IT/244 Information Security Policy

Access Control Policy

Associate Level Material

Appendix F

Access Control Policy

Student Name: Enter Your Name Here

University of Phoenix

IT/244 Intro to IT Security

Instructor’s Name: Enter Your Instructor's Name Here

Date: Enter the date here

IT/244 Intro to IT SecurityPage 1

Access Control Policy

1.Access Control Policy

Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies work to secure information systems

1.1.Authentication

Describe how and why authentication credentials are used to identify and control access to files, screens, and systems. Include a discussion of the principles of authentication such as passwords, multifactor authentication, biometrics, and single-sign-on.

Access controls are a collection of mechanisms that work together to create security architecture to protect the assets of an information system. One of the goals of access control is personal accountability, which is the mechanism that proves someone performed a computer activity at a specific point in time. As each of the four stores associated with Sunica Music and Movies (SMM) will have access to the computerized files, there need to be security measures put in place to protect the financial and customer data.

1.2.Access control strategy

1.2.1.Discretionary access control

Describe how and why discretionary access control will be used. Include an explanation of how the principle of least privilege applies to assure confidentiality. Explain who the information owner is that has the responsibility for the information and has the discretion to dictate access to that information.

The principle of discretionary access control (DAC) dictates that the information owner is the one who decides who gets to access the system(s). This is how most corporate systems operate. DAC authority may be delegated to others who then are responsible for user setup, revocation, and changes (department moves, promotions, and so forth). Most of the common operating systems on the market today (Windows, Macintosh, Unix, Novell’s Net- ware, and so forth) rely on DAC principles for access and operation. The highest management at SMM will be responsible for determining who is granted access and the level that is given.

1.2.2.Mandatory access control

Describe how and why mandatory access control will be used.

In a system that uses mandatory access control (MAC; also called nondiscretionary access control), the system decides who gains access to information based on the concepts of subjects, objects, and labels. MAC is most often seen in military and governmental systems and is rarely seen in the commercial world. In a MAC environment, objects (including data) are labeled with a classification (e.g. Secret, Top Secret, and so forth), and subjects, or users, are cleared to that class of access. MAC may be a bit too much control for SMM at this time; however, it is a possibility for the future of the company.

1.2.3.Role-based access control

Describe how and why role-based access control will be used.

Role-based access control(RBAC) groups users with a common access need. You can assign a role for a group of users who perform the same job functions and require similar access to resources. Role-based controls simplify the job of granting and revoking access by simply assigning users to a group, and then assigning rights to the group for access control purposes. This is especially helpful where there is a high rate of employee turnover or frequent changes in employee roles. SMM has seen a great deal of employee turnover in the past, and needs to be able to rescind access for employees who choose to leave the company for whatever reason. Moreover, as SMM continues to increase its security with improved access to customer and financial files, tis type of security is necessary.

1.3.Remote access

Describe the policies for remote user access and authentication via dial-in user services and Virtual Private Networks (VPN)

Remote Access Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access users to communicate with a central server to authenticate dial-in users and authorize their access to the re- quested system or service. For example, you may need to dial-up an external network to gain access for performing work, depositing a file, or picking up a file.

A virtual private network (VPN) is another common means for remote users to access corporate networks. With a VPN, a user connects to the Internet via his or her ISP and initiates a connection to the protected network (often using a RADIUS server), creating a private tunnel between the end points that prevents eavesdropping or data modification. VPNs use strong cryptography to both authenticates senders and receivers of messages and to encrypt traffic so it’s not vulnerable to a man-in-the-middle attack. In addition, many users take advantage of VPN methods to access confidential information such as patient information away from the hospital. This will be ideal for SMM employees to access work information when they are away from the office for one reason or another.

2.References

Merkow, M. (2006) Information Security: Principles and Practices. Prentice Hall. Pearson Education, Inc.

IT/244 Intro to IT SecurityPage 1