LEGAL AND SECURITY ISSUES IN ICT
LESSON OUTLINES
ACCESS CONTROL FUNDAMENTALS I
Subject and Object Definition
Accountability process
Identification
Authentication
Authorization
Auditing
ACCESS CONTROL
• Access control plays a critical role in information
security. It refers to the methods and techniques used
to regulate and manage access to resources, systems,
and data.
• Access control ensures that only authorized
individuals or entities can access and perform actions
on sensitive information. This presentation will provide
an overview of access control principles, models,
techniques, best practices, and challenges in
information security.
• Access control involves managing and controlling
access to resources based on predefined rules and
policies. To understand access control fundamentals, it
is important to define the concepts of subjects and
objects:
Key Concepts
• Subject: In the context of access control, a subject refers to an entity
that can access or interact with a resource. It can be an individual
user, a system process, a program, or any other entity that seeks
access to objects. Subjects are typically associated with identities,
such as usernames, user IDs, or digital certificates, which
authenticate their identities and determine their access privileges.
Examples of subjects include employees, administrators, or
automated processes.
• Object: An object represents a resource or entity that subjects want
to access or interact with. Objects can include files, databases,
network devices, physical assets, or any other element that requires
protection. Each object has specific attributes, such as ownership,
permissions, or security labels, that define the level of access and
actions allowed for subjects. Examples of objects include documents,
servers, routers, or printers.
Access control: Subject and object
• In the context of access control, subjects request access to
objects and access control mechanisms determine whether to
grant or deny that access based on the defined rules and
policies. These rules and policies are typically based on the
security requirements, the subject's identity and attributes, the
object's sensitivity, and the established access control model
(such as discretionary access control, mandatory access
control, or role-based access control).
• Access control mechanisms ensure that subjects can only
access objects for which they have proper authorization. They
enforce restrictions, permissions, and rules to prevent
unauthorized access, maintain data confidentiality, protect
system integrity, and ensure proper accountability. By defining
and implementing appropriate access control policies,
organizations can mitigate the risks associated with
unauthorized access, data breaches, and misuse of
resources.
ACCOUNTABILITY PROCESS
• Accountability in information security refers to the principle of
assigning responsibility and ensuring that individuals or entities are
answerable for their actions or decisions regarding the security of
information and systems. It involves establishing clear roles,
obligations, and consequences to promote a culture of responsibility
and trust in managing and protecting information assets.
• Accountability processes involve establishing mechanisms to ensure
that individuals or entities are held responsible and answerable for
their actions or omissions related to information security. These
processes help create a culture of responsibility, promote adherence
to security policies, and enable effective incident response and
resolution.
• These processes are used individually or in combination to establish
the identity of individuals or entities within information systems. By
accurately identifying users and entities, organizations can control
access, enforce security policies, and maintain accountability for
actions performed within their systems.
ACCOUNTABILITY PROCESSES
• Access Controls: Access controls are implemented to ensure that only authorized
individuals can access sensitive information or perform specific actions. User
authentication mechanisms such as passwords, biometrics, or two-factor authentication
help establish the identity of users. By assigning unique user accounts and credentials,
accountability can be established by linking actions and activities to specific individuals.
• Audit Trails: Audit trails capture a record of events, activities, and system actions.
These logs document various activities such as user logins, file accesses, system
changes, and other security-related events. By reviewing audit trails, organizations can
identify and track user actions, detect potential security breaches, and hold individuals
accountable for their actions. Regular analysis of audit logs is essential for ensuring
accountability.
• Role-Based Access Control (RBAC): RBAC is a method of managing access to
resources based on job roles and responsibilities. Each user is assigned specific
permissions and privileges based on their role within the organization. This approach
helps establish accountability as actions can be traced back to specific roles rather than
individual users, simplifying the management of access and accountability.
SOME COMMON ACCOUNTABILITY PROCESSES IN
INFORMATION SECURITY
• Separation of Duties: Separation of duties is a principle that ensures no single
individual has complete control or authority over critical functions or systems. By
dividing responsibilities among multiple individuals, it reduces the risk of
unauthorized actions or malicious activities. Separation of duties enhances
accountability by requiring collusion among multiple parties to carry out unauthorized
activities.
• Incident Response and Investigation: In the event of a security incident or breach,
an incident response process is initiated to contain and mitigate the impact. As part of
the process, an investigation is conducted to determine the cause and identify the
responsible parties. This helps establish accountability for the breach and facilitates
appropriate actions, such as disciplinary measures or legal proceedings.
• Security Awareness and Training: Accountability in information security can be
strengthened through education and training programs. By promoting a culture of
security awareness, employees are made aware of their responsibilities and the
potential consequences of their actions. Training programs can cover topics such as
data handling, security policies, and best practices, fostering a sense of individual
accountability for maintaining the security of information.
• Access Control and Authentication: Implementing access
controls and authentication mechanisms ensures that
individuals are granted appropriate access privileges based
on their roles and responsibilities.
• Logging and Auditing: Maintaining comprehensive logs of
system activities, including user actions, system events, and
network traffic, provides an audit trail for accountability
purposes. Regularly reviewing and analyzing these logs can
help detect and investigate security incidents, identify
anomalies, and attribute actions to specific users or systems.
IDENTIFICATION
• Identification is the process of recognizing a particular user,
frequently by their login. Authentication, which is
frequently performed by providing a password, is the
proof of this user's identity. User access to systems
or privileges can only be granted once a user has
been correctly recognized and validated.
• Identification involves uniquely recognizing and
verifying the identity of individuals or entities accessing
systems, networks, or resources. It is the first step in
establishing trust and controlling access to sensitive
information. The identification process helps ensure
that only authorized individuals are granted access
privileges and that their actions can be attributed to
their specific identity.
KEY ASPECTS OF THE IDENTIFICATION PROCESS
• Usernames and User IDs: Usernames or user IDs are unique identifiers assigned to individuals to distinguish them within
a system or network. They provide a way to associate actions and activities with specific users, enabling accountability.
Usernames are typically used in conjunction with passwords or other authentication factors to verify the identity of users.
• Personal Identification Numbers (PINs): PINs are numeric codes or passwords used to verify the identity of individuals.
They are commonly used in conjunction with username or user ID authentication for systems such as ATMs or
smart card-based access control systems.
• Biometric Identification: Biometric identification involves using unique physiological or behavioral characteristics of
individuals to establish their identity. Examples include fingerprint scanning, iris recognition, facial recognition, voice
recognition, or palm print recognition. Biometric identification provides a highly secure and reliable means of authentication.
• Digital Certificates: Digital certificates are cryptographic credentials that verify the authenticity and integrity of entities in
electronic transactions. They are issued by a trusted third party called a Certificate Authority (CA) and typically contain
information such as the entity's name, public key, and the CA's digital signature. Digital certificates are widely used in
secure communication protocols like SSL/TLS.
• MAC Addresses: Media Access Control (MAC) addresses are unique identifiers associated with network devices, such as
network interface cards (NICs). They provide a means to identify and differentiate devices on a local network. MAC
addresses are often used for access control in network environments.
• IP Addresses: Internet Protocol (IP) addresses are numerical identifiers assigned to devices connected to a network.
While IP addresses are primarily used for network routing, they can also be used for identification purposes, particularly in
conjunction with network logs or access control systems.
• Tokens and Smart Cards: Tokens and smart cards are physical devices that store identification information and provide
a means of authentication. These devices typically contain embedded chips or cryptographic elements that securely store
and transmit identification data.
• Single Sign-On (SSO): Single Sign-On is a process that allows users to authenticate themselves once to gain access to
multiple interconnected systems or applications. SSO typically involves the use of a centralized identity provider that
manages user identities and authentication processes across various systems.
• Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA): Two-factor authentication involves combining
multiple factors for authentication, such as something the user knows (e.g., a password), something the user has (e.g., a
physical token), or something the user is (e.g., a fingerprint). By requiring multiple factors, the identification process
becomes more robust and secure.
• Regulatory Compliance: Identification processes in certain industries or jurisdictions may need to comply with specific
regulatory requirements. For example, financial institutions may be required to adhere to Know Your Customer (KYC)
regulations, which involve stringent identification and verification processes for customers.
• Unique Identifiers: Each individual or entity is assigned a unique identifier, often in the form of a username, user ID, or
employee ID. This identifier distinguishes one entity from another and helps track and differentiate their activities within
the system.
• User Accounts: User accounts are created for individuals or entities to associate their unique identifier with specific
access privileges and permissions. These accounts typically include a combination of the unique identifier and a password
or other authentication credentials to verify the identity during the authentication process.
• Registration and Enrollment: During the registration or enrollment process, individuals provide necessary information to
establish their identity within the system.
• Identity Verification: To ensure the accuracy and validity of the claimed identity, organizations may employ various
verification methods. This can involve verifying documents, conducting background checks, or using additional
authentication factors to validate the individual's identity.
• Centralized Identity Management: In larger organizations, a centralized identity management system is often employed
to manage user identities, access controls, and permissions across multiple systems and applications. This helps
streamline the identification process and ensures consistency and coherence in managing user accounts.
AUTHENTICATION
• Authentication is the process of verifying the claimed
identity of an individual or entity to ensure that they
are who they claim to be. It is used to control access
to systems, networks, applications, or resources.
Authentication confirms that the user or entity has the
necessary credentials or authentication factors to
prove their identity and grant them the appropriate
level of access.
KEY ASPECTS OF AUTHENTICATION
• Credentials: Credentials are the information or factors provided by the user to authenticate their identity. This
can include passwords, PINs, passphrases, cryptographic keys, or other forms of authentication factors.
• Authentication Factors: Authentication factors are the types of information or evidence used to verify identity.
There are typically three main types of factors:
- Knowledge Factors
- Possession Factors
- Inherence Factors
- Multi-factor authentication (MFA)
• Authentication Methods: There are various methods used for authentication, including:
- Password-based authentication
- Token-based authentication
- Single Sign-On (SSO)
- Biometric authentication
- Certificate-based authentication
• Authentication Protocols: Authentication protocols define the sequence of steps and mechanisms used to
perform the authentication process. Examples include the widely used protocols like Secure Sockets
Layer/Transport Layer Security (SSL/TLS) for web-based authentication or Kerberos for network-based
authentication.
• Risk-based Authentication: In some cases, risk-based authentication is employed, where the level of
authentication required is based on the assessed risk associated with the user, device, or context of the
authentication attempt. This can involve additional authentication factors or more stringent verification methods
for high-risk scenarios.
AUTHORIZATION
• Authorization involves determining the access rights
and privileges of authenticated individuals or entities. It
specifies what actions they are allowed to perform or
not to perform on information assets.
• Authorization is the process of granting or denying
access rights and permissions to individuals or entities
based on their authenticated identity and the level of
privileges they are entitled to.
• Authorization ensures that users have the appropriate
level of access necessary to perform their authorized
tasks while preventing unauthorized access to
sensitive information.
AUTHORIZATION - KEY ASPECTS
• Access Control Policies: Access control policies define the rules and criteria for granting or
denying access rights based on the authenticated identity, role, or other attributes of the user.
• User Roles and Permissions: User roles and permissions are predefined sets of access rights and
privileges that determine what actions or resources a user can access.
• Access Control Lists (ACLs): ACLs define the authorized actions or operations that can be
performed on resources, such as read, write, execute, or delete.
• Role-Based Access Control (RBAC): Users are assigned to specific roles based on their job
functions, and the permissions associated with those roles determine their access rights.
• Attribute-Based Access Control (ABAC): ABAC is an authorization model that evaluates access
decisions based on multiple attributes of the user, resource, and environment. Attributes can include
user attributes (e.g., department, location), resource attributes (e.g., sensitivity level, classification),
and environmental attributes (e.g., time of day, network location). ABAC provides more fine-grained
access control based on dynamic attributes.
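An ABAC decision as described above, shown as an added example that is not part of the original slides. The attribute names, sensitivity levels and the two policy rules are assumptions made up for illustration; the evaluator denies by default and treats missing attributes as a reason to deny.

```python
from dataclasses import dataclass
from datetime import time

# Sensitivity levels, least to most sensitive (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Request:
    user: dict         # user attributes: department, clearance
    resource: dict     # resource attributes: owner_department, sensitivity
    environment: dict  # environmental attributes: time_of_day, network
    action: str


def same_department(r):
    dept = r.user.get("department")
    return dept is not None and dept == r.resource.get("owner_department")


def cleared_for_resource(r):
    # Fail closed: an unknown clearance ranks lowest, an unlabeled resource highest.
    have = LEVELS.get(r.user.get("clearance"), -1)
    need = LEVELS.get(r.resource.get("sensitivity"), len(LEVELS))
    return have >= need


def office_hours(r):
    now = r.environment.get("time_of_day")
    return now is not None and time(8, 0) <= now <= time(18, 0)


def on_corporate_network(r):
    return r.environment.get("network") == "corporate"


# Each rule: (name, actions covered, conditions that must all hold).
POLICY = [
    ("read-own-department", {"read"}, [same_department, cleared_for_resource]),
    ("write-in-office", {"write"},
     [same_department, cleared_for_resource, office_hours, on_corporate_network]),
]


def decide(request):
    """Return (allowed, matching rule name); deny when no rule matches."""
    for name, actions, conditions in POLICY:
        if request.action in actions and all(c(request) for c in conditions):
            return True, name
    return False, "default-deny"


if __name__ == "__main__":
    analyst = {"department": "finance", "clearance": "confidential"}
    ledger = {"owner_department": "finance", "sensitivity": "confidential"}
    day = {"time_of_day": time(10, 30), "network": "corporate"}
    night = {"time_of_day": time(22, 0), "network": "vpn"}
    for env in (day, night):
        for action in ("read", "write"):
            print(action, env["network"], decide(Request(analyst, ledger, env, action)))
```

The same user and resource get different answers for a write depending only on the environment attributes, which a role check alone cannot express.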
• Least Privilege Principle: The least privilege principle states that users should be granted the
minimum level of access rights necessary to perform their authorized tasks. By adhering to this principle,
organizations reduce the potential for accidental or intentional misuse of privileges and limit the impact
of security breaches.
• Access Review and Auditing: Regular access reviews and audits are conducted to ensure that access
rights and permissions remain appropriate and up to date. This involves reviewing user accounts, roles,
and permissions to identify and address any discrepancies, unauthorized access, or violations of access
control policies.
• Privileged Access Management (PAM): PAM is a security practice that focuses on managing and
controlling privileged accounts with elevated access rights. PAM solutions enforce additional security
measures, such as two-factor authentication, session monitoring, and time-limited access, for privileged
accounts to mitigate the risk of misuse or unauthorized access.
AUDITING
• Auditing in the context of information security refers to
the systematic examination and evaluation of an
organization's security controls, policies, procedures,
and practices to ensure they are aligned with
established standards, regulations, and best practices.
AUDITING - KEY ASPECTS
• Objective and Scope: Audits are conducted with specific objectives and scopes in mind. The objectives
may include assessing compliance with regulatory requirements, evaluating adherence to security policies,
identifying security vulnerabilities, or validating the effectiveness of security controls. The scope defines the
boundaries and areas to be audited, such as specific systems, processes, or departments.
• Internal and External Audits: Audits can be conducted by internal or external parties. Internal audits are
performed by individuals within the organization who are independent of the processes or functions being
audited. External audits are conducted by third-party auditors who are not part of the organization. External
audits may be required for compliance purposes or to provide an unbiased assessment of an
organization's security posture.
• Audit Planning: Audit planning involves defining the audit objectives, scoping the audit, and developing
an audit plan. This includes identifying the resources, tools, and methodologies to be used, as well as
establishing a timeline for conducting the audit. The planning phase ensures that the audit is structured
and organized, maximizing its effectiveness and efficiency.
• Examination and Assessment: During the audit, the auditor examines the organization's security controls,
processes, and practices. This includes reviewing documentation, conducting interviews, and performing
technical assessments. The auditor assesses the effectiveness of the controls, identifies any gaps or
deficiencies, and compares the findings against established standards or best practices.
• Compliance and Regulatory Audits: Compliance audits focus on verifying adherence to specific
regulations, industry standards, or legal requirements. These audits ensure that the organization meets the
necessary criteria to maintain compliance and minimize legal and financial risks. Examples of compliance
audits include audits for the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance
Portability and Accountability Act (HIPAA), or the European Union's General Data Protection Regulation
(GDPR).
• Reporting and Recommendations: Following the audit, the auditor prepares a detailed report that
summarizes the findings, identifies areas of improvement, and provides recommendations for enhancing
security controls and practices. The report may include a risk assessment, remediation suggestions, and a
prioritized action plan to address the identified vulnerabilities or deficiencies. The report is shared with
management and stakeholders to drive improvements and support decision-making.
• Continuous Auditing: Information security auditing
is an ongoing process. Organizations should
regularly perform audits to ensure that security
controls are continuously monitored, evaluated, and
improved. This includes periodic follow-up audits to
assess the effectiveness of remediation efforts and
to verify that recommended actions have been
implemented.
• Audit Trail and Documentation: Auditing relies on
maintaining detailed audit trails and documentation.
This includes recording audit activities, findings,
evidence, and actions taken. An effective audit trail
enables traceability, accountability, and supports the
integrity and reliability of audit results.
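The four accountability steps from this lesson (identification, authentication, authorization, auditing) chained into one access decision, as an added example that is not part of the original slides. The `ReferenceMonitor` class, the role table and the sample accounts are hypothetical names constructed for illustration; every request, allowed or denied, leaves an audit record tied to the subject.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# RBAC: role -> permitted (action, object) pairs. Constructed sample policy.
ROLE_PERMISSIONS = {
    "clerk": {("read", "invoice")},
    "manager": {("read", "invoice"), ("approve", "invoice")},
}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ReferenceMonitor:
    def __init__(self):
        self.accounts = {}     # unique user ID -> (salt, password hash, role)
        self.audit_trail = []  # one record per access request, allowed or denied

    def enroll(self, user_id, password, role):
        if user_id in self.accounts:
            raise ValueError("user ID must be unique")
        salt = os.urandom(16)
        self.accounts[user_id] = (salt, _hash(password, salt), role)

    def _audit(self, user_id, action, obj, outcome):
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": user_id, "action": action, "object": obj,
            "outcome": outcome,
        })
        return outcome

    def request(self, user_id, password, action, obj):
        # 1. Identification: is the claimed identity a known subject?
        account = self.accounts.get(user_id)
        if account is None:
            return self._audit(user_id, action, obj, "deny:unknown-subject")
        salt, stored, role = account
        # 2. Authentication: verify the credential in constant time.
        if not hmac.compare_digest(stored, _hash(password, salt)):
            return self._audit(user_id, action, obj, "deny:authentication-failed")
        # 3. Authorization: least privilege, only what the role lists.
        if (action, obj) not in ROLE_PERMISSIONS.get(role, set()):
            return self._audit(user_id, action, obj, "deny:not-authorized")
        # 4. Auditing: allowed actions are recorded like denied ones.
        return self._audit(user_id, action, obj, "allow")

    def actions_by(self, user_id):
        """Audit review: every recorded request attributed to one subject."""
        return [e for e in self.audit_trail if e["subject"] == user_id]


if __name__ == "__main__":
    monitor = ReferenceMonitor()
    monitor.enroll("alice", "correct horse", "clerk")
    print(monitor.request("alice", "correct horse", "read", "invoice"))
    print(monitor.request("alice", "correct horse", "approve", "invoice"))
    print(monitor.request("alice", "guess", "read", "invoice"))
    for entry in monitor.actions_by("alice"):
        print(entry)
```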