ITS 4210 - Access Control, Authentication, and PKI

Chapter 4, Access Control Laws, Policies, and Standards


This lesson concerns chapter 4. Objectives important to this lesson:

  1. US laws and regulations concerning IT
  2. Access control security policy best practices
  3. Access control as part of IT security
  4. Examples of policies, standards, procedures, and guidelines


Chapter 4

This chapter is concerned with US laws and regulations, many of which were enacted in response to specific security problems. The text cautions us to keep up with relevant laws and to stay compliant with them. This chapter goes into more detail about these laws than any other we have used in the past, so let's take a look at them.
US Laws
  • Gramm-Leach-Bliley Act (GLBA, 1999) - also called the Financial Services Modernization Act; deregulated banks and financial services, allowing each institution to offer banking, investments, and insurance services.

    It included three rules that affect privacy.
    • The Financial Privacy Rule allows people to opt out of having their data shared with partner companies, but it is usually implemented so that it is easier to allow the sharing.
    • The Safeguards Rule requires that companies have data security plans.
    • The Pretexting Rule tells institutions to implement procedures to keep from releasing information to people who are trying to gain information under false pretenses (pretexting). (They had to be told to do that?)

    The text observes that GLBA-based access controls should specify what a person may access, and how long that permission should be granted. One way to do this would be to set up a new login ID for the person, and to set an expiration date for it. Tracking the access to the sensitive data would be easier this way because it would be linked to the actions of that ID.

  • Health Insurance Portability and Accountability Act (HIPAA, 1996) - Establishes a large, complicated rule set for storing health information in a common format, making it sharable, and making it a crime to share it with people who should not have it. It prohibits disclosure of protected health data, with penalties up to $250,000 and 10 years in prison for trying to sell it; penalties for an accidental disclosure can be as low as $100, so the intent of the person responsible makes a difference. The text discusses several rules that are part of this act.
    • Privacy Rule (2003) - The basic rule is to protect the privacy of information about a patient's status, health care, and payments. The aggregate of this information is called Patient Health Information (PHI). Organizations are limited to disclosing the minimum information needed to facilitate treatment or payment, disclosing information that is required by law, and disclosing other information only to the patient and to others whom the patient has authorized to receive it.
    • Transactions and Codes Set Rule - This rule establishes a common data set, a configuration of health data, to be used when transferring data from one health provider to another, or to entities concerned with billing.
    • Unique Identifier Standards Rule - This sets rules to identify each of four entities: employers, health providers, health plans, and individual patients.
    • Security Rule - Established particular safeguards that providers must use to protect PHI. Note the requirements on pages 67 and 68. Some of the highlights would include establishing written procedures, designating a privacy officer, identifying groups or staff who have access to PHI, and establishing processes to grant, modify, and remove access rights.
      The rule specifies a list of technical and physical controls, also listed on page 68.
    • Enforcement Rule - The enforcement rule establishes rules for investigations and penalties for noncompliance. Note that penalties vary based on the number of times a violation occurs, the number of people affected by each violation, and the duration of the violation.

  • Sarbanes-Oxley Act (Sarbox or SOX, 2002) - A reaction to corporate fraud and corruption, it provided penalties up to $5,000,000 and 20 years in prison for officers who file false corporate reports. It also established rules about proper performance by those in fiscally responsible roles (they deal with money). Note the eleven parts of the rule listed on page 70.

  • Family Educational Rights and Privacy Act (FERPA, 1974) - Protects the information of educational records, the rights of students to keep their records private, and the rights of students to access information about themselves. There is no requirement to preserve privacy about directory information, unless a student specifically requests that it be made private. Directory information includes name, address, phone number, email address, dates attended, and degrees earned.

  • Communications Assistance for Law Enforcement Act (CALEA) - Requires the communications industry to provide support for properly ordered wiretaps and surveillance by law enforcement officers. It includes access to electronic communications, such as Voice over IP and Internet traffic.

  • Children's Internet Protection Act (CIPA, 2000) - Requires that schools and libraries add controls to their systems to prevent minors from accessing obscene or harmful content. It also requires that the systems be protected from viruses and other inbound attacks.
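Two of the ideas above are concrete enough to show in code: the GLBA paragraph's suggestion of a dedicated login ID with an expiration date whose every action is tracked, and the HIPAA Privacy Rule's "minimum necessary" disclosure. The following is an added teaching example written for these notes, not code from the text or any real institution. The login IDs, the patient record, the dates, and the field sets assigned to each disclosure purpose are all constructed for illustration and are not the regulation's own lists.

```python
"""Expiring access grants with an audit trail (GLBA) and a minimum-necessary
filter on patient data (HIPAA Privacy Rule). Teaching example; every name,
field, and date below is constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample PHI record. The purpose -> fields map is illustrative:
# treatment and payment each see only what they need, the patient sees all.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "diagnosis": "example diagnosis",
    "treatment_plan": "example plan",
    "insurance_id": "INS-123",
    "amount_billed": 250.00,
    "home_address": "1 Example St",
}

MINIMUM_NECESSARY = {
    "treatment": {"patient_id", "name", "diagnosis", "treatment_plan"},
    "payment": {"patient_id", "name", "insurance_id", "amount_billed"},
    "patient": set(PATIENT_RECORD),
}


def minimum_necessary(record, purpose):
    """Return only the fields needed for the stated purpose.
    An unknown purpose gets nothing, never the whole record."""
    allowed = MINIMUM_NECESSARY.get(purpose, set())
    return {k: v for k, v in record.items() if k in allowed}


@dataclass
class Grant:
    login_id: str
    resource: str
    expires: date        # GLBA: state how long the permission lasts
    approved_by: str     # HIPAA Security Rule: record who granted it


@dataclass
class AccessRegistry:
    grants: dict = field(default_factory=dict)  # login_id -> Grant
    audit: list = field(default_factory=list)   # one tuple per event

    def grant(self, login_id, resource, days, approved_by, today):
        """Create a dedicated, expiring login for one outside party."""
        expires = today + timedelta(days=days)
        self.grants[login_id] = Grant(login_id, resource, expires, approved_by)
        self.audit.append((today, login_id, "GRANT", resource, "ok"))

    def revoke(self, login_id, today):
        """Remove the grant; the audit trail keeps the history."""
        self.grants.pop(login_id, None)
        self.audit.append((today, login_id, "REVOKE", "-", "ok"))

    def access(self, login_id, resource, today):
        """Allow only an unexpired grant for exactly this resource. Every
        attempt, allowed or denied, is logged under the login ID, which is
        what makes tracking that party's actions easy."""
        g = self.grants.get(login_id)
        if g is None or g.resource != resource:
            outcome = "denied: no grant"
        elif today > g.expires:
            outcome = "denied: expired"
        else:
            outcome = "allowed"
        self.audit.append((today, login_id, "ACCESS", resource, outcome))
        return outcome == "allowed"

    def attempts_by(self, login_id):
        """Pull the audit lines for one ID, e.g. for an investigation."""
        return [e for e in self.audit if e[1] == login_id]


def demo():
    """Constructed walk-through: a 30-day grant to a partner's login ID."""
    reg = AccessRegistry()
    start = date(2024, 1, 1)
    reg.grant("partner-acme-01", "customer-db", days=30,
              approved_by="privacy-officer", today=start)
    results = [
        reg.access("partner-acme-01", "customer-db", start + timedelta(days=10)),
        reg.access("partner-acme-01", "payroll-db", start + timedelta(days=10)),
        reg.access("partner-acme-01", "customer-db", start + timedelta(days=31)),
    ]
    return results, reg


if __name__ == "__main__":
    results, reg = demo()
    print(results)
    for line in reg.attempts_by("partner-acme-01"):
        print(line)
    print(minimum_necessary(PATIENT_RECORD, "payment"))
```

The point of the design is that the outside party never shares a generic or employee account: the grant names one ID, one resource, one expiry, and one approver, and the audit list records denials as well as successes, so an expired ID that keeps trying is visible rather than silent.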

The last few pages in this section get into less significant laws. Let's move on to the next topic.

Access Control Best Practices

The text begins with proposals for enterprise (large) organizations:

  • Define an authorization policy - Under what circumstances are access rights assigned? Who makes the requests, and who approves or denies them? How are rights audited and removed?
  • Access control for facilities - What physical security controls will be used for our data centers? How will we monitor those controls? As discussed elsewhere, decisions must be made about controlled access, guards, locks, single factor or multifactor security, and more.
  • Social Engineering - It is more likely that a social engineer will succeed in an enterprise environment than in a small business. Why? Because everyone does not know everyone else in an enterprise environment. There are frequently new people, contractors, temporaries, and guests, and any of them might be standing by the door, smiling sadly, in need of our help. The social engineer is like Blanche DuBois in A Streetcar Named Desire, who always depended on the kindness of strangers. Yes, if I saw Blanche standing there, I would let her through the door, too. But I would watch where she went and what she did. We all need to learn to be responsible for our choices and our actions.

  • Access control for systems and applications - Systems in any facility, data centers included, need their own security and access controls. So should applications that hold sensitive data. Some applications need access to system resources that an attacker may use. As usual, assign the lowest set of privileges that will allow people to do their jobs. This goes for every item in the list.
  • Access control for data - What must be encrypted? It is common these days to require that any data in transit, whether across a wire or on a portable device, be encrypted. This is a standard that can be enacted easily in enterprise editions of Windows.
  • Access control for remote access - Mobility is a time saver and a productivity increaser, when security controls are in place. It is an open door to attackers when there is no encryption, no VPN, no encrypted channel on a public wireless access point.

The text explains that the recommendations for government installations are not really different, just stricter because of federal, state, and municipal laws requiring adherence to best practices. The text continues on the same theme for several pages, quoting more standards that mean the same thing: identify, protect, and preserve. Do the right thing. There is no IT category that requires no security at all.

On page 83, we are given a set of four terms that explain the key parts of a security framework. These terms are defined differently by different authors, and used differently from business to business. You need to know the equivalent of each term in the environment where you work, especially if you are responsible for creating something at any of these levels.

  • Policy - specific requirements or rules for a set of resources in an organization
  • Standard - a set of rules to be followed for the operation of a specific task or system
  • Guideline - suggestions and proposed best practices to be used in meeting a standard or policy
  • Procedure - specific steps to be followed for a specific task that will lead to an acceptable result, in compliance with the items above

Guidelines are optional, but the other three components go from general rules at the top of the list to specific operational steps that must be followed at the bottom.

Assignments for Chapter 4

  1. Continue the reading assignments for the course.
  2. Complete the assignments and class discussion made in this module.