
Access controls can be applied in various forms, levels of restriction, and at d


Question

Access controls can be applied in various forms, levels of restriction, and at different places within a computing system. A combination of access controls can provide a system with layered defense-in-depth protection.

Instructions:

For the scenarios that follow, identify the data that would need to be protected. Recommend how you would implement one of the access controls (listed after the scenarios) for the given scenario and justify your recommendation.

Scenarios:

Built to Last is a small construction company consisting of 1 multi-purpose server and 25 networked workstations. All employees have Internet access and use email. A few employees use tablet PCs in the field.

GovPartsTrains is a mid-size defense contractor that builds communications parts for the military. The company has 15 servers and 250 workstations. All employees must have security clearances, and they communicate mainly using BlackBerry devices and email.

Geeks-R-Us is a multinational IT services company consisting of 120,000 computers that have Internet access and 45,000 servers. All employees communicate using smartphones, tablet PCs, laptops, and email. Many employees work from home and travel extensively.

Access Controls

Administrative controls: Policies approved by management and passed down to staff, such as policies on password length.

Logical/technical controls: Control access to a computer system or network, such as a username and password combination.

Hardware controls: Equipment that checks and validates IDs, such as a smart card or security token for multifactor authentication.

Software controls: Controls embedded in operating system and application software, such as NTFS permissions.

Physical controls: Control entry into buildings, parking lots, and protected areas, such as a lock on an office door.

Explanation / Answer

Scenario - 1 Built to Last

There is one server and 25 networked workstations. The asset we want to protect here the most is our server.

The reason the server is the most important commodity is that there is only one server, and for this reason the data flow of the whole company has to pass through the only server the company owns. If the server is physically damaged or stolen, then the whole workflow of the company will be disrupted and all the information will be leaked, which can be used against the company itself.

The access control which would be preferable is physical control. The reason for using the physical control is that to tamper with the server itself it is always necessary to make physical contact with the server, for example inserting a foreign hard drive or optical drive, or removing some key parts from the server. Restricting access to the server itself protects it the most, and thus the server room can be locked and access should be given to a limited number of trustworthy people only.

Scenario - 2 GovPartsTrains

GovPartsTrains is a big organisation and thus it owns 15 servers and 250 workstations. As the organisation gets bigger it becomes hard to secure it, and thus that becomes a vulnerability. Here this vulnerability is present on each of the workstations, and this can be exploited to gain information and data by a foreign organization.

Even though the workstations will be password protected, it is nowadays very easy to crack them open, and thus Access Control Hardware Controls should be implemented. Each employee can use their ID card to unlock the workstation to resume working on it. This ensures that remote access to that workstation is restricted and thus makes a secure environment. Even if the intruder gains access to the workstation, he will not be able to exploit anything because the system itself will refuse to start without a physical ID card, and thus security can be ensured.

Scenario - 3 Geeks-R-Us

Now this organisation is a multinational company and thus it will have many servers and workstations overseas. Employees communicate using smartphones, tablet PCs, laptops, and email. They even work from home and during travels. For any organisation it will be impossible to secure various devices for a single employee, and thus security here will be very weak. Each employee's ID will have certain privileged access to some controls. The higher the post of that person, the higher the controls he will be able to access, and thus his or her login details are very crucial.

Here the Access Control Logical/Technical Controls will be used. The reason behind this is that if someone gains access to any of the devices the employee uses to gain access to his computer system or his network, not only will he be able to steal an insanely huge amount of data, but he can also tamper with the system and thus inflict damage on the whole system, which can even result in an incomparable amount of losses that the company may suffer. Restricting the network by a password can safeguard the company from any intrusion.