Scribd
Upload
33 views5 pages

Security Control I Notes

The document outlines fundamental concepts of data security, focusing on access control steps including identification, authentication, authorization, and accountability. It details password management practices and various types of security controls such as administrative, technical, and physical controls, along with common access control practices. Additionally, it highlights the top four security controls to implement for effective data protection.

Uploaded by

simonpabalate
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
33 views5 pages

Security Control I Notes

The document outlines fundamental concepts of data security, focusing on access control steps including identification, authentication, authorization, and accountability. It details password management practices and various types of security controls such as administrative, technical, and physical controls, along with common access control practices. Additionally, it highlights the top four security controls to implement for effective data protection.

Uploaded by

simonpabalate
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 5

Fundamental Concepts of Data Security: Security Controls 1 Notes

Access Control Concepts Steps


1. Identification
2. Authentication
3. Authorization
4. Resource
5. Accountability

Access Control Concepts Explained


 Identity
o Set of attributes related to an entity used by computer system
i.e student id
o Represents a person, an organisation, an application, or a
device
o Identification component requirements
 Uniqueness
 Standard naming scheme
 Non-descriptive
 Not to be shared between users
 Identification
o The first step in applying access control
o The assurance that the entity requesting access is accurately
associated with the role defined within the system
o Binds a user to appropriate controls based on the identity
o Common methods: User ID, MAC address, IP address, Personal
Identification Number (PIN), Identification Badges, Email
Address
 Authentication
o The second step in applying access controls
o The process of verifying the identify of a user
o Using information secret to the user only
o Three authentication factors
 Something a person knows (knowledge)
 Something a person has (ownership)
 Something a person is (characteristics)
o Strong authentication
 Combination of at least two factors
 Authorization
o The final step in applying access controls
o Defines what resources a user needs and type of access to
those resources
o Three access control methods
 DAC: Discretionary access control (identity)
 MAC: Mandatory access control (policy)
 RBAC: Role-based access control (role)
 Accountability
o Ensuring that users are accountable for their actions
o Verifying that security policies are enforced
o Used for investigation of security incidents
o Tracked by recording activities of users, system and
applications
o Audit trails, log files, audit tools
 How to manage
 What to record
 How to keep them safe

Password Management
 Password Security
o Password generation: system vs user
o Password strength: length, complexity, dynamic
o Password aging & rotation
o Limit log-on attempts
 Password management
o Password synchronisation
o Self-service password reset
o Assisted password reset

Security Controls
 Safeguards to prevent, detect, correct or minimise security risks
 Set of actions for data security

Types of Security Controls


 Administrative Controls
o Policy and procedures
o Standards
o Guidelines
o Risk management
o Screening of personnel
o Change control procedures
o Personal controls
o Supervisory structure
o Security awareness training
o Testing
 Technical/Logical Controls
o System access
o Network architecture
o Network access
o Encryption and protocols
o Auditing
o Implementing and maintain access control mechanisms
o Password and resource management
 Physical Controls
o Network segregation
o Perimeter security
o Computer controls
o Work area separation
o Data backups
o Cabling
o Control zone

Each of the controls can be further classified


 Deterrent
 Preventative
 Detective
 Corrective
 Recovery
Common Access Control Practices
 Deny access to systems to undefined users or anonymous accounts
 Limit and monitor the usage of administrator and other powerful
accounts
 Suspend or delay access capability after a specific number of
unsuccessful logon attempts
 Remove obsolete user accounts as soon as the user leaves the
company
 Suspend inactive accounts after 30 to 60 days
 Enforce strict access criteria
 Enforce the need to know and least privilege practices
 Disable unneeded system features, services, and ports
 Replace default passwords settings on accounts
 Limit and monitor global access rules
 Remove redundant resource rules from accounts and group
memberships
 Remove redundant user IDs, accounts, and role-based accounts
from resource access list
 Enforce password rotation
 Enforce password requirements (length, contents, lifetime,
distribution, storage, and transmission)
 Audit system and user events and actions, and review reports
periodically
 Protect audit logs

Top four controls


 Application Whitelisting
 Patch applications
 Patch operating systems
 Restrict administrative privileges

You might also like