Access Control and Identity Management, 3rd Edition
- Length: 376 pages
- Edition: 3
- Language: English
- Publisher: Jones & Bartlett Learning
- Publication Date: 2020-10-15
- ISBN-10: 1284198359
- ISBN-13: 9781284198355
- Sales Rank: #215467
Part of the Jones & Bartlett Learning Information Systems Security & Assurance Series; the series meets all standards put forth by CNSS 4011 and 4013A. Access control protects resources against unauthorized viewing, tampering, or destruction. These systems serve as a primary means of ensuring privacy and confidentiality and of preventing unauthorized disclosure. Revised and updated with the latest data from this fast-paced field, Access Control and Identity Management defines the components of access control, provides a business framework for implementation, and discusses the legal requirements that affect access control programs. Focusing on identity and security management, this new edition looks at the risks, threats, and vulnerabilities prevalent in information systems and IT infrastructures and at how to handle them. This valuable resource gives both students and professionals details and procedures for implementing access control systems as well as for managing and testing those systems.
Front matter: Cover; Title Page; Copyright Page; Contents; Preface; Acknowledgments; About the Author; Dedication

CHAPTER 1 Access Control Framework
- Access and Access Control
- What Is Access?
- What Is Access Control?
- What Is Identity Management?
- Principal Components of Access Control
- Access Control Systems
- Access Control Subjects
- Access Control Objects
- Access Control Process
- Identification
- Authentication
- Authorization
- Logical Access Controls
- Logical Access Controls for Subjects
- Group-Based Access Controls
- Logical Access Controls for Objects
- Authentication Factors
- Something You Know
- Something You Have
- Something You Are
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 1 ASSESSMENT

CHAPTER 2 Business Drivers for Access Controls
- Business Requirements for Asset Protection
- Importance of Policy
- Senior Management Role
- Classification of Information
- Classification Schemes
- Personally Identifiable Information (PII)
- Privacy Act Information
- Privacy Controls Catalog
- Competitive Use of Information
- Valuation of Information
- The Business Drivers for Access Control
- Cost-Benefit Analysis
- Risk Assessment
- Business Facilitation
- Cost Containment
- Operational Efficiency
- IT Risk Management
- Controlling Access and Protecting Value
- Importance of Internal Access Controls
- Importance of External Access Controls
- Case Studies and Examples
- Case Study in Access Control Success
- Case Study in Access Control Failure
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 2 ASSESSMENT

CHAPTER 3 Human Nature and Organizational Behavior
- The Human Element
- Dealing with Human Nature
- Social Engineering
- Pre-Employment Background Checks for Sensitive Positions
- Ongoing Observation of Personnel
- Organizational Structure and Access Control Strategy
- Job Rotation and Position Sensitivity
- Requirement for Periodic Vacation
- Separation of Duties
- Concept of Two-Person Control
- Collusion
- Monitoring and Oversight
- Responsibilities of Access Owners
- Training Employees
- Acceptable Use Policy
- Security Awareness Policy
- Ethics
- What Is Right and What Is Wrong
- Enforcing Policies
- Human Resources Involvement
- Best Practices for Handling Human Nature and Organizational Behavior
- Make Security Practices Common Knowledge
- Foster a Culture of Open Discussion
- Encourage Creative Risk-Taking
- Case Studies and Examples
- Private Sector Case Study
- Public Sector Case Study
- Critical Infrastructure Case Study
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT

CHAPTER 4 Assessing Risk and Its Impact on Access Control
- Definitions and Concepts
- Threats and Vulnerabilities
- Access Control Threats
- Access Control Vulnerabilities
- Risk Assessment
- Quantitative Risk Assessment
- Qualitative Risk Assessment
- Risk Management Strategies
- Value, Situation, and Liability
- Potential Liability and Nonfinancial Impact
- Where Are Access Controls Needed Most?
- How Secure Must the Access Control Be?
- Case Studies and Examples
- Private-Sector Case Study
- Public Sector Case Study
- Critical Infrastructure Case Study
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 4 ASSESSMENT

CHAPTER 5 Access Control in the Enterprise
- Access Control Lists (ACLs) and Access Control Entries (ACEs)
- Access Control Models
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Rule-Based Access Control (RuBAC)
- Risk-Adaptive Access Control (RAdAC)
- Authentication Factors
- Types of Factors
- Factor Usage Criteria
- How Does Kerberos Authentication Work?
- Use of Symmetric Key and Trusted Third Parties for Authentication
- Key Distribution Center (KDC)
- Authentication Tickets
- Potential Weaknesses
- Kerberos in a Business Environment
- Network Access Control
- Layer 2 Techniques
- Layer 3 Techniques
- CEO/CIO/CSO Emergency Disconnect Prime Directive
- Wireless IEEE 802.11 LANs
- Access Control to IEEE 802.11 WLANs
- Identification
- Confidentiality
- Authorization
- Single Sign-On (SSO)
- Defining the Scope for SSO
- Configuring User and Role-Based User Access Control Profiles
- Common Configurations
- Enterprise SSO
- Best Practices for Handling Access Controls in an Enterprise Organization
- Case Studies and Examples
- Private Sector Case Study
- Public Sector Case Study
- Critical Infrastructure Case Study
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 5 ASSESSMENT

CHAPTER 6 Mapping Business Challenges to Access Control Types
- Access Controls to Meet Business Needs
- Business Continuity and Disaster Recovery
- Risk and Risk Mitigation
- Threats and Threat Mitigation
- Vulnerabilities and Vulnerability Management
- Solving Business Challenges with Access Control Strategies
- Employees with Access to Systems and Data
- Employees with Access to Sensitive Systems and Data
- Administrative Strategies
- Technical Strategies
- Separation of Privileges
- Least Privilege
- Need to Know
- Input/Output Controls
- Access Control System Design Principles
- Case Studies and Examples
- Private Sector Case Study
- Public Sector Case Study
- Critical Infrastructure Case Study
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 6 ASSESSMENT

CHAPTER 7 Access Control System Implementations
- Transforming Access Control Policies and Standards into Procedures and Guidelines
- Transform Policy Definitions into Implementation Tasks
- Follow Standards Where Applicable
- Create Simple and Easy-to-Follow Procedures
- Define Guidelines That Departments and Business Units Can Follow
- Identity Management and Access Control
- User Behavior, Application, and Network Analysis
- Size and Distribution of Staff and Assets
- Multilayered Access Control Implementations
- User Access Control Profiles
- System Access Control Lists
- Applications Access
- File and Folder Access
- Data Access
- Access Controls for Employees, Remote Employees, Customers, and Business Partners
- Remote Virtual Private Network (VPN) Access—Remote Employees and Workers
- Intranets—Internal Business Operations and Communications
- Extranets—External Supply Chains, Business Partners, Distributors, and Resellers
- Secure E-Commerce Sites with Encryption
- Secure Online Banking
- Access Control Implementations
- Logon/Password Access
- Identification Imaging and Authorization
- Federated Identities and Third Party Identity Services
- Best Practices for Access Control Implementations
- Case Studies and Examples
- Private Sector Case Study
- Public Sector Example
- Critical Infrastructure Case Study
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT

CHAPTER 8 Access Control for Information Systems
- Access Control for Data
- Data at Rest
- Data in Motion
- Object-Level Security
- Access Control for File Systems
- Access Control List
- Discretionary Access Control List
- System Access Control List
- Access Control for Executables
- Delegated Access Rights
- Microsoft Windows Workstations and Servers
- Granting Windows Folder Permissions
- Domain Administrator Rights
- Super Administrator Rights
- Pass-the-Hash Attacks
- Linux
- Linux File Permissions
- The Root Superuser
- Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems
- Best Practices for Access Controls for Information Systems
- Case Studies and Examples
- Private Sector Case Study
- Public Sector Case Study
- Critical Infrastructure Case Study
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT

CHAPTER 9 Physical Security and Access Control
- Physical Security
- Designing a Comprehensive Plan
- Building Security and Access
- Points of Entry and Exit
- Physical Obstacles and Barriers
- Granting Access to Physical Areas Within a Building
- Biometric Access Control Systems
- Principles of Operation
- Types of Biometric Systems
- Implementation Issues
- Modes of Operation
- Biometric System Parameters
- Legal and Business Issues
- Technology-Related Access Control Solutions
- Physical Locks
- Electronic Key Management System (EKMS)
- Fobs and Tokens
- Common Access Cards
- Outsourcing Physical Security—Pros and Cons
- Benefits of Outsourcing Physical Security
- Risks Associated with Outsourcing Physical Security
- Best Practices for Physical Access Controls
- Case Studies and Examples
- Private Sector Case Study and Example
- Public Sector Case Study
- Critical Infrastructure Case Study
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT

CHAPTER 10 Access Control Solutions for Remote Workers
- Growth in Mobile Work Force
- Remote Access Methods and Techniques
- Identification
- Authentication
- Authorization
- Access Protocols to Minimize Risk
- Authentication, Authorization, and Accounting (AAA)
- Remote Authentication Dial-In User Service (RADIUS)
- Remote Access Server (RAS)
- TACACS, XTACACS, and TACACS+
- Differences Between RADIUS and TACACS+
- Remote Authentication Protocols
- Network Authentication Protocols
- Virtual Private Networks (VPNs)
- Web Authentication
- Knowledge-Based Authentication (KBA)
- Best Practices for Remote Access Controls to Support Remote Workers
- Case Studies and Examples
- Private Sector Case Study
- Public Sector Case Study
- Critical Infrastructure Case Study
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT

CHAPTER 11 Public Key Infrastructure and Encryption
- Public Key Infrastructure (PKI)
- What Is PKI?
- Encryption and Cryptography
- Business Requirements for Cryptography
- Digital Certificates and Key Management
- Symmetric Versus Asymmetric Algorithms
- Certificate Authority (CA)
- Ensuring Integrity, Confidentiality, Authentication, and Nonrepudiation
- Use of Digital Signatures
- What PKI Is and What It Is Not
- What Are the Potential Risks Associated with PKI?
- Implementations of Business Cryptography
- Distribution
- In-House Key Management Versus Outsourced Key Management
- Certificate Authorities (CAs) and Digital Certificate Management
- Why Outsourcing a CA May Be Advantageous
- Risks and Issues with Outsourcing a CA
- Best Practices for PKI Use Within Large Enterprises and Organizations
- Case Studies and Examples
- Private Sector Case Study
- Public Sector Case Study
- Critical Infrastructure Example
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT

CHAPTER 12 Testing Access Control Systems
- Purpose of Testing Access Control Systems
- Software Development Life Cycle and the Need for Testing Software
- Planning
- Requirements Analysis
- Software Design
- Development
- Testing and Integration
- Release and Training
- Support
- Security Development Life Cycle and the Need for Testing Security Systems
- Initiation
- Acquisition and Development
- Implementation and Testing
- Operations and Maintenance
- Sunset or Disposal
- Security Monitoring, Incident Handling, and Testing
- Requirement Definition—Testing the Functionality of the Original Design
- Development of Test Plan and Scope
- Selection of Penetration Testing Teams
- Performing the Access Control System Penetration Test
- Assess if Access Control System Policies and Standards Are Followed
- Assess if the Security Baseline Definition Is Being Achieved Throughout
- Assess if Security Countermeasures and Access Control Systems Are Implemented Properly
- Preparing the Final Test Report
- Identify Gaps and Risk Exposures and Assess Impact
- Develop Remediation Plans for Closing Identified Security Gaps Prioritized by Risk Exposure
- Prepare Cost Magnitude Estimate and Prioritize Security Solutions Based on Risk Exposure
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT

CHAPTER 13 Access Control Assurance
- What Is Information Assurance?
- C-I-A Triad
- The Five Pillars
- The Parkerian Hexad
- How Can Information Assurance Be Applied to Access Control Systems?
- Access Controls Enforce Confidentiality
- Access Controls Enforce Integrity
- Access Controls Enforce Availability
- Training and Information Assurance Awareness
- What Are the Goals of Access Control System Monitoring and Reporting?
- What Checks and Balances Can Be Implemented?
- Track and Monitor Event-Type Audit Logs
- Track and Monitor User-Type Audit Logs
- Track and Monitor Unauthorized Access Attempts Audit Logs
- Audit Trail and Audit Log Management and Parsing
- Audit Trail and Audit Log Reporting Issues and Concerns
- Security Information and Event Management (SIEM)
- Best Practices for Performing Ongoing Access Control System Assurance
- Case Studies and Examples
- Private Sector Case Study
- Public Sector Case Study
- Critical Infrastructure Case Study
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT

CHAPTER 14 Access Control Laws, Policies, and Standards
- U.S. Compliance Laws and Regulations
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley (SOX) Act
- Family Educational Rights and Privacy Act (FERPA)
- Communications Assistance for Law Enforcement Act (CALEA)
- Children's Internet Protection Act (CIPA)
- Food and Drug Administration (FDA) Regulations
- North American Electric Reliability Council (NERC)
- Homeland Security Presidential Directive 12 (HSPD 12)
- Americans with Disabilities Act (ADA)
- Access Control Security Policy Best Practices
- Private Sector—Enterprise Organizations
- Public Sector—Federal, State, County, and City Government
- Critical Infrastructure, Including Utilities and Transportation
- IT Security Policy Framework
- Which Policies Are Needed for Access Controls?
- What Standards Are Needed to Support These Policies?
- Which Procedures Are Needed to Implement These Policies?
- What Guidelines Are Needed for Departments and End Users?
- Case Studies and Examples
- Private Sector Case Study
- Public Sector Case Study
- Critical Infrastructure Case Study
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- ENDNOTE

CHAPTER 15 Security Breaches and the Law
- Laws to Deter Information Theft
- U.S. Federal Laws
- State Laws
- Cost of Inadequate Front-Door and First-Layer Access Controls
- Access Control Failures
- People
- Technology
- Security Breaches
- Kinds of Security Breaches
- Why Security Breaches Occur
- Implications of Security Breaches
- Case Studies and Examples
- Private Sector Case Studies
- Public Sector Case Study
- Critical Infrastructure Case Study
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 15 ASSESSMENT

Back matter: Appendix A Answer Key; Appendix B Standard Acronyms; Glossary of Key Terms; References; Index