...to Information Security Unit 3 Discussion 1 1. For this company I would say that the 12 computers that they have should have passwords on all the computers. The reason why I say this is because the only people who should have access to these computers are the people who have the password or know the password. That is why this is the best protection for this construction company. This construction company will have role-based access controls. This means the users that they have on site will have special groups based on the access they require for the company. 2. For this company, since they all contact one another with smart phones and have 12 computers, each and every one of these users should have an identification number, as in a PIN, for each and every one of them; that way they can all be identified. In this company they are required to have rule-based access controls. The reason why I require this for this company is because each user is going to have access to a phone and computer, which requires each and every one of them to have a PIN in order for them to access their devices. That is why this access control is so important on these devices, because if they don’t know their PIN then they will not be able to gain access. 3. For this company I would recommend that they use fingerprint technology for all these servers and employees. The reason why I say this is because for one thing there are too many employees to keep track of. So if each and every...
Words: 624 - Pages: 3
...Discretionary Access Control – For Shovels and Shingles I would use Discretionary Access Controls. This way certain user groups have certain access. Considering there are only 12 clients, I would assume the employee base is small and only 2-3 groups would be required with different access levels. 2. Rule Based Access Control – Due to the small client base and the fact that most users would most likely be sharing information in a small advertising company, I would go with Rule Based. This way there are certain files that everyone can access and ones that can’t be accessed. It allows for a personal data structure while allowing some files to be shared freely. 3. Non-Discretionary Access Control – Due to the company being larger and associated with IT, I would go with the non-discretionary controls. This way the employees will only have access to what is dictated to them by the administrators. This is especially recommended because there are employees traveling and using the network from the outside. All control for the network should be done administratively. 4. Role-Based Access Controls – For Backordered Parts defense contractor I would recommend Role-Based access controls. As there are many facets to a design and building company, there will be many access levels and areas that should only be accessed by certain personnel. Using this role-based control will allow all users to only see what they need to see, and not see what they don’t need to see, as pertaining to their role in the...
Words: 321 - Pages: 2
...Discuss Role Based Access Control in adequate detail. In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can implement mandatory access control (MAC) or discretionary access control (DAC). Design: Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department. Three primary rules are defined for RBAC: 1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role. 2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. 3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role. With rules...
Words: 422 - Pages: 2
...enterprise business. However, an unfortunate reality exists because Riordan’s existing security policies are either nonexistent or inadequate at best for an organization of this size. Consequently, Riordan should seriously consider implementing better security throughout the entire enterprise by defining and creating a Separation of Duties (SoD). In fact, many organizations including the Department of Defense use SoD to decrease security vulnerabilities and discourage collusion by employees for a number of reasons (Gligor, 1998). Therefore, Smith Systems Consulting provides the recommendations and reasoning herein to encourage Riordan to adopt the concepts of Role-Based Access Control (RBAC) to create a SoD throughout the enterprise to reduce risk exposure and enhance Riordan’s enterprise security. Role-Based Access Control Since 2010, research by the National Institute of Standards (NIST) provides indisputable evidence that RBAC has become an increasingly common choice of enterprises with 500 or more employees (National Institute of Standards and Technology, n.d.). As a result, even though Riordan’s users do not total 500 at this time, Smith Systems Consulting recognizes that Riordan’s rapid growth justifies changes before attempts to establish adequate enterprise security become an overwhelming task. However, before initiating changes to enterprise security policies, Riordan’s management and information technology (IT) staff...
Words: 1129 - Pages: 5
...Discussion 1: Access Control Models Scenario 1: (DAC) Discretionary Access Control. Being that the business is small and not in need of higher security measures, it would be the easiest to maintain and monitor for a small business. Scenario 2: (MAC) Mandatory Access Control. The employees primarily communicate using smartphones, which poses a possible security risk. MAC is stronger than DAC but still easily monitored for a small business, which makes this the top choice for Top Ads. Scenario 3: (RBAC) Role Based Access Control. With the company being as large as it is and the employees traveling and/or working from home, the roles set by a Security Administrator would be the most secure and efficient way of providing different levels of clearance to individual users. It would take time to start from nothing, but once the security measures are in place it would be easy to monitor and to manage. Scenario 4: Content-Dependent Access Control. Since everything that the company does depends on the individual material being manufactured, the above Access Control type should be apparent. Giving permissions by what is contained in each individual file is more costly but a lot more secure. It also allows the company to monitor the data sent less, as each document is given its own set of roles. Scenario 5: (RBAC) Role Based Access Control. With RBAC in place the security measures would be assigned to each user and monitored by the security administrator(s). Using this Access control method...
Words: 295 - Pages: 2
...organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department. Three primary rules are defined for RBAC: 1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role. 2. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. 3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized. Additional constraints may be applied as well, and roles can be combined in a hierarchy where higher-level roles subsume permissions owned by sub-roles. With the concepts of role hierarchy and constraints, one can control RBAC to create or simulate lattice-based access control...
Words: 453 - Pages: 2
...someone else. Risk transference 5. _____ combines attempts to minimize the probability and impact of risk. Risk mitigation 6. The three main threat categories are information confidentiality, _____, and availability. Integrity 7. Even non-sensitive data should be kept under some level of access control. True 8. Any system or data resource that, if it were lost, stolen, damaged, altered, or publicly divulged, would cause a significant negative impact to the organization should be considered _____. Sensitive 9. Which of the following is an access control system in which rights are assigned by the owner of the resource? Discretionary access control 10. Which of the following is an access control system in which rights are assigned based on a user's role rather than his or her identity? Role-based access control 11. Which of the following is an access control system in which rights are assigned by a central authority? Mandatory access control 12. The principle of separation of responsibility requires a minimum of how many conditions to be met before access is granted? 2 13. Least user access implements what access control requirement? Users should commonly log into workstations under limited user accounts, unless they are performing administrative functions. 14. The three basic levels of need for information are existence of information, view partial information, and _____. View full...
Words: 282 - Pages: 2
...Scenario 1: (DAC) Discretionary Access Control. Being that the business is small and not in need of higher security measures, it would be the easiest to maintain and monitor for a small business. Scenario 2: (MAC) Mandatory Access Control. The employees primarily communicate using smartphones, which poses a possible security risk. MAC is stronger than DAC but still easily monitored for a small business, which makes this the top choice for Top Ads. Scenario 3: (RBAC) Role Based Access Control. With the company being as large as it is and the employees traveling and/or working from home, the roles set by a Security Administrator would be the most secure and efficient way of providing different levels of clearance to individual users. It would take time to start from nothing, but once the security measures are in place it would be easy to monitor and to manage. Scenario 4: Content-Dependent Access Control. Since everything that the company does depends on the individual material being manufactured, the above Access Control type should be apparent. Giving permissions by what is contained in each individual file is more costly but a lot more secure. It also allows the company to monitor the data sent less, as each document is given its own set of roles. Scenario 5: (RBAC) Role Based Access Control. With RBAC in place the security measures would be assigned to each user and monitored by the security administrator(s). Using this Access control method would allow for high-grade...
Words: 288 - Pages: 2
...classification, encryption, security, protocols, and the use of mobile devices. The implementation of access controls in your WLAN will assist in making your environment a little more secure than without. Utilization of the Acceptable Use Policy (AUP) will instruct staff members and students on how to utilize the WLAN correctly by law, policies, and standards. Any individual that is not compliant will be subject to disciplinary measures by the school district. Staff members will use Role-Based Access Control (RBAC); this control will assign user rights based on the user’s job specification within the school. As for the student body, students will be issued temporary usernames and passwords that will be reissued quarterly. Students will have minimum accessibility to files, folders, and services. All accounts are subject to being audited at any given moment. There will always be risk involved with any network. Deploying a WLAN in a school environment will always be a security concern. The protection of data will be vital to the security of the WLAN structure. The school must adhere to any and all laws (state and federal), regulations and policies to avoid all fines, loss of data and the potential of being shut down. The infrastructure must contain dual firewalls, ACLs and encryption to provide that extra security to ensure data safety. Remote access and VPN access will only be granted by the CIO to...
Words: 499 - Pages: 2
...at different times. The hashes are compared to each other to verify that integrity has been maintained. IPSec 1) Set of protocols developed to support the secure exchange of packets in IPv4 and IPv6 2) Operates at a low level in the OSI model (Layer 3) 3) Transparent security protocol for applications, users, and software OSI Model 7. Application 6. Presentation 5. Session 4. Transport 3. Network 2. Data 1. Physical OSI Model Layer 3 - Network Handles the logical addressing and routing of traffic. First layer implemented within the software being used, specifically the OS. White-hat hacker: security experts paid to find security holes in a system. Black-hat hacker: takes advantage of security vulnerabilities to gain unlawful access to private networks for personal gain. Gray-hat hackers: Hackers in this class are “rehabilitated” hackers or those who once were on the “dark side" but are now reformed. For obvious reasons, not all people will trust a gray-hat hacker. Ex: Kevin Mitnick. Script kiddie: An amateur hacker who lacks sophisticated computer skills. These are usually teenagers that don't write programs to hack into computer systems, but instead use tools made by skilled hackers that let them wreak the same havoc as professional hackers. Ethical hacking – Move security forward, find flaws with the intent of fixing – Use skills for defensive, preventive purposes – Promote proactive security: test before incidents happen, instead of fixing stuff afterwards...
Words: 1515 - Pages: 7
...detail what is involved with “Access Controls”. Access Controls are methods used to restrict and allow access to certain things such as: cars, homes, computers, and cell phones. In many of our everyday items that we access, there are security features that we sometimes need to program ourselves, or are already programmed from the factory. It is a sequence that we have become familiar with since some of these items are considered valuable. Thus, security measures are needed in order to help protect them from malicious thievery or harmful conduct. Growing up, I learned at a very young age that I should always lock up my bicycle when I would go to the store or at a friend’s house. I learned this the hard way as I had my bicycle stolen while I went to the store to get a loaf of bread and left the bicycle unchained and unlocked outside. When I left the store, I found my bicycle gone. So when I saved up enough allowance to get a lock and chain, I never had my bicycle stolen again. The book goes into much formal detail about Access Control and specifies formal models which relate to the computer world more directly. Discretionary Access Control (DAC), Mandatory Access Control (MAC), Non-discretionary access control, and Rule-based access control are basic rules or guidelines to follow when discussing the formal models of Access Control. Permission levels such as User-based, Job-based or Rule-based Access Control (RBAC), Project-based, and Task-based are explained to indicate a person’s...
Words: 304 - Pages: 2
...evaluated and are considered part of the enterprise security policy. The review of the current information technology security policy was conducted based on the idea of improvement with respect to current technology trends and best practices. An evaluation of the enterprise infrastructure as a whole, as it pertains to information technology security, was also conducted. These evaluations were the starting point for Smith Systems Consulting to design a security strategy to best fit Riordan Manufacturing. The existing security policy consists of location-based data access to on-site servers and on-site access to Unix servers for ERP and MRP systems. Also, it was evident that there are a number of servers and data to be accessed from different operating systems that are deployed throughout the locations. The management of the existing security strategy is one that requires each individual to be assigned access permissions manually throughout their term of employment. This strategy is commonplace in the industry, but requires the IT staff to manage each user individually. Therefore, the results of our evaluation were positive with respect to overall security, but management of user access is costly and time consuming. With these results in mind, we propose a security policy based on Role Based Access Controls (RBAC). Role Based Access Controls allow companies to...
Words: 304 - Pages: 2
...that have internet access. Discretionary Access Controls should be used in this scenario because the company is small and not in need of a high security environment. This solution is the simplest to maintain and monitor for a small business. 2. Top Ads is a small advertising company consisting of 12 computers that have internet access. All employees communicate using smart phones. Mandatory Access Controls should be used in this scenario because the employees primarily communicate using smart phones, which opens up a security risk. Mandatory Access Controls are a step up in strength from Discretionary Access Controls, but are still relatively simple to monitor for a small business. 3. NetSecIT is a multinational IT services company consisting of 120,000 computers that have internet access and 45,000 servers. All employees communicate using smart phones and e-mail. Many employees work from home and travel extensively. Role Based Access Control should be used in this scenario because this is a large company with employees who travel and work from home. The roles should be controlled by a Security Administrator who could provide different levels of security to individual users. There would be some overhead in startup to get up and running, but once in place this should be easy to manage. 4. Backordered Parts is a defense contractor that builds communication parts for the military. All employees communicate using smart phones and e-mail. Content-Dependent Access Controls should be used...
Words: 407 - Pages: 2
...Raymond Tello NT2580 4/2/2013 Access Control Models 1. Shovels and Shingles is a small construction company consisting of 12 computers that have internet access. They would need Rule-based access control so they can only go on what they are allowed to access. 2. Top Ads is a small advertising company consisting of 12 computers that have internet access. All employees communicate using smartphones. They would need Rule-based access control and content-dependent access controls for the fact that they access what they are allowed to access and what content they can access. 3. NetSecIT is a multinational IT services company consisting of 120,000 computers that have internet access and 45,000 servers. All employees communicate using smartphones and email. Many employees work from home and travel extensively. They will need Discretionary, mandatory, role-based, rule-based, content-dependent, and nondiscretionary access controls; they are a large company and will need someone to be in charge of each control because not everyone has the same access. 4. Backordered Parts is a defense contractor that builds communications parts for the military. All employees communicate using smartphones and email. They would need Discretionary, content-dependent and rule-based access control; they have a group of people who contain sensitive data that need to be controlled. Their communication parts need to be safe. 5. Confidential Services Inc is...
Words: 299 - Pages: 2
...Unit 3 Access Control Models 1. Shovels and Shingles is a small construction company consisting of 12 computers that have internet access. I would implement rule-based access control because everyone will have access to the information on the PC and the owner of the company can assign the role to each employee. It would restrict access for everyone who logs in and attempts to perform a job. 2. Top Ads is a small advertising company consisting of 12 computers that have internet access. All employees communicate using smart phones. I would implement Role based access control because permission to enter a system is kept by the owner; it cannot be given to anyone else. 3. NetSecIT is a multinational IT service company consisting of 120,000 computers that have internet access and 45,000 servers. All employees communicate using smartphones and e-mail. Many employees work from home and travel extensively. I would implement nondiscretionary access control because there are many people logging in from different locations; it is important to be able to closely monitor the activities being performed on the internet and e-mail, so it is important that the main system administrator be able to grant and tightly control access to all resources. 4. Backordered Parts is a defense contractor that builds communications parts for the military. All employees communicate using smart phones and e-mail. I would implement Rule-based access control because there needs to be...
Words: 389 - Pages: 2