IAM Material - Midsem

Contents

Chapter 1 Introduction
  Access and Access Control
  What is Access and Access Control?
  What is Identity Management?
  Principal Components of Access Control
  Access Control Systems
  Access Control Subjects
  The 3 A's: Authentication, Authorization, and Accounting
  Access Control Process
  Identification
  Authentication
  Authorization
  Logical Access Controls
  Logical Access Controls for Subjects
  Authentication Factors
  Biometric Authentication
  Ownership-Based Authentication
Chapter 2 Business Drivers for Access Controls
  Why do we need Policy for Access Controls?
  Senior Management Role
  Classification of Information
  Classification Schemes
  National Security Classification
  Corporations
  Reasons for Classification
  Declassification Process and Policy
  Personally Identifiable Information (PII)
  Privacy Controls Catalog
  Competitive Use of Information
  Valuation of Information
  Information as a Competitive Advantage
  Penalties for Improper Disclosure
  The Business Drivers for Access Control
  Cost-Benefit Analysis
  Advantage Gained
  Risk Avoided
  Business Facilitation
  Access Levels
  Restricting Access
  Cost Containment
  Operational Efficiency
  IT Risk Management
  Full Asset Inventory
  Vulnerability Assessment
  Threat Assessment
  Mitigation Plans
  Risk-Assessment Policies
  Controlling Access and Protecting Value
  Internal vs. External Access Controls
  Internal Access Controls
  External Access Controls
  Access Controls with Respect to:
    1. Contractors
Chapter 3 Human Nature and Organizational Behavior
  Social Engineering
  The Unintentional Threat
  Hackers and Motivation
  Pre-Employment Background Checks for Sensitive Positions
  What Information Can Be Considered in an Employment Decision
  Applicant's Rights
  Ongoing Observation of Personnel
  Identify Potentially Disgruntled Employees
  The Proper Way to Terminate Access on Termination of Employment
  Job Rotation and Position Sensitivity
  Separation of Duties (SoD) and Two-Person Control
  Two-Person Control
  Responsibilities of Access Owners
  Ethics in IAM
  Handling Human Nature and Organizational Behavior
Chapter 1 Introduction
ORGANIZATIONS RELY UPON ACCESS CONTROLS to grant and restrict user access
to information, systems, and other resources. Access control systems, when properly designed,
implement business rules and often direct implementations of policy in such a manner that
Individuals have access to the information and resources needed to perform their responsibilities
but no more.

The consequences of weak or nonexistent access controls range from inconvenient to downright
disastrous, depending on the nature of the resources being protected. For the average user, it may
be a personal invasion of privacy to have someone else reading your email. On the other
hand, without strong access controls, companies could lose billions of dollars when disgruntled
employees bring down mission-critical systems. Identity theft is a major concern in modern life
because so much of our private information is stored in accessible databases. The only way that
information can be both useful and safe is through solid access controls.

Access and Access Control


In an ideal world, you wouldn't need to control access to what's important to you or of value;
you wouldn't even need to lock your doors. Unfortunately, that's not reality, at home or in the
business world. In the real world, and especially in business, there is a need to protect precious
data, systems, network bandwidth, and other assets from a variety of threats. This chapter will
help you understand how to lock your virtual doors and secure your information assets from
unauthorized access, modification, and disruption.

What is Access and Access Control?


Fundamentally, access refers to the ability of a subject and an object to interact. That interaction
is the basis of everything we do in the information technology (IT) field and life in general.
Access can be defined in terms of social rules, physical barriers, or informational restrictions.

Access control is the formalization of those rules for allowing or denying access. Access controls
define the allowable interactions between subjects and objects, and they are based on the granting
of rights, or privileges, to a subject concerning an object.

What is Identity Management?


Identity management is the process of creating, maintaining, and revoking user accounts and
providing the mechanisms used to authenticate users. Theoretically, identity management allows
you to confirm that a person is who they claim to be (authentication), and access control allows
you to restrict his or her activities to authorized actions (authorization). In practice, the concepts
of identity management and access control are interwoven and are difficult to separate. For this
reason, many people refer to both fields as identity and access management (IAM).
Principal Components of Access Control
There are three principal components of any access control scenario:

● Policies—The rules that govern who gets access to which resources
● Subjects—The user, network, process, or application requesting access to a resource
● Objects—The resource to which the subject desires access (e.g., files, databases, printers,
and physical facilities)

Any time you have to decide whether to allow or deny access by a subject to a resource, you
have entered the access control problem domain.

Access Control Systems


A well-defined access control system consists of three elements:

● Policies—Clear statements of the business requirements regarding access to resources
● Procedures—Nontechnical methods, such as business processes and background checks,
used to enforce policies
● Tools—Technical methods, such as file system access controls and network firewalls,
used to enforce policies

Organizations typically use procedures and tools together to enforce policies. For
example, most companies have strict policies to determine who has access to
personnel records. These records contain sensitive and confidential information that
could be used to inflict serious harm on individual employees and the company as a
whole if those records were compromised. The policy may state that only employees
within the human resources department, with a specific need for the information
contained within a given record, may have access to it.

Access Control Subjects


The subject in an access control scenario is a person, process, or application
requesting access to a resource such as a network, a file system, or a printer.

There are three types of subjects when it comes to access control for a specific
resource:

● Authorized—Those who have presented authenticated credentials and have been
approved for access to the resource
● Unauthorized—Those who have presented authenticated credentials but are not
approved for access to the resource
● Unknown—Those who have not presented authenticated credentials

Every individual who initially approaches an access control system is unknown until
he or she attempts to authenticate.

The 3 A's: Authentication, Authorization, and Accounting


● Authentication—Ensuring users are who they claim to be
● Authorization—Ensuring that an authenticated user is allowed to perform
the requested action
● Accounting—Maintaining records of the actions performed by users, including
requests that were denied, so that access can be reviewed and misuse traced

Access Control Process


There are three steps to the access control process:

1. Identification—The process by which a subject identifies itself to the access
control system
2. Authentication—Verification of the subject's identity
3. Authorization—The decision to allow or deny access to an object

Identification
The first step in any access control process is identification. The system must be
able to apply labels to the two parts of the access equation: the subject and the
object.
Authentication
Authentication builds upon identification by requiring that the subject provide proof of
identity. There are many ways to authenticate a subject. The most common ones are:

● Password—A secret word or combination of characters that is known only to the
subject. A good password is difficult to guess but easy for the subject to remember.
● Token—Something the subject has that no one else does, such as a smart
card or a challenge-response device.
● Fingerprint scan—Optical analysis of a person's fingerprint compared with
a recorded sample to verify identity.

Most authentication systems require only a single authentication factor, but those
protecting highly sensitive assets might use multiple factors. The three most
common factors are:

● Something you know—Generally a password or shared secret
● Something you have—A token, smart card, or ID badge
● Something you are—Fingerprints or other biometric factors

Authorization
Once a subject has identified him- or herself and the access control system
authenticates the subject’s identity, the access control system must determine
whether the subject is authorized to access the requested resources. Authorization
is a set of rights defined for a subject and an object. They are based on the subject’s
identity.

Logical Access Controls

Most IT professionals spend their time focusing on logical access controls: the tools
used to provide identification, authentication, and authorization for computer
systems.

Logical Access Controls for Subjects

Logical access controls can be based on one or more criteria, including:

● Who—The identity of the subject, proven by a username and password
combination or another authentication technique
● What—The type of access being requested (for example, read or read-write)
● When—The time of day or day of week the request is made
● Where—The physical or logical location (such as the network address) of the
user placing the request
● How—The context of the access request

You should take each of these criteria into account when designing an
authorization system.
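The access control process above (identification, authentication, authorization, and the accounting step from the 3 A's) and the who / what / when / where criteria can be put together in a few dozen lines. The block below is an added example, not code from the study material: the user directory, passwords, policy table and network addresses are all constructed for the demonstration, and the access levels follow the no access / read / read-write scale used later in this material.

```python
"""Added example (not from the study material): identification ->
authentication -> authorization -> accounting, with the authorization policy
evaluated on who, what, when and where. Every user, password, policy and
address here is constructed for illustration."""
import hashlib
import hmac
import ipaddress
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Access levels in increasing order of privilege: no access, read, read-write.
LEVELS = {"none": 0, "read": 1, "read-write": 2}

SALT = b"constructed-salt"   # a real system stores a random salt per user


def hash_password(password: str) -> bytes:
    # PBKDF2-HMAC-SHA256 so that stolen hashes are slow to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user directory: identity -> stored password hash.
USERS: Dict[str, bytes] = {
    "hr.analyst": hash_password("correct horse battery staple"),
    "warehouse.mgr": hash_password("forklift-2024"),
}

# Constructed policy: (subject, object) -> what / when / where constraints.
POLICIES = {
    ("hr.analyst", "personnel_records"): {
        "max_level": "read-write",
        "hours": (8, 18),                          # 08:00 to 17:59 only
        "networks": ["10.0.0.0/8"],                # corporate LAN only
    },
    ("warehouse.mgr", "inventory_report"): {
        "max_level": "read",
        "hours": (0, 24),                          # any time
        "networks": ["10.0.0.0/8", "192.168.0.0/16"],
    },
}

AUDIT_LOG: List[dict] = []   # accounting: one entry per decision, allowed or not

# Sample request times, constructed for the demonstration.
WORKING_HOURS = datetime(2024, 3, 4, 10, 30)
NIGHT = datetime(2024, 3, 4, 2, 0)


def identify(username: str) -> Optional[str]:
    """Step 1: identification. An unknown name maps to no subject at all."""
    return username if username in USERS else None


def authenticate(subject: str, password: str) -> bool:
    """Step 2: authentication. compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(USERS[subject], hash_password(password))


def authorize(subject: str, obj: str, level: str, when: datetime,
              src_ip: str) -> Tuple[bool, str]:
    """Step 3: authorization. Deny by default; every criterion must hold."""
    rule = POLICIES.get((subject, obj))
    if rule is None:
        return False, "no policy for this subject and object"
    if LEVELS[level] > LEVELS[rule["max_level"]]:                    # what
        return False, f"{level} exceeds permitted level {rule['max_level']}"
    start, end = rule["hours"]
    if not start <= when.hour < end:                                 # when
        return False, "outside permitted hours"
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in ipaddress.ip_network(n) for n in rule["networks"]):  # where
        return False, "source network not permitted"
    return True, "ok"


def request_access(username: str, password: str, obj: str, level: str,
                   when: datetime, src_ip: str) -> str:
    """Runs the whole process and records the outcome (accounting).
    Returns 'unknown' (no authenticated credentials), 'unauthorized'
    (authenticated but not approved) or 'authorized', matching the three
    kinds of subject described above."""
    subject = identify(username)
    if subject is None or not authenticate(subject, password):
        outcome, reason = "unknown", "identification or authentication failed"
    else:
        ok, reason = authorize(subject, obj, level, when, src_ip)
        outcome = "authorized" if ok else "unauthorized"
    AUDIT_LOG.append({"user": username, "object": obj, "level": level,
                      "time": when.isoformat(), "ip": src_ip,
                      "outcome": outcome, "reason": reason})
    return outcome


if __name__ == "__main__":
    for args in [
        ("hr.analyst", "correct horse battery staple", "personnel_records", "read-write", WORKING_HOURS, "10.1.2.3"),
        ("hr.analyst", "correct horse battery staple", "personnel_records", "read", WORKING_HOURS, "203.0.113.9"),
        ("hr.analyst", "correct horse battery staple", "personnel_records", "read", NIGHT, "10.1.2.3"),
        ("warehouse.mgr", "forklift-2024", "inventory_report", "read-write", NIGHT, "192.168.5.5"),
        ("nobody", "guess", "inventory_report", "read", WORKING_HOURS, "10.1.2.3"),
    ]:
        print(request_access(*args), "-", AUDIT_LOG[-1]["reason"])
```

Note that the audit log records denied requests as well as granted ones; a log that only shows successes is useless for spotting a password-guessing campaign or an employee probing records outside their role.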

Authentication Factors

As described earlier in the chapter, an authentication factor is a way of
confirming the identity of the subject. The three primary authentication factors are:

● Something you know—Secret knowledge, such as a password
● Something you have—A token or device
● Something you are—Unique physical characteristics of a person, such as
those that can be detected by a retinal or iris scan, fingerprint scan, or voice
analysis

For access to highly sensitive data, you might combine the first two factors,
requiring a token just to reach the login screen, where the user then enters his or
her username and password. The most sensitive data are protected by all three
factors. Two proofs of the same kind (two passwords, say) do not make
multi-factor authentication; the strength comes from an attacker having to defeat
two different kinds of proof.

Biometric Authentication:

Biometric authentication is a security method that relies on unique physical or
behavioral characteristics of an individual to verify their identity. This
authentication approach is based on the idea that every person possesses
distinctive traits that can be measured and used for identification purposes. Here
are some common biometric authentication methods:

● Fingerprint Recognition: This method involves scanning and analyzing the
unique patterns and ridges of a person's fingerprints. Fingerprint scanners
are commonly found on smartphones and laptops for unlocking and
authentication.
● Iris Recognition: Iris recognition uses the unique patterns in the colored
part of the eye (iris) to verify a person's identity. It is considered highly
accurate and is often used in high-security applications.
● Face Recognition: Face recognition technology analyzes a person's facial
features, such as the distance between the eyes, nose shape, and more, to
identify them. Facial recognition is commonly used for unlocking
smartphones and for surveillance purposes.
● Voice Recognition: Voice biometrics analyze the unique characteristics of a
person's voice, such as pitch, tone, and speech patterns, to verify their
identity. It is used in applications like phone-based authentication.
● Retina Recognition: Retina scanning involves capturing an image of the
blood vessel patterns in the back of the eye to verify identity. It is highly
accurate but less commonly used due to the need for specialized
equipment.

Biometric authentication is considered highly secure because it is difficult to forge
or share biometric traits. However, there are privacy concerns associated with the
storage and use of biometric data, which is sensitive information if not properly
protected. Unlike a password, a biometric trait cannot be changed once it has been
copied, so stored templates need at least the protection given to passwords, and
biometrics are best used as one factor alongside another rather than on their own.

Ownership-Based Authentication:
Ownership-based authentication is a security approach that focuses on confirming
an individual's possession of a specific device or object as a means of
authentication. This method is particularly relevant in the context of Internet of
Things (IoT) devices, which may need to verify that a person has physical
possession of a device before granting access or control.

Here is how ownership-based authentication works:

● Device Ownership Confirmation: The system or service checks whether the
user has physical access to a particular device or object. This can be done
through various means, such as a physical key, NFC (Near Field
Communication) interaction, or Bluetooth pairing.
● Token-Based Verification: Ownership-based authentication often relies on
tokens or keys that are associated with a specific device. These tokens can
be physical, like a smart card, or virtual, like a mobile app or digital
certificate.
● Proximity Authentication: Some ownership-based authentication methods use
proximity as a factor. For example, a mobile device may automatically unlock
when it is in close proximity to a paired wearable device or when it detects the
user's smartphone via Bluetooth.
● Secure Element: In some cases, ownership is verified through the presence of
a secure element, which is a tamper-resistant hardware component within a
device that stores cryptographic keys and ensures secure authentication.

Ownership-based authentication adds an extra layer of security by confirming not
only the user's identity but also their possession of a specific device or token. This
can be particularly useful in scenarios where physical access to a device or object
is critical for security, such as unlocking a car, accessing a secure facility, or
controlling IoT devices in a smart home.
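The way a token, paired phone or secure element actually proves possession is a challenge-response exchange: the verifier sends a fresh random nonce, the device answers with a value only its key can produce, and the verifier checks it. The block below is an added example, not code from the study material. It uses a symmetric HMAC key so that it runs with the standard library alone; a real secure element holds a private key and the verifier keeps only the public key, which is the reason it is safe for the car or door controller to be compromised without the fob being cloneable. Device names, keys and clock values are constructed.

```python
"""Added example (not from the study material): a device proves ownership by
answering a one-time challenge with a key that never leaves it. Symmetric
HMAC stands in for the secure element's private key; names, keys and clock
values are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

CHALLENGE_TTL = 30.0   # seconds a challenge stays valid


def proof_message(device_id: str, nonce: bytes) -> bytes:
    # Bind the answer to the device and to this purpose so a response cannot
    # be replayed for another device or reused in another protocol.
    return b"ownership-proof|" + device_id.encode() + b"|" + nonce


class Device:
    """Stands in for the tamper-resistant element: the key is only ever used here."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, proof_message(self.device_id, nonce), hashlib.sha256).digest()


class Verifier:
    """The service (car, door controller, IoT hub) that issues and checks challenges."""

    def __init__(self):
        self.keys: Dict[str, bytes] = {}                     # device_id -> enrolled key
        self.pending: Dict[bytes, Tuple[str, float]] = {}    # nonce -> (device_id, issued_at)

    def enroll(self, device_id: str, key: bytes) -> None:
        self.keys[device_id] = key

    def challenge(self, device_id: str, now: float) -> bytes:
        nonce = os.urandom(16)               # fresh and unpredictable per attempt
        self.pending[nonce] = (device_id, now)
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes, now: float) -> bool:
        entry = self.pending.pop(nonce, None)   # single use: a replayed nonce is gone
        if entry is None or entry[0] != device_id:
            return False
        if now - entry[1] > CHALLENGE_TTL:       # stale challenge
            return False
        key = self.keys.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, proof_message(device_id, nonce), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def prove_ownership(verifier: Verifier, device: Device, now: float) -> bool:
    """One full round trip: challenge -> device answers -> verifier checks."""
    nonce = verifier.challenge(device.device_id, now)
    return verifier.verify(device.device_id, nonce, device.respond(nonce), now)


if __name__ == "__main__":
    key = os.urandom(32)
    car = Verifier()
    car.enroll("car-key-01", key)
    genuine = Device("car-key-01", key)
    cloned = Device("car-key-01", os.urandom(32))   # right identity, wrong key
    print(prove_ownership(car, genuine, now=100.0))  # True
    print(prove_ownership(car, cloned, now=100.0))   # False
```

Three properties carry the security here: the nonce is random and single-use (a recorded exchange cannot be replayed), the challenge expires (a relay attack has a short window), and the response is bound to the device identity (a valid answer from one fob is useless for another).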
Chapter 2 Business Drivers for Access Controls

Why do we need Policy for Access Controls?


Firms seeking to preserve their competitive advantage must control access to information to ensure
their ongoing survival. Protecting confidential information involves more than just technical
controls; developing and implementing policies and processes can protect an organization
against security incidents.

For example, firms may use technical measures such as a radio-frequency identification
(RFID)-enabled badge reader, combined with administrative measures, such as training employees
to scrutinize the identity badges of people they don't recognize. A policy cannot prevent an
information leak if employees regularly hold the lab doors open and allow each other to enter
without swiping their ID badge, a threat known as piggybacking (or tailgating).

Senior Management Role


As with any policy-based initiative, access control policies will be effective only if
they have the explicit and implicit support of senior executives. When organizations
first issue access control policies, they should consider asking a very senior
executive to send the message communicating the policy. This is especially
important if the policy requires employees to engage in unpopular or inconvenient
behaviors. Similarly, senior managers must serve as models of policy adherence.

Classification of Information
Information classification assigns information to different categories based on its
sensitivity. Both nations and many major corporations have sensitive information
that gets classified, limiting its availability both within the organization and to the
outside world.

Classification Schemes
A classification scheme is a method of organizing sensitive information into
various access levels. Only a person with the approved level of access is allowed to
view the information. This access is called clearance. Every organization has its
own method of determining clearance levels. The methods usually include a
background check, interviews, and a determination of the user’s need for the
information. Most nations and many corporations have classification schemes set up
to handle the organization and access of sensitive information.
National Security Classification
The U.S. government classifies sensitive information into four main categories based on
the degree of damage that would occur to national security if the information were
disclosed in an unauthorized manner. Individuals cleared for a particular
classification level may access information at that level and below, provided that
they have a specific need to know the particular information in question. The four
classification levels are:

● Unclassified—Information that has not been assigned a sensitivity level under
the national security classification scheme. Generally speaking, unclassified
information is subject to public release under the Freedom of Information Act
(FOIA). Under certain circumstances, government agencies may designate
unclassified information as Controlled Unclassified Information (CUI), which
must be safeguarded and shared only under the controls that the relevant law,
regulation, or government-wide policy prescribes. Whether a given CUI record
is withheld under FOIA is decided by the FOIA exemptions themselves, not by
the CUI marking.
● Confidential—Information that, if disclosed, could reasonably be expected
to cause damage to national security.
● Secret—Information that, if disclosed, could reasonably be expected to
cause serious damage to national security.
● Top Secret—Information that, if disclosed, could reasonably be expected to
cause exceptionally grave damage to national security.

Information may change classification at any time, as circumstances warrant.
Information that may have been deemed Confidential in 1992 may be considered
Secret or even Top Secret today. Likewise, information that was Top Secret in
1939 may no longer be sensitive enough to be classified at all.

Corporations
The classification schemes used by private organizations vary widely but often share
some elements with the government scheme. One commonly used approach to
corporate classification has the following classification levels:

● Public—Information that the company freely releases to the public. This
category would include information that is published on the organization's
website or distributed in sales materials.
● Internal—Information that is not normally released to the general public
but may be disclosed without damaging the company. This may include
information about product road maps or pricing that is released to
customers but not widely published.
● Sensitive—Information that, if disclosed, could cause serious damage to
the firm. This may include new product development plans or internal
marketing strategies. Sensitive information is often not released outside the
company except under the terms of a formal nondisclosure agreement
(NDA).
● Highly sensitive—Information that, if disclosed, would be extremely
damaging to the company. This may include customer Social Security
numbers, credit card numbers, or other very sensitive information. Highly
sensitive information is often encrypted at all times and requires special
permission to access.
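Both schemes above are ordered lists of levels, and the national scheme adds a second condition, need to know. As an added example (not code from the study material), the block below implements that rule: a subject may read an object when its clearance is at least the object's level in the scheme in use and it holds every compartment the object is marked with. The level lists reproduce the two schemes on this page; the compartment names and sample documents are constructed.

```python
"""Added example (not from the study material): clearance vs. classification
with need-to-know compartments. Level lists follow the schemes on this page;
compartments and documents are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence

NATIONAL_LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
CORPORATE_LEVELS = ["Public", "Internal", "Sensitive", "Highly sensitive"]


@dataclass(frozen=True)
class Label:
    """A sensitivity level plus the compartments (need-to-know categories) attached to it."""
    level: str
    compartments: FrozenSet[str] = frozenset()


def dominates(clearance: Label, classification: Label, levels: Sequence[str]) -> bool:
    """True when `clearance` is at least as high as `classification` in the
    ordered scheme `levels` AND covers every one of its compartments."""
    if clearance.level not in levels or classification.level not in levels:
        raise ValueError("level not defined in this scheme")
    high_enough = levels.index(clearance.level) >= levels.index(classification.level)
    need_to_know = classification.compartments <= clearance.compartments
    return high_enough and need_to_know


def can_read(clearance: Label, document: Label, levels: Sequence[str]) -> bool:
    return dominates(clearance, document, levels)


def readable_documents(clearance: Label, documents: Dict[str, Label],
                       levels: Sequence[str]) -> List[str]:
    """Names of the documents this subject may see, in a stable order."""
    return sorted(name for name, label in documents.items()
                  if can_read(clearance, label, levels))


# Constructed sample documents under the national scheme.
DOCUMENTS = {
    "press_release": Label("Unclassified"),
    "budget_memo": Label("Confidential"),
    "ops_plan": Label("Secret", frozenset({"NATO"})),
    "source_list": Label("Top Secret", frozenset({"HUMINT"})),
}


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"NATO"}))
    print(readable_documents(analyst, DOCUMENTS, NATIONAL_LEVELS))
    # ['budget_memo', 'ops_plan', 'press_release']
    director = Label("Top Secret")   # highest level, but no compartments
    print(readable_documents(director, DOCUMENTS, NATIONAL_LEVELS))
    # ['budget_memo', 'press_release']
```

The second run is the point of the compartments: a Top Secret clearance with no need to know for NATO or HUMINT material sees less than a Secret-cleared analyst who holds the NATO compartment. Level alone is not authorization.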

NOTE

The RTI Act, or the Right to Information Act, is legislation enacted by the
Government of India in 2005 to promote transparency and accountability in
government operations. It empowers citizens of India to access information held
by public authorities, making the government more open and accountable to its
citizens. The RTI Act is one of the most important tools for promoting
transparency and fighting corruption in India.

Key features of the Right to Information Act include:

● Right to Information: Under this law, every citizen of India has the right to
request information from public authorities. Public authorities encompass
government departments, ministries, public sector undertakings, and any
organization that is substantially funded by the government.
● Application Process: To request information, a citizen must submit a
written application to the relevant public information officer (PIO) of the
concerned department or agency. The application can be submitted in
English, Hindi, or the official language of the state where the request is
made.
● Timeframe for Response: The RTI Act stipulates that information should
be provided to the applicant within 30 days from the date of the request. In
some cases, this period may be extended to 45 days, with the applicant
being informed about the extension and the reasons for it.
● Exceptions: While the RTI Act promotes transparency, it also recognizes
certain exemptions where information cannot be disclosed. These
exceptions include matters related to national security, personal privacy,
and certain confidential government documents.
● Fee Structure: Public authorities are allowed to charge a nominal fee for
providing information. The fee varies depending on the type of information
and the format in which it is provided. For individuals below the poverty
line, there are fee waivers available.
● Appeals: If an applicant is not satisfied with the response received from the
PIO, they can file an appeal with the relevant appellate authority, typically
within 30 days. Further appeals can be made to the Information
Commission if needed.
● Protection for Whistleblowers: The RTI Act includes provisions to protect
whistleblowers who expose corruption or wrongdoing in government
organizations. It aims to shield individuals who use the Act to expose
malpractices from retaliation.
● Transparency and Accountability: The RTI Act has been instrumental in
promoting transparency and accountability in various government
activities, including the allocation of resources, decision-making processes,
and public expenditure.

The Right to Information Act has played a crucial role in empowering citizens and
enabling them to hold the government accountable for its actions. It has been used
to uncover instances of corruption, misuse of public funds, and other irregularities,
leading to increased transparency and improved governance in India. However, the
effective implementation of the Act and the timely provision of information can
vary across different government departments and regions.


Reasons for Classification


Information is generally classified if disclosure could harm the controlling
organization. Corporations classify information to try to keep a competitive
advantage over other companies. A soup company, for example, may want to keep
its recipes as trade secrets. A company that tests the strength of materials may want
to keep its testing methodology proprietary.
Declassification Process and Policy

Declassification is the process used to move a classified document into the public
domain. Every country and organization that classifies documents has a method of
declassification. Let's look at the U.S. model as a baseline.
There are four ways a U.S. government document can become declassified:

Automatic declassification
Automatic declassification applies to records of permanent historical value once
they reach 25 years of age. Unless the department that owns the document shows,
on review, that it meets one of the strict exemption criteria, the document is
declassified and moved to the publicly accessible holdings of the National Archives.

Systematic declassification
With systematic declassification review, documents that are under 25 years old but
of significant importance to the historic record of the United States are reviewed for
early declassification. Once identified, these documents go through the same
procedures as automatically declassified documents.

Mandatory declassification review
A mandatory declassification review is initiated when an individual requests that a
specific document be declassified. After the review request has been filed, the
owning organization must respond with approval, denial, or a statement that it can
neither confirm nor deny the existence or nonexistence of the document. If the
request is denied, the requester can appeal to the Interagency Security
Classification Appeals Panel (ISCAP).

FOIA request
A FOIA request is an attempt by a member of the general public to obtain a
document. The act allows for full or partial disclosure of the document; if the
owning organization refuses the request, the decision can be appealed, ultimately
through judicial review.
Personally identifiable information (PII)
Information which can be used to distinguish or trace an individual's identity, such
as their name, social security number, or biometric records, either alone or when
combined with other personal or identifying information that is linked or linkable
to a specific individual, such as date and place of birth or mother's maiden name.

PII is usually sensitive information for a corporation and must be safeguarded. It
is also information that is targeted for theft, as it is the key to identity theft.

Protection of this information is mandated by numerous federal and state laws, and
any security breach must be disclosed in a timely manner. It is especially tightly
controlled in the healthcare and financial industries.

Privacy Controls Catalog


The following control families (the privacy control families of NIST SP 800-53
Appendix J) frame the questions an organization should ask about the PII it holds:

● Authority and Purpose: Does the organization have the authority to collect PII,
and is the purpose for that collection clearly stated?
● Accountability, Audit, and Risk Management: Has the organization implemented
privacy governance, detailed privacy requirements, and created the support
structures to ensure that employees are properly implementing the privacy program?
● Data Quality and Integrity: Is the organization taking appropriate steps to ensure
the quality and integrity of the PII that it collects and maintains?
● Data Minimization and Retention: Is the organization retaining only the
minimum amount of information necessary to carry out the stated purpose, and are
data promptly and properly destroyed when no longer necessary?

Competitive Use of Information


Obtaining information about a competitor or its products can give an organization a
significant competitive advantage, if it is used strategically. For example, if a firm
obtained surreptitious access to a competitor's customer list, it could use that list
to try to lure away the competitor's customers. If that list included details about a
customer's contractual relationship, the firm could use that information to
craft an irresistible offer that would increase the likelihood of closing the deal.
That is why it is vital to keep information like formulas and recipes
secret, ensuring customers can get the information from only one source.

Valuation of Information
The value of information depends on both its strategic and tactical importance to
the organization and the impact on the organization’s business if that information
were disclosed, changed, or destroyed without permission. Some information, such
as federally protected health information, if improperly disclosed, can cost an
organization millions of dollars in fines, and even lead to prison sentences for those
responsible for the disclosure.

Information as a Competitive Advantage


Information provides almost every organization with its competitive advantage.
From financial firms with proprietary trading strategies to e-commerce behemoths
with confidential models of consumer behavior, information provides the key
ingredient that allows most firms to differentiate themselves from their competitors.
Securing that information is paramount to a company’s success. Loss of that
information can lead to a company’s decrease in market share and reduced profits.

Penalties for Improper Disclosure


Refer to the link.

The Business Drivers for Access Control

Cost-Benefit Analysis
A cost-benefit analysis is essentially a pro-and-con list that helps businesses make
decisions. To decide whether a given piece of information justifies the effort and
investment of access controls, consider two factors: the advantage gained from
keeping the information secret and the risks avoided by controlling access to the
information.

Advantage Gained
One consideration of access control is that of advantage. Does a company gain an
advantage from securing its information? Could its competitors gain a similar
advantage if they had access to the information? Is the information already secret?

Risk Avoided
Another consideration of access control is risk. As you read earlier in this chapter,
there can be significant penalties for allowing sensitive information to be disclosed,
even if the disclosure is purely accidental. Every organization should know what
information it possesses and how important that information is in terms of access
control. Organizations should also be aware of negative consequences that could
arise if that information is not adequately secured.

The inventory of information assets (including intellectual property) can help you
determine what should be classified and what information is not important or
advantageous enough to warrant access control resources.

The list of threats and vulnerabilities is another guideline you can follow when deciding
what to secure. When taking this approach, you might choose to secure the most
vulnerable assets first. Bear in mind that information which can be used to obtain more
critical information deserves protection even where it would not otherwise be a top
priority: the fact that it can lead to more critical information makes it critical itself.

Business Facilitation
Information is the backbone of many business processes. In manufacturing, inventory and
order numbers determine how productive the assembly line must be in any given week. In
the financial industry, constantly changing stock prices dictate buy and sell decisions.
Controlling who has access to this information, and at what level, is critical for facilitating
the day-to-day operations of a business.

Access Levels
In terms of business facilitation, there are essentially three levels of information access: no
access, read access, and read-write access.

Restricting Access
Restricting access to information can be a way to ensure productivity in business
processes. Access restrictions to information can also be a way to ensure that a
consistent message is conveyed throughout the organization. When information has
one author—one individual with read-write access—you can easily verify that the
information is accurate and has not been changed.

Cost Containment
What would it cost a company if a given piece of information were released to the
public? This is the essential question to ask when determining whether to secure
information from a cost-containment perspective. In some cases, there may be
actual monetary fines for releasing information. A more likely scenario is that the
cost to the company would be measured in terms of a competitive advantage or lost
productivity.

The cost containment benefits of access controls must be balanced with the cost of
those restrictions. There are overhead costs involved in any effort to restrict access
to information. It does not make sense to spend large amounts of time and money
developing a customized access control system to protect information with little or
no value.

Operational Efficiency
There is such a thing as too much information, and too much of the wrong
information. The key to operational efficiency is in giving the right people the right
information, at the right time. The following factors are discussed in this section:

• The right information

• The right people

• The right time

The Right Information

If a warehouse manager comes into work on Monday morning and finds the
quarterly financial report on her desk instead of the inventory report, she cannot do
her job. She has to track down the necessary information, costing her valuable
time. The warehouse manager has no immediate need for the financial report
(although if she is vested in the company, she may be interested in the
information), so having access to the report does not increase her efficiency. The
inventory report, on the other hand, is information she has a direct need for. In IT, it
is your job to ensure that the warehouse manager has the inventory report on
Monday morning and has access to the financial report only upon request.

The Right People

If the wrong people have access to information, productivity can come to a halt. If
a customer can change the details of his or her order after it has already been
assembled, there can be a breakdown in processes and efficiencies. The same thing
can happen if too many people are brought into a decision-making process.

The Right Time


Senior management must approve the initiative before it is sent to IT for research
and before the contracts are requested from the legal department. Much time would
be wasted if someone in Sales were to send a memo directly to a manager in Legal
asking for a contract to be drawn up for a new CRM vendor. That work would have
to be redone later because requirements would inevitably change during the
requirements gathering and research phases. In the warehouse example, if the
manager has the quarterly financial report on Monday morning instead of the
inventory report, she loses efficiency because she does not have the right
information at the right time.

IT Risk Management
The risk assessment itself can be considered sensitive information. The risk
assessment report contains a number of pieces of information that could have a
devastating effect in the wrong hands:

Full Asset Inventory

The asset inventory contained within a risk assessment report should contain a list,
along with location information, of every major resource within the IT
infrastructure. That level of detail is what makes the inventory useful to defenders.
However, if an attacker learns that the company’s customer database
is located on Server A5 in the third rack on the northwest wall of Server Room 12,
the task of stealing or disabling that server is a lot easier.

Vulnerability Assessment
For a risk assessment to be useful, it must look at the weaknesses in the
infrastructure. Every system has weaknesses. They are an unavoidable fact of life.
The point of a risk assessment is to look honestly at those weaknesses and
determine how to eliminate them or minimize their impact.

Threat Assessment
A threat assessment is similar to a vulnerability assessment, with one slight
difference. While the vulnerability assessment looks at weaknesses within the
existing infrastructure, the threat assessment deals with the potential for those
weaknesses to be exploited.

Mitigation Plans
A risk assessment usually has a section that details plans to mitigate the
vulnerabilities and risks described in the previous two sections. If an attacker has
those mitigation plans, he knows how much time he has before a given attack is no
longer effective. He can also pick apart those plans, looking for new vulnerabilities
that may be introduced in the course of mitigating older vulnerabilities.

Risk-Assessment Policies
The final section of a risk-assessment report is usually a description of the
company’s policies governing how often a risk assessment should be carried out,
what methods should be used, and who should be involved. It also contains a list
of individuals who will receive a copy of the report.

Controlling Access and Protecting Value

Confidential information is the most common asset that is devalued by a failure in
access control. In this case, information is valuable only if it is hidden. If
confidential information becomes common knowledge, it ceases to hold special
value.

Internal vs. External Access Controls

Internal Access Controls
Some information is confidential internally and externally. Salary and benefit
information is a classic example of privileged information that must be
controlled internally. Certain employees have a right to salary information, while
most do not.

External Access Controls
Trade secrets and business plans are some of the information that should be secured
from external disclosure. You learned earlier in this chapter the consequences of
failing to secure that type of confidential information, but it is crucial enough to
warrant repeating it. In most cases, the cost (in time and resources) of implementing
access controls to protect confidential information is justified by the penalties for
failure to do so.

Access Controls with Respect to:

1. Contractors
When outside contractors are hired to provide products or services to an
organization, they often require information that could be considered confidential.
A good example of this is an external consultant. In many cases, external
consultants are either self-employed or employed by a consulting firm and work on
an hourly basis for the client company. They are generally highly skilled
professionals who are brought in to work on a specific project. When the project is
finished, they move on to the next client company. Some client companies hire
contractors indefinitely, so in day-to-day practice, they are just like regular
employees of the company.

2. Vendors

When a company contracts with a vendor to manage confidential information, the
client company is responsible for ensuring that the vendor has stringent access
controls in place. This is especially true in regulated industries such as health care
and finance.

A good example of this scenario is an insurance company that outsources its claims
management application to a third-party vendor. The vendor runs the application on
its servers, allowing the insurance agents to access it from any browser. This is
convenient for the agents, who can submit a claim report directly from the site of the
incident. It is also convenient for the insurance company because it no longer has to
maintain and update its own servers.

3. Other Third Parties

As business needs evolve, so do the partnerships that meet those needs. In the realm
of access control, the key thing to remember is that the owner of the confidential
information—the client company—is responsible for ensuring that it is handled
securely. If the client company fails to do due diligence and hires a third party
without investigating the third party’s access control policies, the client company
can be held partly responsible for the inevitable disclosure of confidential
information.

Chapter 3 Human Nature and Organizational Behavior
Human nature is the sum of qualities and traits shared by all humans.

Human nature affects how we interpret events, how we react to others, and the choices we
make every day. It is grounded in thousands of years of evolutionary history.

Although human nature is an important element of who we are and what we do, it
does not completely control us. We can choose to act contrary to human nature when
we believe it suits our best interests or to fulfill some deeper need. Generally, human
nature dictates that we should follow societal norms and avoid punishment, yet
some people choose to violate those norms. Some people who make these choices
feel that they have no viable alternatives, while others simply discount the
probability that they will be caught and punished.

The majority of hackers fall into this category. They are highly intelligent and
believe firmly that they are smart enough not to get caught.

Social Engineering

Social engineering is a strategy in which hackers exploit the general human
tendency to trust, cooperate, and offer help, especially to those they consider part of
their organization or peer group.

Social engineering techniques are often used to gain the information required to
conduct identity theft or defeat access control systems.

A typical social engineering strategy involves the following:

1. Assumed identity—The social engineer pretends to be someone who is
considered a “trusted” individual, with a legitimate purpose to ask
questions or request information. Commonly assumed identities are
technical support experts and company executives. Social engineers choose
these identities because the average employee is likely to cooperate with an
expert or an executive without question.
2. Believability—The social engineer is careful to inject as much truth as
possible into his or her story. Social engineers use insider jargon, names of
actual employees the victim is likely to know (but not well), and other
information. They often use a technique called pretexting where the attacker
lies about his or her own identity or intent in order to persuade the victim to
reveal sensitive information.
3. Multiple contacts—The more contact a person has with another individual
or group, the more likely the person is considered “trusted” or a part of the
group. A skilled social engineer makes one or two preliminary calls to the
victim, each time gathering a little more seemingly innocuous information.
The social engineer weaves this information into his or her story and request
for help, increasing the believability of both.
4. Request for help—Once a social engineer gains the trust of a victim, the
social engineer asks for help. Typically, he or she has a serious problem that
could be easily solved if the social engineer only had a certain piece of
information (that the victim has). Because the victim has already identified
the social engineer as one of “us,” the victim is predisposed to be helpful and
solve the fictitious problem by providing the crucial information.

The Unintentional Threat

Human beings make mistakes. When employees have access to data they don’t
need, the data is at risk of accidental deletion. Another common problem is the
employee who inadvertently shares sensitive data with someone who shouldn’t have
access to it.

Hackers and Motivation

There are two primary elements to every malicious access control story: the attacker
who seeks to break into a computer system and the resource owner who needs to
protect the confidentiality, integrity, and availability of resources against the
attacker.

There are two main keys to status in the hacker subculture:

● Esoteric knowledge of computer systems and networks

● Hacking into desirable targets

Pre-Employment Background Checks for Sensitive Positions

Hiring a new employee is a serious decision for an organization. In addition to
the significant financial investment the organization is about to make, the new
employee may have access to sensitive information during the course of his or
her duties. Organizations need to know if individuals they are about to hire can
be trusted and will not harm the company and its assets.

Employers want some assurances that information provided by applicants is true
and complete, and they want to know if an applicant has a personal history that may
conflict with the goals of the organization.

What Information Can Be Considered in an Employment Decision

A wide variety of information can be obtained through a pre-employment screening,
done either by the hiring company or by a third-party firm. Examples of
pre-employment screening information include:
● Driving records
● Credit reports
● Criminal records including arrest reports, incarceration records, and court records
● Medical records
● Bankruptcies
● Military service records
● School records
● Worker’s compensation records
● Character references
● Neighbor interviews
● References from previous employers
● Drug test results
● Sex offender listings

Applicant’s Rights

If an employer uses information obtained in a credit check to deny employment, the
employer must notify the applicant of the decision and provide the name and phone
number of the reporting agency that performed the background check. Applicants
generally have 10 days to dispute the negative information used to make the
employment decision.

Ongoing Observation of Personnel

After a hiring decision is made, and perhaps an initial probationary period expires, it
may seem unnecessary to continue to observe employees.

However, where ongoing observation is a part of standard procedure, many
organizations are able to prevent incidents of workplace violence, employee
embezzlement, and avoid other forms of risk associated with hiring employees.

Identify Potentially Disgruntled Employees

A disgruntled employee is a person who is angry or dissatisfied, usually with
some aspect of his or her employment. Disgruntled employees often believe they
have been unfairly passed over for recognition or promotion, or that they are
expected to accomplish more than is reasonable.

Some things to watch for when identifying potentially disgruntled employees are:

● Work that is consistently below average—Not bad enough to warrant
termination, but below average. This can indicate a person who does not
care about his or her work.
● A pattern of coming in late and leaving early—This can indicate a person
who simply does not want to be where he or she is.
● The loner—Someone who does not join in normal workplace socialization
may not identify with the organization.
● Displays of passive-aggressive behavior—This can denote someone who
is dissatisfied with his or her situation.

The Proper Way to Terminate Access on Termination of Employment

When an employee leaves the organization, administrators should undertake a formal
offboarding process that includes the following steps:

● Lock the terminated employee’s workstation and network accounts and back
up data prior to the termination meeting. This will prevent the employee
from causing damage after receiving notice of the termination decision.
● Lock or remove accounts on databases and file servers prior to or during the
termination meeting. Change all passwords, especially those to online
accounts that the terminated employee could access from outside the
organization, prior to the termination meeting.
● Arrange for company property to be returned. This may include a corporate
mobile phone, tablet, keys, a company car, an ID badge, a parking pass, a
laptop computer, client files, and contact lists. A terminated employee
could use these items to gain unauthorized access to facilities or data.
● Consider how the terminated employee will be allowed to retrieve personal
belongings after the termination meeting. After the meeting, the employee
should be considered a potentially hostile visitor to the facility and
appropriate physical security measures should be taken. The employee should
not be allowed to return to his or her office or another area of the facility
unescorted.
● Consider whether security should be called to escort the terminated
employee out of the building after the termination meeting.
● Change the locks on the terminated employee’s office door and change
keypad codes as needed. Lock or remove the terminated employee’s email
account. If the email account is left active, the employee could use that
account to send seemingly official emails containing sensitive information to
clients or members of the media.
● Change the terminated employee’s voicemail message and forward his or her
office phone to another employee or to a manager. Change the personal
identification number (PIN) on the voicemail system.

Job Rotation and Position Sensitivity

Job rotation is a security practice where employees are periodically moved or rotated through
different roles or positions within an organization. This practice aims to reduce the risk of fraud,
collusion, or misuse of privileges by limiting the amount of time an employee spends in a single
job role with access to sensitive information or critical systems.

Risk Mitigation: Job rotation is implemented to mitigate the risk associated with insider threats.
By periodically changing an employee's responsibilities, it becomes more challenging for them
to accumulate undue influence, gain unauthorized access, or engage in malicious activities.

Cross-Training: Job rotation can enhance the skills and knowledge of employees by exposing
them to different facets of the organization. It can lead to a more versatile and adaptable
workforce.

Compliance Requirements: In some industries, job rotation may be a regulatory requirement.
Compliance standards often mandate that individuals with access to critical systems or sensitive
data should not maintain the same position indefinitely.

Access Control: IAM systems play a crucial role in implementing job rotation. Access
permissions must be adjusted and audited as employees move between roles to ensure that they
have appropriate access based on their new responsibilities.

Position Sensitivity:

Position sensitivity is an attribute assigned to job positions within an organization to determine
the level of access to sensitive information or systems that individuals in those positions should
have. It involves classifying job roles based on the nature and degree of sensitivity associated
with the information or resources they handle.

Access Control: Position sensitivity informs the access control policies and permissions within
an IAM system. Different positions may require varying levels of access to data and systems, and
position sensitivity helps define those access levels.

Data Classification: Organizations often classify their data into categories such as public,
internal, confidential, and highly sensitive. Position sensitivity is aligned with these
classifications, ensuring that employees in sensitive roles have appropriate access to
corresponding data.

Risk Assessment: Position sensitivity is determined through a risk assessment process,
considering factors such as the potential impact of data breaches or unauthorized access in
specific roles. Roles with higher sensitivity are subject to stricter controls.

Regular Review: Position sensitivity should be regularly reviewed and updated to reflect
changes in an organization's structure, technology, or business processes. As roles evolve, so do
their sensitivity levels and associated access requirements.

Training and Awareness: Employees in sensitive positions should receive appropriate training
and awareness programs to understand their responsibilities regarding data protection and
security.

Separation of Duties (SoD) and Two-Person Control

Separation of Duties is a fundamental principle in IAM that involves distributing tasks and
privileges among different individuals or roles to prevent conflicts of interest, fraud, or errors.
The goal is to ensure that no single person or entity has excessive control or authority over a
particular process or system.

Reducing Risk: SoD helps mitigate risks associated with both intentional and unintentional
security breaches. By dividing responsibilities, it becomes more challenging for a single user to
carry out malicious actions or make mistakes that could lead to security incidents.

Access Control: IAM systems are used to enforce SoD by defining and managing user roles and
permissions. Access requests that violate SoD policies can trigger alerts or require additional
approvals.

Regular Review: SoD policies should be regularly reviewed and updated to reflect changes in
an organization's structure, processes, or technology. As roles evolve, SoD requirements may
change as well.

Two-Person Control:

Two-Person Control, also known as dual control or dual authorization, is a security practice that
requires the involvement of at least two authorized individuals to perform certain critical tasks or
access sensitive information. It is often used in high-security environments where the risk of
unauthorized access or misuse is significant.

Enhancing Security: Two-Person Control adds an extra layer of security by ensuring that no
single individual can carry out sensitive actions independently. This can include actions like
authorizing large financial transactions, accessing highly classified data, or making critical
system changes.

Reducing Insider Threats: It helps mitigate insider threats because it requires collusion
between two insiders to compromise security. This reduces the likelihood of a single rogue
employee causing significant harm.

Auditability: The involvement of two individuals creates a built-in audit trail, making it easier
to track and investigate any suspicious or unauthorized activities.

Access Management: In IAM systems, Two-Person Control can be enforced by configuring
policies that mandate multiple approvals or authorizations for specific actions or access requests.

Challenges: While effective for security, Two-Person Control can sometimes slow down critical
processes, so organizations need to balance security requirements with operational efficiency.

Separation of Duties (SoD) and Two-Person Control are essential components of IAM that
enhance security by ensuring that responsibilities are distributed and that critical actions require
the involvement of multiple authorized individuals. These practices help organizations protect
sensitive data, reduce the risk of fraud, and meet regulatory compliance requirements.
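As an added example (not from the course notes), a small Python policy check that implements the two rules described above: a role request that would combine conflicting roles is escalated and logged rather than granted, and an action under Two-Person Control needs two distinct, authorized approvers, neither of whom is the requester. The role names, the conflict pairs and the list of two-person actions are constructed for illustration.

```python
"""Separation of Duties and Two-Person Control checks.

Added example, not from the course notes. The role names, the SoD conflict
pairs and the list of two-person actions are constructed for illustration.
"""

# Constructed SoD matrix: pairs of roles that one person must never hold at once.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "vendor_payment"}),
    frozenset({"code_commit", "prod_deploy"}),
    frozenset({"claims_submit", "claims_approve"}),
}

# Constructed set of actions that need two distinct authorized approvers.
TWO_PERSON_ACTIONS = {"wire_transfer_large", "export_classified_data", "prod_config_change"}

AUDIT_LOG = []  # stand-in for the audit trail an IAM system would write


def sod_violations(current_roles, requested_role):
    """Roles the user already holds that conflict with the requested one."""
    return {r for r in current_roles if frozenset({r, requested_role}) in SOD_CONFLICTS}


def evaluate_role_request(user, current_roles, requested_role):
    """Return ("grant", []) or ("escalate", [conflicting roles]).

    A conflicting request is not silently granted or denied: it is escalated
    for additional approval and an alert is written to the audit trail.
    """
    conflicts = sorted(sod_violations(current_roles, requested_role))
    if conflicts:
        AUDIT_LOG.append(f"SoD alert: {user} holds {conflicts}, requested {requested_role}")
        return "escalate", conflicts
    AUDIT_LOG.append(f"role granted: {user} -> {requested_role}")
    return "grant", []


def authorize_action(action, requester, approvers, authorized_approvers):
    """Two-Person Control: return (ok, reason) for an action and its approvals.

    approvers is the list of people who approved, in the order they did so.
    Approval fails if the requester approves their own action, if an approver
    is not authorized, or if fewer than two distinct people approved.
    """
    if action not in TWO_PERSON_ACTIONS:
        return True, "single-approver action"
    distinct = []
    for approver in approvers:
        if approver == requester:
            return False, f"{requester} cannot approve their own {action}"
        if approver not in authorized_approvers:
            return False, f"{approver} is not an authorized approver for {action}"
        if approver not in distinct:
            distinct.append(approver)
    if len(distinct) < 2:
        return False, f"{len(distinct)} distinct approver(s) for {action}; two are required"
    AUDIT_LOG.append(f"two-person approval: {action} by {requester}, approved by {distinct[:2]}")
    return True, f"approved by {distinct[0]} and {distinct[1]}"


if __name__ == "__main__":
    print(evaluate_role_request("alice", {"vendor_create", "reader"}, "vendor_payment"))
    print(authorize_action("wire_transfer_large", "alice", ["bob", "bob"], {"bob", "carol"}))
    print(authorize_action("wire_transfer_large", "alice", ["bob", "carol"], {"bob", "carol"}))
    for entry in AUDIT_LOG:
        print(entry)
```

The same approver appearing twice counts as one person, which is the case a naive "two approvals" counter gets wrong.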

Responsibilities of Access Owners

Ultimately, it is the responsibility of the owner of sensitive systems, data, and other
resources to monitor their use and prevent abuses. A data owner should be
responsible for:

● Disclosing to users any relevant legal, regulatory, or ethical issues
surrounding the use or disclosure of the information
● Implementing a data classification system and rating the data according to
its sensitivity, confidentiality, inherent value, and other factors
● Maintaining a list of authorized users
● Implementing procedures to safeguard information from unauthorized use,
disclosure, alteration, or accidental or intentional destruction
● Developing a policy governing data retention and disposition
● Providing users with adequate training in the use and protection of the
information

Owners of other sensitive resources should have similar responsibilities to classify
their resources and safeguard them from unauthorized use or destruction.

Ethics in IAM
Ethics in IAM involves adhering to principles and values that promote fairness, transparency,
and respect for individuals' rights while managing access to information and systems. Here are
some best practices for handling ethics in IAM:

Transparency: Clearly communicate the IAM policies, procedures, and access controls to all
employees. Make sure everyone understands how access decisions are made and the
consequences of unauthorized access.

Privacy: Respect individuals' privacy rights by collecting and storing only the necessary
personal information for IAM purposes. Implement data protection measures and comply with
relevant data privacy regulations (e.g., GDPR, CCPA).

Consent: Obtain informed consent from individuals when collecting and using their personal
information for IAM purposes. Allow individuals to control their data and opt-out when possible.

Non-Discrimination: Ensure that IAM policies and practices do not discriminate against
individuals based on factors like race, gender, religion, or disability. Access decisions should be
solely based on job roles and responsibilities.

Audit Trails: Maintain detailed audit logs of access-related activities. These logs should be
protected and regularly reviewed to detect any unethical behavior or policy violations.

Handling Human Nature and Organizational Behavior:

Understanding human nature and organizational behavior is essential for effective IAM. Here are
some best practices for handling these aspects:

Training and Awareness: Provide training and awareness programs to employees to educate
them about the importance of IAM and ethical behavior in access management.

Social Engineering Awareness: Train employees to recognize and resist social engineering
attacks, which often exploit human psychology to gain unauthorized access.

Clear Policies and Guidelines: Establish clear IAM policies and guidelines that align with
organizational values. Ensure that these policies are accessible and well-communicated to all
employees.

Role-Based Access Control (RBAC): Implement RBAC to align access privileges with job
roles. This helps reduce the temptation for individuals to abuse their access rights.

Whistleblower Programs: Create mechanisms for employees to report unethical or suspicious
behavior related to IAM without fear of retaliation.

Behavioral Analytics: Use behavioral analytics tools to detect unusual access patterns that may
indicate insider threats or policy violations.
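An added example (not from the course notes) of the kind of check a behavioral analytics pass makes over audit log lines, tying together the position sensitivity and data classification section above and the offboarding steps: each access event is compared against the classification level the user's position allows, against normal working hours, and against the list of accounts that should already have been locked. The role-to-sensitivity map, resource classifications, user list and log lines are all constructed.

```python
"""Detect unusual access patterns in constructed audit log lines.

Added example, not from the course notes. The role-to-sensitivity map, the
resource classifications, the user list and the log lines are all constructed
for illustration; the checks tie position sensitivity to data classification
and flag off-hours use and activity by an offboarded account.
"""
import re
from datetime import datetime

# Data classification levels, ordered from least to most sensitive.
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "highly_sensitive": 3}

# Constructed position sensitivity: the highest classification a role may touch.
ROLE_SENSITIVITY = {"warehouse_manager": 1, "hr_analyst": 2, "cfo": 3, "contractor": 1}

# Constructed classification of each resource.
RESOURCE_CLASS = {
    "inventory/weekly": "internal",
    "hr/salaries": "confidential",
    "finance/quarterly": "highly_sensitive",
    "public/brochure": "public",
}

USER_ROLE = {"alice": "warehouse_manager", "bob": "hr_analyst", "carol": "cfo", "dan": "contractor"}
TERMINATED = {"dan"}            # accounts that offboarding should already have locked
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 counts as normal working hours

LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) resource=(?P<res>\S+)")

# Constructed audit log sample.
SAMPLE_LOG = """\
2024-03-04T09:05:00 user=alice action=read resource=inventory/weekly
2024-03-04T09:07:00 user=alice action=read resource=finance/quarterly
2024-03-04T02:13:00 user=bob action=read resource=hr/salaries
2024-03-04T10:00:00 user=carol action=read resource=finance/quarterly
2024-03-05T11:30:00 user=dan action=read resource=inventory/weekly
"""


def analyze(log_text):
    """Return a list of (user, finding, resource) tuples for events that break policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines that are not access events
        ev = m.groupdict()
        user, res = ev["user"], ev["res"]
        if user in TERMINATED:
            # Any activity from an offboarded account is a finding on its own.
            findings.append((user, "terminated-account-active", res))
            continue
        # Unknown users or resources get the most restrictive treatment.
        level = ROLE_SENSITIVITY.get(USER_ROLE.get(user), -1)
        needed = CLASSIFICATION[RESOURCE_CLASS.get(res, "highly_sensitive")]
        if needed > level:
            findings.append((user, "classification-exceeds-position", res))
        if datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
            findings.append((user, "off-hours-access", res))
    return findings


if __name__ == "__main__":
    for user, finding, res in analyze(SAMPLE_LOG):
        print(f"{finding:32} {user:8} {res}")
```

On the sample log this reports the warehouse manager reading the quarterly financial report, the HR analyst's 02:13 access, and the terminated contractor's still-active account; the CFO's access is within policy.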

Organizational Culture: Foster a culture of ethics and security within the organization.
Leadership should set a positive example, and ethical behavior should be recognized and
rewarded.

Incident Response: Have a well-defined incident response plan in place to address any breaches
or policy violations promptly and ethically.

Continuous Monitoring: Continuously monitor access activities and regularly review and update
IAM policies and practices to adapt to changes in organizational behavior and technology.
