SOLUTION: Colorado State Security Control and Implementation of the Omega File Discussion

World Headquarters
Jones & Bartlett Learning
5 Wall Street
Burlington, MA 01803
978-443-5000
info@jblearning.com
www.jblearning.com
Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.

Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.

The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. Access Control, Authentication, and Public Key Infrastructure, Second Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.

There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.
Production Credits
Chief Executive Officer: Ty Field
President: James Homer
SVP, Editor-in-Chief: Michael Johnson
SVP, Curriculum Solutions: Christopher Will
Director of Sales, Curriculum Solutions: Randi Roger
Senior Marketing Manager: Andrea DeFronzo
Associate Marketing Manager: Kelly Thompson
VP, Design and Production: Anne Spencer
VP, Manufacturing and Inventory Control: Therese Connell
Manufacturing and Inventory Control Supervisor: Amy Bacus
Editorial Management: High Stakes Writing, LLC, President: Lawrence J. Goodrich
Senior Editor, HSW: Ruth Walker
Senior Editorial Assistant: Rainna Erikson
Production Manager: Susan Schultz
Composition: Gamut+Hue, LLC
Cover Design: Kristin E. Parker
Director of Photo Research and Permissions: Amy Wrynn
Rights & Photo Research Assistant: Joseph Veiga
Cover Image: © HunThomas/ShutterStock, Inc.
Chapter Opener Image: © Rodolfo Clix/Dreamstime.com
Printing and Binding: Edwards Brothers Malloy
Cover Printing: Edwards Brothers Malloy
ISBN: 978-1-284-03159-1
Library of Congress Cataloging-in-Publication Data
Not available at time of printing.
Printed in the United States of America
Contents
Preface
Acknowledgments
PART ONE
The Need for Access Control Systems
CHAPTER 1
Access Control Framework
Access and Access Control
What Is Access?
What Is Access Control?
Principal Components of Access Control
Access Control Systems
Access Control Subjects
Access Control Objects
Access Control Process
Identification
Authentication
Authorization
Logical Access Controls
Logical Access Controls for Subjects
Group Access Controls
Logical Access Controls for Objects
Authentication Factors
Something You Know
Something You Have
Something You Are
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2
Assessing Risk and Its Impact on Access Control
Definitions and Concepts
Threats and Vulnerabilities
Access Control Threats
Access Control Vulnerabilities
Risk Assessment
Quantitative Risk Assessment
Qualitative Risk Assessment
Risk Management Strategies
Value, Situation, and Liability
Potential Liability and Non-Financial Impact
Where Are Access Controls Needed Most?
How Secure Must the Access Control Be?
The Utility of Multilayered Access Control Systems
Case Studies and Examples
Private Sector
Public Sector
Critical Infrastructure
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3
Business Drivers for Access Controls
Business Requirements for Asset Protection
Importance of Policy
Senior Management Role
Classification of Information
Classification Schemes
Personally Identifiable Information (PII)
Privacy Act Information
Competitive Use of Information
Valuation of Information
Business Drivers
Cost-Benefit Analysis
Risk Assessment
Business Facilitation
Cost Containment
Operational Efficiency
IT Risk Management
Controlling Access and Protecting Value
Importance of Internal Access Controls
Importance of External Access Controls
Implementation of Access Controls with Respect to Contractors, Vendors, and Third Parties
Examples of Access Control Successes and Failures in Business
Case Study in Access Control Success
Case Study in Access Control Failure
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
CHAPTER 4
Access Control Policies, Standards, Procedures, and Guidelines
U.S. Compliance Laws and Regulations
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley (SOX) Act
Family Educational Rights and Privacy Act (FERPA)
Communications Assistance for Law Enforcement Act (CALEA)
Children’s Internet Protection Act (CIPA)
21 CFR Part 11
North American Electric Reliability Council (NERC)
Homeland Security Presidential Directive 12 (HSPD 12)
Access Control Security Policy Best Practices
Private Sector—Enterprise Organizations
Public Sector—Federal, State, County, and City Government
Critical Infrastructure, Including Utilities and Transportation
IT Security Policy Framework
What Policies Are Needed for Access Controls?
What Standards Are Needed to Support These Policies?
What Procedures Are Needed to Implement These Policies?
What Guidelines Are Needed for Departments and End Users?
Examples of Access Control Policies, Standards Procedures, and Guidelines
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
ENDNOTE
CHAPTER 5
Security Breaches and the Law
Laws to Deter Information Theft
U.S. Federal Laws
State Laws
Cost of Inadequate Front-Door and First-Layer Access Controls
Access Control Failures
People
Technology
Security Breaches
Kinds of Security Breaches
Why Security Breaches Occur
Implications of Security Breaches
Private Sector Case Studies
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
PART TWO
Mitigating Risk with Access Control Systems, Authentication, and PKI
CHAPTER 6
Mapping Business Challenges to Access Control Types
Access Controls to Meet Business Needs
Business Continuity
Risk and Risk Mitigation
Threats and Threat Mitigation
Vulnerabilities and Vulnerability Management
Solving Business Challenges with Access Control Strategies
Employees with Access to Systems and Data
Employees with Access to Sensitive Systems and Data
Administrative Strategies
Technical Strategies
Separation of Responsibilities
Least Privilege
Need to Know
Input/Output Controls
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7
Human Nature and Organizational Behavior
The Human Element
Dealing with Human Nature
Pre-Employment Background Checks for Sensitive Positions
Ongoing Observation of Personnel
Organizational Structure and Access Control Strategy
Job Rotation and Position Sensitivity
Requirement for Periodic Vacation
Separation of Duties
Concept of Two-Person Control
Collusion
Monitoring and Oversight
Responsibilities of Access Owners
Training Employees
Acceptable Use Policy
Security Awareness Policy
Ethics
What Is Right and What Is Wrong
Enforcing Policies
Human Resources Involvement
Best Practices for Handling Human Nature and Organizational Behavior
Make Security Practices Common Knowledge
Foster a Culture of Open Discussion
Encourage Creative Risk-Taking
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8
Access Control for Information Systems
Access Control for Data
Data at Rest
Data in Motion
Object-Level Security
Access Control for File Systems
Access Control List
Discretionary Access Control List
System Access Control List
Access Control for Executables
Delegated Access Rights
Microsoft Windows Workstations and Servers
Granting Windows Folder Permissions
Domain Administrator Rights
Super Administrator Rights
UNIX and Linux
UNIX and Linux File Permissions
Linux Intrusion Detection System (LIDS)
The Root Superuser
Supervisory Control and Data Acquisition (SCADA) and Process Control Systems
Best Practices for Access Controls for Information Systems
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9
Physical Security and Access Control
Physical Security
Designing a Comprehensive Plan
Building Security and Access
Points of Entry and Exit
Physical Obstacles and Barriers
Granting Access to Physical Areas Within a Building
Biometric Access Control Systems
Principles of Operation
Types of Biometric Systems
Implementation Issues
Modes of Operation
Biometric System Parameters
Legal and Business Issues
Technology-Related Access Control Solutions
Physical Locks
Electronic Key Management System (EKMS)
Fobs and Tokens
Common Access Cards
Outsourcing Physical Security—Pros and Cons
Benefits of Outsourcing Physical Security
Risks Associated with Outsourcing Physical Security
Best Practices for Physical Access Controls
Case Studies and Examples
Private Sector—Case Studies and Examples
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10
Access Control in the Enterprise
Access Control Lists (ACLs) and Access Control Entries (ACEs)
Access Control Models
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role-Based Access Control (RBAC)
Attribute-Based Access Control (ABAC)
Authentication Factors
Types of Factors
Factor Usage Criteria
Kerberos
How Does Kerberos Authentication Work?
Use of Symmetric Key and Trusted Third Parties for Authentication
Key Distribution Center (KDC)
Authentication Tickets
Principal Weaknesses
Kerberos in a Business Environment
Network Access Control
Layer 2 Techniques
Layer 3 Techniques
CEO/CIO/CSO Emergency Disconnect Prime Directive
Wireless IEEE 802.11 LANs
Access Control to IEEE 802.11 WLANs
Identification
Confidentiality
Authorization
Single Sign-On (SSO)
Defining the Scope for SSO
Configuring User and Role-Based User Access Control Profiles
Common Configurations
Enterprise SSO
Best Practices for Handling Access Controls in an Enterprise Organization
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
PART THREE
Implementing, Testing, and Managing Access Control Systems
CHAPTER 11
Access Control System Implementations
Transforming Access Control Policies and Standards into Procedures and Guidelines
Transform Policy Definitions into Implementation Tasks
Follow Standards Where Applicable
Create Simple and Easy-to-Follow Procedures
Define Guidelines That Departments and Business Units Can Follow
Identity Management and Access Control
User Behavior, Application, and Network Analysis
Size and Distribution of Staff and Assets
Multilayered Access Control Implementations
User Access Control Profiles
Systems Access
Applications Access
File and Folder Access
Data Access
Access Controls for Employees, Remote Employees, Customers, and Business Partners
Remote Virtual Private Network (VPN) Access—Remote Employees and Workers
Intranets—Internal Business Operations and Communications
Extranets—External Supply Chains, Business Partners, Distributors, and Resellers
Secure E-commerce Portals with Encryption
Secure Online Banking Access Control Implementations
Logon/Password Access
Identification Imaging and Authorization
Best Practices for Access Control Implementations
Case Studies and Examples
Private Sector Case Study
Public Sector Example
Critical Infrastructure Case Study
CHAPTER 11 SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12
Access Control Solutions for Remote Workers
Growth in Mobile Work Force
Remote Access Methods and Techniques
Identification
Authentication
Authorization
Access Protocols to Minimize Risk
Authentication, Authorization, and Accounting (AAA)
Remote Authentication Dial In User Service (RADIUS)
Remote Access Server (RAS)
TACACS, XTACACS, and TACACS+
Differences Between RADIUS and TACACS+
Remote Authentication Protocols
Virtual Private Networks (VPNs)
Web Authentication
Knowledge-Based Authentication (KBA)
Best Practices for Remote Access Controls to Support Remote Workers
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
CHAPTER 13
Public Key Infrastructure and Encryption
Public Key Infrastructure (PKI)
What Is PKI?
Encryption and Cryptography
Business Requirements for Cryptography
Digital Certificates and Key Management
Symmetric Versus Asymmetric Algorithms
Certificate Authority (CA)
Ensuring Integrity, Confidentiality, Authentication, and Non-Repudiation
Use of Digital Signatures
What PKI Is and What It Is Not
What Are the Potential Risks Associated with PKI?
Implementations of Business Cryptography
Distribution
In-House Key Management Versus Outsourced Key Management
Certificate Authorities (CA)
Why Outsourcing to a CA May Be Advantageous
Risks and Issues with Outsourcing to a CA
Best Practices for PKI Use Within Large Enterprises and Organizations
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Example
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14
Testing Access Control Systems
Purpose of Testing Access Control Systems
Software Development Life Cycle and the Need for Testing Software
Planning
Requirements Analysis
Software Design
Development
Testing and Integration
Release and Training
Support
Security Development Life Cycle and the Need for Testing Security Systems
Initiation
Acquisition and Development
Implementation and Testing
Operations and Maintenance
Sunset or Disposal
Information Security Activities
Requirements Definition—Testing the Functionality of the Original Design
Development of Test Plan and Scope
Selection of Penetration Testing Teams
Performing the Access Control System Penetration Test
Assess if Access Control System Policies and Standards Are Followed
Assess if the Security Baseline Definition Is Being Achieved Throughout
Assess if Security Countermeasures and Access Control Systems Are Implemented Properly
Preparing the Final Test Report
Identify Gaps and Risk Exposures and Assess Impact
Develop Remediation Plans for Closing Identified Security Gaps Prioritized by Risk Exposure
Prepare Cost Magnitude Estimate and Prioritize Security Solutions Based on Risk Exposure
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15
Access Control Assurance
What Is Information Assurance?
C-I-A Triad
The Five Pillars
Parkerian Hexad
How Can Information Assurance Be Applied to Access Control Systems?
Access Controls Enforce Confidentiality
Access Controls Enforce Integrity
Access Controls Enforce Availability
Training and Information Assurance Awareness
What Are the Goals of Access Control System Monitoring and Reporting?
What Checks and Balances Can Be Implemented?
Track and Monitor Event-Type Audit Logs
Track and Monitor User-Type Audit Logs
Track and Monitor Unauthorized Access Attempts Audit Logs
Audit Trail and Audit Log Management and Parsing
Audit Trail and Audit Log Reporting Issues and Concerns
Security Information and Event Management (SIEM)
Best Practices for Performing Ongoing Access Control System Assurance
Case Studies and Examples
Private Sector Case Study
Public Sector Case Study
Critical Infrastructure Case Study
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A
Answer Key
APPENDIX B
Standard Acronyms
Glossary of Key Terms
References
Index
Preface
Purpose of This Book
This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.

The goal of Access Control, Authentication, and Public Key Infrastructure, Second Edition is to provide you with both academic knowledge and real-world understanding of the concepts behind access controls. These are tools you will use to secure valuable resources within your organization’s IT infrastructure. The authors’ goal was to provide you with a book that would teach important concepts first, and act as a useful reference later.

Access control goes beyond the simple username and password. This book approaches access control from a broad perspective, dealing with every aspect of access controls, from the very low-tech to the cutting edge.

Part 1 of this book defines the components of access control, provides a business framework for implementation, and discusses legal requirements that impact access control programs.

In Part 2, the risks, threats, and vulnerabilities that are prevalent in information systems and IT infrastructures are addressed with risk mitigation strategies and techniques. Access control systems and stringent authentication are presented as ways to mitigate risk.

Part 3 provides a resource for students and practitioners who are responsible for implementing, testing, and managing access control systems throughout the IT infrastructure. Use of public key infrastructures for large organizations and certificate authorities is presented to solve unique business challenges.
This book is more than just a list of different technologies and techniques. You will come away with an understanding of how an…