ITS 4210 - Access Control, Authentication, and PKI
Chapter 4, Access Control Laws, Policies, and Standards
This lesson concerns chapter 4.
Objectives important to this lesson:
US laws and regulations concerning IT
Access control security policy best practices
Access control as part of IT security
Examples of policies, standards, procedures, and guidelines
This chapter is concerned with US laws and regulations, many
of which were enacted in response to specific security problems. The
text cautions us to keep up with relevant laws and to stay compliant
with them. This chapter goes into more detail about these laws than any
other we have used in the past, so let's take a look at them.
Gramm-Leach-Bliley Act (GLBA, 1999) - also called the
Financial Services Modernization Act; deregulated banks and financial
services, allowing each institution to offer banking, investments, and
It included three rules that affect privacy.
The Privacy Rule allows people to opt out of having their data
shared with partner companies, but it is usually implemented so that
allowing the sharing is the easier choice.
The Safeguards Rule
requires that companies have data security plans.
The Pretexting Rule
tells institutions to implement procedures to keep from releasing
information to people who are trying to obtain it under false
pretenses (pretexting). (They
had to be told to do that?)
The text observes that GLBA-based access controls should specify what a
person may access and how long that permission is granted. One
way to do this would be to set up a new login ID for the person and to
set an expiration date for it. Tracking access to the sensitive
data is easier this way because every access is linked to the actions
of that one ID.
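As an added illustration (my own sketch, not code from the textbook or from these notes), the following Python program models that suggestion: each grant creates a dedicated login ID with an expiry date, every access attempt is decided and recorded under that ID, and a report of what one ID did is therefore a report of what one person did. All names, resources, and timestamps are constructed for the example.

```python
"""Time-bounded login IDs with access tracking (added example; constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TemporaryAccount:
    login_id: str
    person: str
    resources: frozenset          # sensitive data sets this ID may read
    expires_at: datetime          # permission ends here; nothing renews it silently


@dataclass
class AccessRegistry:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def grant(self, person, resources, days, now):
        """Create a dedicated login ID for one person and one purpose, with an expiry."""
        login_id = f"tmp-{person.lower()}-{len(self.accounts) + 1:03d}"
        self.accounts[login_id] = TemporaryAccount(
            login_id, person, frozenset(resources), now + timedelta(days=days))
        return login_id

    def check_access(self, login_id, resource, now):
        """Decide one access attempt and record it; every entry is keyed by login ID."""
        acct = self.accounts.get(login_id)
        if acct is None:
            outcome = "DENY unknown-id"
        elif now >= acct.expires_at:
            outcome = "DENY expired"
        elif resource not in acct.resources:
            outcome = "DENY not-authorized"
        else:
            outcome = "ALLOW"
        # Denials are logged too: a stream of DENY entries is the detection signal.
        self.audit_log.append((now.isoformat(), login_id, resource, outcome))
        return outcome == "ALLOW"

    def history(self, login_id):
        """Everything done under one ID; with one ID per person, this is that person's trail."""
        return [entry for entry in self.audit_log if entry[1] == login_id]

    def expired(self, now):
        """IDs whose permission has lapsed and should be disabled or removed."""
        return sorted(i for i, a in self.accounts.items() if now >= a.expires_at)


def run_demo():
    """Walk one constructed grant through its lifetime and return the observations."""
    reg = AccessRegistry()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    auditor_id = reg.grant("Alice", ["loan-records"], days=30, now=t0)
    return {
        "day_1": reg.check_access(auditor_id, "loan-records", t0 + timedelta(days=1)),
        "wrong_resource": reg.check_access(auditor_id, "account-numbers", t0 + timedelta(days=2)),
        "day_31": reg.check_access(auditor_id, "loan-records", t0 + timedelta(days=31)),
        "unknown": reg.check_access("tmp-bob-999", "loan-records", t0),
        "expired_ids": reg.expired(t0 + timedelta(days=31)),
        "trail_len": len(reg.history(auditor_id)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the one-ID-per-grant design is the last two fields of the result: the expiry report tells the administrator which IDs to remove, and the per-ID history is a complete trail of one person's use of the sensitive data, which a shared or permanent account cannot give you.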
Health Insurance Portability and Accountability Act (HIPAA, 1996) - Establishes
a large, complicated rule set for storing health information in a
common format, making it sharable, and making it a crime to share it
with people who should not have it. It prohibits disclosure of
protected health data, with penalties up to $250,000 and 10 years in
prison for trying to sell it; penalties for an accidental disclosure
can be as low as $100, so the intent of the person responsible makes a
difference. The text discusses several rules that are part of this act.
Privacy Rule (2003)
- The basic rule is to protect the privacy of information about a
patient's status, health care, and payments. The aggregate of this
information is called Patient Health Information (PHI).
Organizations are limited to disclosing the minimum information needed
to facilitate treatment or payment, to disclosing information required by
law, and to disclosing other information only to the patient and to
others whom the patient has given permission to receive it.
Code Set Rule - This rule establishes a common data set, a
configuration of health data, to be used when transferring data from
one health provider to another, or to entities concerned with billing.
Security Rule
- Establishes particular safeguards that providers must use to protect
PHI. Note the requirements on pages 67 and 68. Some of the highlights
include establishing written procedures, designating a privacy
officer, identifying groups or staff who have access to PHI, and
establishing processes to grant, modify, and remove access rights.
The rule specifies a list of technical and physical controls, also
listed on page 68.
Enforcement Rule
- Establishes rules for investigations and
penalties for noncompliance. Note that penalties vary based on the
number of times a violation occurs, the number of people affected by
each violation, and the duration of the violation.
Sarbanes-Oxley Act (Sarbox or SOX, 2002) - A reaction to corporate fraud and corruption, it provides penalties up to $5,000,000 and 20
years in prison for officers who file false corporate reports. It also
establishes rules about proper performance by those in fiscally
responsible roles (they deal with money).
Note the eleven parts of the act listed on page 70.
Family Educational Rights and Privacy Act (FERPA,
1974) - Protects the information in educational records, the right of
students to keep their records private, and the right of students to
access information about themselves. There is no requirement to
preserve privacy about directory
information, unless a student specifically requests that it be
made private. Directory information includes name, address, phone
number, email address, dates attended, and degrees earned.
Communications Assistance for Law Enforcement Act (CALEA) - Requires the communications
industry to provide support for properly ordered wiretaps and
surveillance by law enforcement officers. It includes access to
electronic communications, such as Voice over IP and Internet traffic.
Children's Internet Protection Act (CIPA,
2000) - Requires that schools and libraries add controls to their
systems to prevent minors from accessing obscene or harmful
content. It also requires that the systems be protected from viruses
and other inbound attacks.
The last few pages in this section get into less significant
laws. Let's move on to the next topic.
Access Control Best Practices
The text begins with proposals for enterprise (large) environments:
Define an authorization policy - Under what
circumstances are access rights assigned? Who makes the requests, and
who approves or denies them? How are rights audited and removed?
Access control for facilities - What physical
security controls will be used for our data centers? How will we
monitor those controls? As discussed elsewhere, decisions must be made
about controlled access, guards, locks, single factor or multifactor
security, and more.
Social Engineering - It is more likely that a
social engineer will succeed in an enterprise environment than
in a small business. Why? Because not everyone
knows everyone else in an enterprise environment. There are frequently
new people, contractors, temporaries, and guests, and any of them might
be standing by the door, smiling sadly, in need of our help. The social
engineer is like Blanche DuBois in A Streetcar Named Desire,
who always depended on the kindness of strangers. Yes, if I saw Blanche
standing there, I would let her through the door, too. But I would watch
where she went and what she did. We all need to learn to be responsible
for our choices and our actions.
Access control for systems and applications
- Systems in any facility, data centers included, need their own
security and access controls. So do applications that hold
sensitive data. Some applications need access to system resources that
an attacker could abuse. As usual, assign the lowest set of privileges that
will allow people to do their jobs. This goes for every item in the
Access control for data - What must be encrypted?
It is common these days to require that any data in transit, whether
across a wire or on a portable device, be encrypted. This is a standard
that can be enacted easily in enterprise editions of Windows.
Access control for remote access - Mobility is a
time saver and a productivity booster when security controls are in
place. It is an open door to attackers when there is no encryption, no
VPN, and no encrypted channel on a public wireless access point.
The text explains that the recommendations for government
installations are not really different, just stricter, because
federal, state, and municipal laws require adherence
to best practices. The text continues on the same theme for several
pages, quoting more standards that mean the same thing: identify,
protect, and preserve. Do the right thing. There is no IT category that
requires no security at all.
On page 83, we are given a set of four terms that explain
the key parts of a security framework. These terms are defined
differently by different authors, and used differently from business to
business. You need to know the equivalent of each term in the
environment where you work, especially if you are responsible for
creating something at any of these levels.
Policy - specific requirements or rules
for a set of resources in an organization
Standard - a set of rules to be followed
for the operation of a specific task or system
Guideline - suggestions and proposed best
practices to be used in meeting a standard or policy
Procedure - specific steps to be followed
for a specific task that will lead to an acceptable result,
in compliance with the items above
Guidelines are optional, but the other three components go
from general rules at the top of the list to specific operational steps
that must be followed at the bottom.
Assignments for Chapter 4
Continue the reading assignments for the course.
Complete the assignments and class discussion assigned
in this module.