ITS 4210 - Access Control, Authentication, and PKI

Chapter 15, Access Control Assurance

Objectives:

This lesson discusses conceptual labels and analysis. Objectives important to this lesson:

  1. Information assurance (IA)
  2. IA in controls
  3. Using controls to assure CIA

Concepts:

Chapter 15

This chapter reviews material from previous chapters, repackaging it with new names, but not really introducing anything new.

Information Assurance

The text introduces a new concept on page 339. First, you should know from other courses that Information Systems Security (ISS) is concerned with protecting all of our organization's information. We are also told that Information Assurance (IA) is a subset of ISS. IA is concerned with protecting information that is being processed or being used. Why do we care about that subset? The text makes it a bit clearer by listing the "five pillars of the IA model". You will recognize most of them:

  • Confidentiality - a concern of ISS and IA
  • Integrity - a concern of ISS and IA
  • Availability - a concern of ISS and IA
  • Authentication - a concern of IA
  • Nonrepudiation - a concern of IA

This makes no sense, because we have already been told that IA is part of ISS. There seems to be agreement on lots of web sites, including the Department of Defense, that IA does embrace these five concepts. So, what about the two new ones?

  • Authentication - making sure of a user's identity
  • Nonrepudiation - keeping records of what users do on the system

The two concepts, when taken together, mean that we have confidence about who we have allowed into our system, and we are tracking what they do, so there is no denying (repudiating) their actions. The text continues with a longer discussion on each of the five points.

  • Confidentiality - the text uses the phrase "need to know" as a measure of this concept; we do not allow access to any resource unless there is a reason for that access
  • Integrity - making sure that data is changed only by users who have been authorized to change it; this may be done by imposing limits on access, or by limiting the kinds or level of changes a user is allowed to make, such as restricting a user's view to data they actually own
  • Availability - data must be available to authorized users when they need it
  • Authentication - the security needs of the system must be matched by the level of confidence we have in a user's identity, perhaps requiring multi-factor and biometric ID in some cases
  • Nonrepudiation - tracking of events and files must prove that a particular user took action, authorized access or payment, or simply was on the system; this can include digital signatures being placed on everything a user processes
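The last two pillars go together in practice: an audit record only proves that a particular user acted if the record is bound to an identity we have already authenticated. The following Go program is an added example, not from the textbook, showing one way to do that with Ed25519 signatures: each audit event is signed with the user's private key, and a verifier holding only a directory of registered public keys (the directory, the key names and the sample event are all constructed for this example) can check that the event is genuine, untampered, and attributable to that user and no one else.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// AuditEvent records one user action. Field order is fixed by the struct,
// so json.Marshal gives a deterministic byte string to sign.
type AuditEvent struct {
	User      string `json:"user"`
	Action    string `json:"action"`
	Resource  string `json:"resource"`
	Timestamp string `json:"ts"`
}

// SignedEvent is what goes into the audit trail: the event plus the
// signature produced by the acting user's private key.
type SignedEvent struct {
	Event     AuditEvent
	Signature []byte
}

func canonical(e AuditEvent) []byte {
	b, _ := json.Marshal(e) // cannot fail for a struct of plain strings
	return b
}

// SignEvent is run on the user's side; only the user holds priv.
func SignEvent(priv ed25519.PrivateKey, e AuditEvent) SignedEvent {
	return SignedEvent{Event: e, Signature: ed25519.Sign(priv, canonical(e))}
}

// VerifyEvent checks integrity and origin against one known public key.
func VerifyEvent(pub ed25519.PublicKey, s SignedEvent) bool {
	return ed25519.Verify(pub, canonical(s.Event), s.Signature)
}

// VerifyFromDirectory ties the record to the identity it claims: the key used
// is the one registered for s.Event.User, so a valid signature cannot later
// be repudiated, and a record claiming an unregistered user is rejected.
func VerifyFromDirectory(dir map[string]ed25519.PublicKey, s SignedEvent) bool {
	pub, ok := dir[s.Event.User]
	return ok && VerifyEvent(pub, s)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for "alice"
	dir := map[string]ed25519.PublicKey{"alice": pub}
	ev := AuditEvent{User: "alice", Action: "approve-payment", Resource: "invoice-1042", Timestamp: "2024-01-01T10:00:00Z"}
	s := SignEvent(priv, ev)
	fmt.Println("genuine record accepted:", VerifyFromDirectory(dir, s))
	s.Event.Resource = "invoice-9999" // tamper with the stored record
	fmt.Println("tampered record accepted:", VerifyFromDirectory(dir, s))
}
```

Because the verifier never holds the private key, a valid signature is evidence only the key holder could have produced, which is what distinguishes nonrepudiation from a plain integrity check such as an HMAC with a shared secret.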

The text continues with a discussion of the McCumber cube, which is a confusing construct at best. It throws in the Parkerian hexad, which proves the point that lots of analysts try to make a name for themselves in the security business. Bottom line: protect the data. How you define what you are doing doesn't matter as much as actually doing it.

Controls must be tested and monitored. Testing takes place on the entire environment. We determine whether the controls are serving the big picture goals (business requirements, strategic goals) of the organization. The system is assessed and audited several ways:

  • Self-assessment - usually performed by internal quality assurance and quality control staff
  • Internal Audit - people inside the organization perform the audit and report to a controlling body or committee
  • External Audit - an outside entity performs the audit, concentrating on organizational aspects that require an independent agent's view
  • Regulator Audit - done when aspects of the organization fall under government regulation or legal requirements


Assignments

  1. Continue the reading assignments for the course.
  2. Complete the assignments and class discussion made in this module.