few. The professionals associated with CIS establish:
CIS promotes consensus-based standards that organizations can use and implement to increase the security, privacy, and integrity of the business and other functions and transactions that occur on the Internet.
Although standards have been established by credible organizations in the United States and internationally, you need to incorporate them into your procedures in a way that’s easy for users to follow. Policies, too, need to be incorporated and expanded upon with details that specify how to perform tasks and when.
Converting a policy into an implementation task requires multiple steps. You must first identify a policy that addresses your needs. Some examples of policies are a password policy and a system configuration policy. You then compare your current system with the system described in the policy. You must perform a gap analysis to understand which steps will need to be implemented.
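The gap analysis step described above, as an added example that is not part of the original text: the password policy is written as measurable requirements, each system's current settings are compared against it, and every gap becomes an implementation task ordered by policy priority (the prioritization approach). The policy values, system names, and settings are constructed for illustration.

```python
"""Gap analysis: compare a password policy against each system's current
settings and turn every gap into an ordered implementation task.
All policy values and system settings below are constructed examples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    setting: str      # configuration key the policy governs
    target: int       # value the policy requires
    at_least: bool    # True: current must be >= target; False: current must be <= target
    priority: int     # 1 = remediate first (prioritization approach)


# Constructed password policy written as measurable requirements
PASSWORD_POLICY = [
    Requirement("min_length", 12, True, 1),
    Requirement("lockout_threshold", 5, False, 1),
    Requirement("max_age_days", 90, False, 2),
    Requirement("history_depth", 10, True, 3),
]

# Constructed snapshot of what each system enforces today
CURRENT_SETTINGS = {
    "fileserver": {"min_length": 8, "lockout_threshold": 10,
                   "max_age_days": 180, "history_depth": 10},
    "vpn": {"min_length": 14, "lockout_threshold": 3, "max_age_days": 60},
}


def find_gaps(policy, settings):
    """Return (system, requirement, current_value) for every requirement a
    system fails. A setting the system does not report at all is also a gap."""
    gaps = []
    for system, cfg in settings.items():
        for req in policy:
            current = cfg.get(req.setting)
            if current is None:
                gaps.append((system, req, None))
            elif req.at_least and current < req.target:
                gaps.append((system, req, current))
            elif not req.at_least and current > req.target:
                gaps.append((system, req, current))
    return gaps


def implementation_tasks(gaps):
    """Order gaps by policy priority, then system and setting, and phrase
    each one as a concrete task an administrator can carry out."""
    ordered = sorted(gaps, key=lambda g: (g[1].priority, g[0], g[1].setting))
    tasks = []
    for system, req, current in ordered:
        if current is None:
            tasks.append(f"{system}: set {req.setting} to {req.target} (not configured)")
        else:
            verb = "raise" if req.at_least else "lower"
            tasks.append(f"{system}: {verb} {req.setting} from {current} to {req.target}")
    return tasks


if __name__ == "__main__":
    for task in implementation_tasks(find_gaps(PASSWORD_POLICY, CURRENT_SETTINGS)):
        print(task)
```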
When managing procedures, establish who may change procedures and under what conditions. Is the person who created procedures the person who needs to change them? Will the person who needs to change them understand how and why the original policies and procedures were put in place? The developers of an organization’s security policies often move on to other programs or other companies. If their thoughts and beliefs behind the design, implementation, and testing of policies and procedures are not well noted or are incomprehensible to new administrators, the policies and procedures become a security risk themselves.
Let’s walk through a policy–standard–procedures–guidelines example for an organization. This example will show you how theory is put into practice:
These steps are put in place to ensure a secure organization and computer systems.
Guidelines are optional actions or controls that are based on policies, standards, and procedures. Guidelines are also recommendations and best practices that are provided by standards bodies such as NIST, ISO, and CIS. Whether creating guidelines that employees will follow is difficult or easy depends on the steps that were taken beforehand. Previously, you learned about procedures and that they need to be simple and easy to follow. If this philosophy is not adopted, the subsequent steps for implementing security will be much more challenging. When the security teams within an organization focus on security, they must realize that this needs to be accepted by both technical and nontechnical parties. This is where broad-based security training can benefit everyone. Administrators and employees need to understand the value and importance of what they are being asked to do.
Guidelines that may be established based on the password policy example, NIST standards, and password procedures are:
Guidelines within the organization assist in educating administrators. Guidelines identify what is expected of various groups to ensure compliance with policies and standards. Security is a day-to-day mandate and requires everyone to participate in the actions, policies, and guidelines. All employees should receive training to fully understand the value of security to the organization.
An enterprise-wide password database system, also called a single sign-on system, allows individual users to encrypt their user ID and password. These tools allow users to store their user IDs and passwords for multiple systems and applications. The data is encrypted and can be unlocked only by a user’s password. Instead of having to remember several passwords, the user will need to remember only one.