Studynama.

com powers Engineers, Doctors, Managers & Lawyers in India by providing 'free'
resources for aspiring students of these courses as well as students in colleges.

You get FREE Lecture notes, Seminar presentations, guides, major and minor projects.
Also, discuss your career prospects and other queries with an ever-growing community.

Visit us for more FREE downloads: www.studynama.com

ALL FILES ON STUDYNAMA.COM ARE UPLOADED BY RESPECTIVE USERS WHO MAY OR MAY NOT BE THE OWNERS OF THESE FILES. FOR ANY SUGGESTIONS OR FEEDBACK, EMAIL US AT [email protected]
 CS1015 – INFORMATION SECURITY
UNIT 1 FUNDAMENTALS 9
History − What is Information Security? − Critical characteristics of information − NSTISSC
security model − Components of an information system − Securing the components −
Balancing security and access − SDLC − Security SDLC.
UNIT II SECURITY INVESTIGATION 9
Need for security − Business needs − Threats − Attacks − Legal, Ethical and professional
issues.
UNIT III SECURITY ANALYSIS 9
Risk management − Identifying and assessing risk − Assessing and controlling risk.
UNIT IV LOGICAL DESIGN 9
Blueprint for security − Information security policy − Standards and practices – ISO
17799/BS 7799 − NIST Models − VISA International Security Mode l − Design of Security
architecture − Planning for continuity.
UNIT V PHYSICAL DESIGN 9
Security technology − IDS − Scanning and analysis tools − Cryptography – Access Control
devices − Physical security − Security and personnel.
Total: 45
TEXT BOOKS
1. Michael E Whitman and Herbert J Mattord, “Principles of Information Security”, Vikas
Publishing House, 2003.
2. Micki Krause and Harold F.Tipton, “Handbook of Information Security Management”, Vol 1-
3 CRC Press LLC,2004
REFERENCES
1. Stuart Mc Clure, Joel Scrambray and George Kurtz, “Hacking Exposed”, Tata McGraw-Hill,
2003.
2. Matt Bishop, “Computer Security Art and Science”, Pearson/PHI, 2002.
3. Patel, “Information Security : Theory and Practice”, PHI, 2006.
4. Straub, “Information Security: Policy, Processes and Practices”, PHI, 2009.
 UNIT 1 FUNDAMENTALS

History − What is Information Security? − Critical characteristics of information − NSTISSC

security model − Components of an information system − Securing the components −
Balancing security and access − SDLC − Security SDLC.

UNIT - 1 : INTRODUCTION

I. . History

Introduction
 Information security: a ―well-informed sense of assurance that the information risks and
controls are in balance.‖ — Jim Anderson, Inovant (2002)
 Necessary to review the origins of this field and its impact on our understanding of
information security today
The 1970s and 80s

 ARPANET grew in popularity as did its potential for misuse

 Fundamental problems with ARPANET security were identified
 No safety procedures for dial-up connections to ARPANET
 Nonexistent user identification and authorization to system
 Late 1970s: microprocessor expanded computing capabilities and security threats
 Information security began with Rand Report R-609 (paper that started the study of
computer security
 Scope of computer security grew from physical security to include:
 Safety of data
 Limiting unauthorized access to data
 Involvement of personnel from multiple levels of an organization

The 1990s
 Networks of computers became more common; so too did the need to interconnect
networks
 Internet became first manifestation of a global network of networks
 In early Internet deployments, security was treated as a low priority
The Present
 The Internet brings millions of computer networks into communication with each other—
many of them unsecured
 Ability to secure a computer‘s data influenced by the security of every computer to which
it is connected

What is Security?
 ―The quality or state of being secure—to be free from danger‖
 A successful organization should have multiple layers of security in place:
 Physical security
  Personal security
 Operations security
 Communications security
 Network security
 Information security

Critical Characteristics of Information

 The value of information comes from the characteristics it possesses:
 Availability
 Accuracy
 Authenticity
 Confidentiality
 Integrity
 Utility
 Possession

NSTISSC Security Model

Components of an Information System

 Information system (IS) is entire set of software, hardware, data, people, procedures, and
networks necessary to use information as a resource in the
organization

Balancing security and access

SDLC Systems Development Life Cycle

The Security Systems Development Life Cycle

 The same phases used in traditional SDLC may be adapted to support specialized
implementation of an IS project
 Investigation
 Analysis
 Logical design
 Physical design
 Implementation
 Maintenance & change

 Identification of specific threats and creating controls to counter them

Senior Management
 Chief Information Officer (CIO)
 Senior technology officer
 Primarily responsible for advising senior executives on strategic planning
 Chief Information Security Officer (CISO)
 Primarily responsible for assessment, management, and implementation of IS in
the organization
 Usually reports directly to the CIO

Information Security Project Team

 A number of individuals who are experienced in one or more facets of required technical
and nontechnical areas:
 Champion
 Team leader
 Security policy developers
 Risk assessment specialists
 Security professionals
 Systems administrators
 End users

Data Ownership
 Data owner: responsible for the security and use of a particular set of information
 Data custodian: responsible for storage, maintenance, and protection of information
 Data users: end users who work with information to perform their daily jobs supporting
the mission of the organization
Information Security: Is it an Art or a Science?
 Implementation of information security often described as combination of art and science
 ―Security artesan‖ idea: based on the way individuals perceive systems technologists
since computers became commonplace

Security as Art
 No hard and fast rules nor many universally accepted complete solutions
 No manual for implementing security through entire system

Security as Science
 Dealing with technology designed to operate at high levels of performance
 Specific conditions cause virtually all actions that occur in computer systems
 Nearly every fault, security hole, and systems malfunction are a result of interaction of
specific hardware and software
 If developers had sufficient time, they could resolve and eliminate faults

Security as a Social Science

 Social science examines the behavior of individuals interacting with systems
 Security begins and ends with the people that interact with the system
 Security administrators can greatly reduce levels of risk caused by end users, and create
more acceptable and supportable security profiles

 Dealing with technology designed to operate at high levels of performance

Specific conditions
 Unit –II
SECURITY INVESTIGATION

Need for security − Business needs − Threats − Attacks − Legal, Ethical and professional
issues.

I. Need for security

Learning objective
Upon completion of this chapter you should be able to:
– Understand the business need for information security.
– Understand a successful information security program is the responsibility of an
organization‘s general management and IT management.
– Understand the threats posed to information security and the more common
attacks associated with those threats.
– Differentiate threats to information systems from attacks against information
systems.
Business Needs First,
Technology Needs Last
Information security performs four important functions for an organization:
– Protects the organization‘s ability to function
– Enables the safe operation of applications implemented on the organization‘s IT
systems
– Protects the data the organization collects and uses
– Safeguards the technology assets in use at the organization

Protecting the Ability to Function

 Management is responsible
 Information security is
– a management issue
– a people issue
 Communities of interest must argue for information security in terms of impact and cost

Enabling Safe Operation

 Organizations must create integrated, efficient, and capable applications
 Organization need environments that safeguard applications
 Management must not abdicate to the IT department its responsibility to make choices
and enforce decisions

Protecting Data
 One of the most valuable assets is data
 Without data, an organization loses its record of transactions and/or its ability to deliver
value to its customers
 An effective information security program is essential to the protection of the integrity
and value of the organization‘s data

Safeguarding Technology Assets

 Organizations must have secure infrastructure services based on the size and scope of the
enterprise
 Additional security services may have to be provided
 More robust solutions may be needed to replace security programs the organization has
 outgrown

Threats
 Management must be informed of the various kinds of threats facing the organization
 A threat is an object, person, or other entity that represents a constant danger to an asset
 By examining each threat category in turn, management effectively protects its
information through policy, education and training, and technology controls
 The 2002 CSI/FBI survey found:
– 90% of organizations responding detected computer security breaches within the
last year
– 80% lost money to computer breaches, totaling over $455,848,000 up from
$377,828,700 reported in 2001
– The number of attacks that came across the Internet rose from 70% in 2001 to
74% in 2002
– Only 34% of organizations reported their attacks to law enforcement
 The 2002 CSI/FBI survey found:
– 90% of organizations responding detected computer security breaches within the
last year
– 80% lost money to computer breaches, totaling over $455,848,000 up from
$377,828,700 reported in 2001
– The number of attacks that came across the Internet rose from 70% in 2001 to
74% in 2002
– Only 34% of organizations reported their attacks to law enforcement

Acts of Human Error or Failure

 Includes acts done without malicious intent
 Caused by:

– Inexperience
– Improper training
– Incorrect assumptions
– Other circumstances
 Employees are greatest threats to information security – They are closest to the
organizational data

Acts of Human Error or Failure

 Employee mistakes can easily lead to the following:
 – revelation of classified data
– entry of erroneous data
– accidental deletion or modification of data
– storage of data in unprotected areas
– failure to protect information
 Many of these threats can be prevented with controls

Deviations in Quality of Service by Service Providers

 Situations of product or services not delivered as expected
 Information system depends on many inter-dependent support systems
 Three sets of service issues that dramatically affect the availability of information and
systems are
– Internet service
– Communications
– Power irregularities

Internet Service Issues

 Loss of Internet service can lead to considerable loss in the availability of information
– organizations have sales staff and telecommuters working at remote locations

 When an organization outsources its web servers, the outsourcer assumes responsibility
for
– All Internet Services
– The hardware and operating system software used to operate the web site

Services
 Other utility services have potential impact
 Among these are
– telephone
– water & wastewater
– trash pickup
 – cable television
– natural or propane gas
– custodial services
 The threat of loss of services can lead to inability to function properly

Power Irregularities
Voltage levels can increase, decrease, or cease:
– spike – momentary increase
– surge – prolonged increase
– sag – momentary low voltage
– brownout – prolonged drop
– fault – momentary loss of power
– blackout – prolonged loss
 Electronic equipment is susceptible to fluctuations, controls can be applied to manage
power quality

Espionage/Trespass
 Broad category of activities that breach confidentiality
– Unauthorized accessing of information
– Competitive intelligence (the legal and ethical collection and analysis of
information regarding the capabilities, vulnerabilities, and intentions of business
competitors) vs. espionage
– Shoulder surfing can occur any place a person is accessing confidential
information
 Controls implemented to mark the boundaries of an organization‘s virtual territory giving
notice to trespassers that they are encroaching on the organization‘s cyberspace
 Hackers uses skill, guile, or fraud to steal the property of someone else

Espionage/Trespass
 Generally two skill levels among hackers:
– Expert hacker
• develops software scripts and codes exploits
• usually a master of many skills
• will often create attack software and share with others
– Script kiddies
• hackers of limited skill
• use expert-written software to exploit a system
• do not usually fully understand the systems they hack
 Other terms for system rule breakers:
– Cracker - an individual who ―cracks‖ or removes protection designed to prevent
unauthorized duplication
– Phreaker - hacks the public telephone network

Information Extortion
 Information extortion is an attacker or formerly trusted insider stealing information from
a computer system and demanding compensation for its return or non-use
 Extortion found in credit card number theft

Sabotage or Vandalism
 Individual or group who want to deliberately sabotage the operations of a computer
system or business, or perform acts of vandalism to either destroy an asset or damage the
image of the organization
 These threats can range from petty vandalism to organized sabotage
 Organizations rely on image so Web defacing can lead to dropping consumer confidence
and sales
 Rising threat of hacktivist or cyber-activist operations – the most extreme version is
cyber-terrorism

Deliberate Acts of Theft

 Illegal taking of another‘s property - physical, electronic, or intellectual
 The value of information suffers when it is copied and taken away without the owner‘s
knowledge
 Physical theft can be controlled - a wide variety of measures used from locked doors to
guards or alarm systems
 Electronic theft is a more complex problem to manage and control - organizations may
not even know it has occurred

Deliberate Software Attacks

 When an individual or group designs software to attack systems, they create malicious
code/software called malware
– Designed to damage, destroy, or deny service to the target systems
 Includes:
– macro virus
– boot virus
– worms
– Trojan horses
– logic bombs
– back door or trap door
– denial-of-service attacks
– polymorphic
– hoaxes
Compromises to Intellectual Property
 Intellectual property is ―the ownership of ideas and control over the tangible or virtual
representation of those ideas‖
 Many organizations are in business to create intellectual property
– trade secrets
– copyrights
– trademarks
– patents
 Most common IP breaches involve software piracy
 Watchdog organizations investigate:
– Software & Information Industry Association (SIIA)
– Business Software Alliance (BSA)
 Enforcement of copyright has been attempted with technical security mechanisms
Forces of Nature
 Forces of nature, force majeure, or acts of God are dangerous because they are
unexpected and can occur with very little warning
 Can disrupt not only the lives of individuals, but also the storage, transmission, and use of
information
 Include fire, flood, earthquake, and lightning as well as volcanic eruption and insect
infestation
 Since it is not possible to avoid many of these threats, management must implement
controls to limit damage and also prepare contingency plans for continued operations

Technical Hardware Failures or Errors

 Technical hardware failures or errors occur when a manufacturer distributes to users
equipment containing flaws
 These defects can cause the system to perform outside of expected parameters, resulting
in unreliable service or lack of availability
 Some errors are terminal, in that they result in the unrecoverable loss of the equipment
 Some errors are intermittent, in that they only periodically manifest themselves, resulting
in faults that are not easily repeated
 This category of threats comes from purchasing software with unrevealed faults
 Large quantities of computer code are written, debugged, published, and sold only to
determine that not all bugs were resolved
 Sometimes, unique combinations of certain software and hardware reveal new bugs
 Sometimes, these items aren‘t errors, but are purposeful shortcuts left by programmers
for honest or dishonest reasons
Technological Obsolescence
 When the infrastructure becomes antiquated or outdated, it leads to unreliable and
untrustworthy systems
 Management must recognize that when technology becomes outdated, there is a risk of
loss of data integrity to threats and attacks
 Ideally, proper planning by management should prevent the risks from technology
obsolesce, but when obsolescence is identified, management must take action
Attacks
 An attack is the deliberate act that exploits vulnerability

 It is accomplished by a threat-agent to damage or steal an organization‘s information or

physical asset
– An exploit is a technique to compromise a system
– A vulnerability is an identified weakness of a controlled system whose controls
are not present or are no longer effective
– An attack is then the use of an exploit to achieve the compromise of a controlled
system
–
Malicious Code
 This kind of attack includes the execution of viruses, worms, Trojan horses, and active
web scripts with the intent to destroy or steal information
 The state of the art in attacking systems in 2002 is the multi-vector worm using up to six
attack vectors to exploit a variety of vulnerabilities in commonly found information
system devices

Attack Descriptions
 IP Scan and Attack – Compromised system scans random or local range of IP addresses
and targets any of several vulnerabilities known to hackers or left over from previous
exploits
 Web Browsing - If the infected system has write access to any Web s, it makes all
Web content files infectious, so that users who browse to those s become infected
 Virus - Each infected machine infects certain common executable or script files on all
computers to which it can write with virus code that can cause infection
 Unprotected Shares - using file shares to copy viral component to all reachable locations
 Mass Mail - sending e-mail infections to addresses found in address book
 Simple Network Management Protocol - SNMP vulnerabilities used to compromise and
infect
 Hoaxes - A more devious approach to attacking computer systems is the transmission of a
virus hoax, with a real virus attached

 Back Doors - Using a known or previously unknown and newly discovered access
mechanism, an attacker can gain access to a system or network resource
 Password Crack - Attempting to reverse calculate a password
 Brute Force - The application of computing and network resources to try every possible
combination of options of a password
 Dictionary - The dictionary password attack narrows the field by selecting specific
accounts to attack and uses a list of commonly used passwords (the dictionary) to guide
guesses
 Denial-of-service (DoS) –
– attacker sends a large number of connection or information requests to a target
– so many requests are made that the target system cannot handle them
successfully along with other, legitimate requests for service
– may result in a system crash, or merely an inability to perform ordinary functions
 Distributed Denial-of-service (DDoS) - an attack in which a coordinated stream of
requests is launched against a target from many locations at the same time

 Spoofing - technique used to gain unauthorized access whereby the intruder sends
messages to a computer with an IP address indicating that the message is coming from a
trusted host
 Man-in-the-Middle - an attacker sniffs packets from the network, modifies them, and
inserts them back into the network
 Spam - unsolicited commercial e-mail - while many consider spam a nuisance rather than
an attack, it is emerging as a vector for some attacks
 Mail-bombing - another form of e-mail attack that is also a DoS, in which an attacker
routes large quantities of e-mail to the target
 Sniffers - a program and/or device that can monitor data traveling over a network.
Sniffers can be used both for legitimate network management functions and for stealing
information from a network
 Social Engineering - within the context of information security, the process of using
social skills to convince people to reveal access credentials or other valuable information
to the attacker
 People are the weakest link. You can have the best technology; firewalls, intrusion-
detection systems, biometric devices ... and somebody can call an unsuspecting employee.
That's all she wrote, baby. They got everything.‖
 ―brick attack‖ – the best configured firewall in the world can‘t stand up to a well placed
brick
 Buffer Overflow –
– application error occurs when more data is sent to a buffer than it can handle
 – when the buffer overflows, the attacker can make the target system execute
instructions, or the attacker can take advantage of some other unintended
consequence of the failure
 Timing Attack –
– relatively new
– works by exploring the contents of a web browser‘s cache
– can allow collection of information on access to password-protected sites
– another attack by the same name involves attempting to intercept cryptographic
elements to determine keys and encryption algorithms

UNIT-III

SECURITY ANALYSIS

Risk management − Identifying and assessing risk − Assessing and controlling risk.

Risk management

Risk Management

 If you know the enemy and know yourself, you need not fear the result of a hundred
battles.
 If you know yourself but not the enemy, for every victory gained you will also suffer a
defeat.
 If you know neither the enemy nor yourself, you will succumb in every battle.‖ (Sun Tzu)

Know Ourselves
 First, we must identify, examine, and understand the information, and systems, currently
in place
 In order to protect our assets, defined here as the information and the systems that use,
 store, and transmit it, we have to understand everything about the information
 Once we have examined these aspects, we can then look at what we are already doing to
protect the information and systems from the threats

Know the Enemy

 For information security this means identifying, examining, and understanding the threats
that most directly affect our organization and the security of our organization‘s
information assets
 We then can use our understanding of these aspects to create a list of threats prioritized
by importance to the organization

Accountability for Risk Management

 It is the responsibility of each community of interest to manage risks; each community
has a role to play:
– Information Security - best understands the threats and attacks that introduce risk
into the organization
– Management and Users – play a part in the early detection and response process -
they also insure sufficient resources are allocated
– Information Technology – must assist in building secure systems and operating
them safely

Accountability for Risk Management

 All three communities must also:
– Evaluate the risk controls
– Determine which control options are cost effective
– Assist in acquiring or installing needed controls
– Ensure that the controls remain effective

Risk Management Process

 Management reviews asset inventory
 The threats and vulnerabilities that have been identified as dangerous to the asset
inventory must be reviewed and verified as complete and current
 The potential controls and mitigation strategies should be reviewed for completeness
 The cost effectiveness of each control should be reviewed as well, and the decisions
about deployment of controls revisited

Risk Identification
 A risk management strategy calls on us to ―know ourselves‖ by identifying, classifying,
and prioritizing the organization‘s information assets
 These assets are the targets of various threats and threat agents and our goal is to protect
them from these threats
 Next comes threat identification:
– Assess the circumstances and setting of each information asset
– Identify the vulnerabilities and begin exploring the controls that might be used to
manage the risks

Asset Identification and Valuation

 This iterative process begins with the identification of assets, including all of the
elements of an organization‘s system: people, procedures, data and information, software,
hardware, and networking elements
 Then, we classify and categorize the assets adding details as we dig deeper into the
 analysis

Hardware, Software, and Network Asset Identification

 Automated tools can sometimes uncover the system elements that make up the hardware,
software, and network components
 Once created, the inventory listing must be kept current, often through a tool that
periodically refreshes the data

Network Asset Identification

 What attributes of each of these information assets should be tracked?
 When deciding which information assets to track, consider including these asset
attributes:
 Name
 IP address
 MAC address
 Element type
 Serial number
 Manufacturer name
 Manufacturer‘s model number or part number
 Software version, update revision, or FCO number
 Physical location
 Logical location
 Controlling entity

People, Procedures, and Data Asset Identification

 Unlike the tangible hardware and software elements already described, the human
resources, documentation, and data information assets are not as readily discovered and
documented
 These assets should be identified, described, and evaluated by people using knowledge,
experience, and judgment
 As these elements are identified, they should also be recorded into some reliable data
handling process
Asset Information for People
 For People:
– Position name/number/ID – try to avoid names and stick to identifying positions,
roles, or functions
– Supervisor
– Security clearance level
– Special skills
Asset Information for procedures
 For Procedures:
– Description
– Intended purpose
– What elements is it tied to
– Where is it stored for reference
– Where is it stored for update purposes
Asset Information for Data
 For Data:
– Classification
– Owner/creator/manager
– Size of data structure
– Data structure used – sequential, relational
– Online or offline
– Where located
– Backup procedures employed

Classification
 Many organizations already have a classification scheme
 Examples of these kinds of classifications are:
– confidential data
– internal data
– public data
 Informal organizations may have to organize themselves to create a useable data
classification model
 The other side of the data classification scheme is the personnel security clearance
structure

Information Asset Valuation

 Each asset is categorized
 Questions to assist in developing the criteria to be used for asset valuation:
– Which information asset is the most critical to the success of the organization?
– Which information asset generates the most revenue?
– Which information asset generates the most profitability?
– Which information asset would be the most expensive to replace?
– Which information asset would be the most expensive to protect?
– Which information asset would be the most embarrassing or cause the greatest
liability if revealed?
Information Asset Valuation
 Create a weighting for each category based on the answers to the previous questions
Which factor is the most important to the organization?
 Once each question has been weighted, calculating the importance of each asset
is straightforward
 List the assets in order of importance using a weighted factor analysis worksheet
Data Classification and Management
 A variety of classification schemes are used by corporate and military organizations
 Information owners are responsible for classifying the information assets for which they
are responsible
 Information owners must review information classifications periodically
 The military uses a five-level classification scheme but most organizations do not need
the detailed level of classification used by the military or federal agencies
Security Clearances
 The other side of the data classification scheme is the personnel security clearance
structure
 Each user of data in the organization is assigned a single level of authorization indicating
the level of classification
 Before an individual is allowed access to a specific set of data, he or she must meet the
need-to-know requirement
 This extra level of protection ensures that the confidentiality of information is properly
maintained

Management of Classified Data

 Includes the storage, distribution, portability, and destruction of classified information
– Must be clearly marked as such
– When stored, it must be unavailable to unauthorized individuals
– When carried should be inconspicuous, as in a locked briefcase or portfolio
 Clean desk policies require all information to be stored in its appropriate storage
container at the end of each day
 Proper care should be taken to destroy any unneeded copies
 Dumpster diving can prove embarrassing to the organization
Threat Identification
 Each of the threats identified so far has the potential to attack any of the assets protected
 This will quickly become more complex and overwhelm the ability to plan
 To make this part of the process manageable, each step in the threat identification and
vulnerability identification process is managed separately, and then coordinated at the
end of the process
Identify and Prioritize Threats
 Each threat must be further examined to assess its potential to impact organization - this
is referred to as a threat assessment
 To frame the discussion of threat assessment, address each threat with a few questions:
– Which threats present a danger to this organization‘s assets in the given
environment?
– Which threats represent the most danger to the organization‘s information?
– How much would it cost to recover from a successful attack?
– Which of these threats would require the greatest expenditure to prevent?
Vulnerability Identification
 We now face the challenge of reviewing each information asset for each threat it faces
and creating a list of the vulnerabilities that remain viable risks to the organization
 Vulnerabilities are specific avenues that threat agents can exploit to attack an information
asset
Vulnerability Identification
 Examine how each of the threats that are possible or likely could be perpetrated and list
the organization‘s assets and their vulnerabilities
 The process works best when groups of people with diverse backgrounds within the
organization work iteratively in a series of brainstorming sessions
 At the end of the process, an information asset / vulnerability list has been developed
– this list is the starting point for the next step, risk assessment

Risk Assessment
 We can determine the relative risk for each of the vulnerabilities through a process called
risk assessment

 Risk assessment assigns a risk rating or score to each specific information asset, useful in
gauging the relative risk introduced by each vulnerable information asset and making
comparative ratings later in the risk control process

Introduction to Risk Assessment

 Risk Identification Estimate Factors
– Likelihood
– Value of Information Assets
– Percent of Risk Mitigated
– Uncertainty
 Risk Determination
For the purpose of relative risk assessment:
risk =
minuspluslikelihood of vulnerability occurrence times value (or impact)
percentage risk already controlled an element of
uncertaintydentify Possible Controls
 For each threat and its associated vulnerabilities that have any residual risk, create a
preliminary list of control ideas
 Residual risk is the risk that remains to the information asset even after the existing
control has been applied

Access Controls
 One particular application of controls is in the area of access controls
 Access controls are those controls that specifically address admission of a user into a
trusted area of the organization
 There are a number of approaches to controlling access
 Access controls can be
– discretionary
– mandatory
– nondiscretionary

Types of Access Controls

 Discretionary Access Controls (DAC) are implemented at the discretion or option of the
data user
 Mandatory Access Controls (MACs) are structured and coordinated with a data
classification scheme, and are required
 Nondiscretionary Controls are those determined by a central authority in the organization
and can be based on that individual‘s role (Role-Based Controls) or a specified set of
duties or tasks the individual is assigned (Task-Based Controls) or can be based on
specified lists maintained on subjects or objects

Lattice-based Control
 Another type of nondiscretionary access is lattice-based control, where a lattice structure
(or matrix) is created containing subjects and objects, and the boundaries associated with
each pair is contained
 This specifies the level of access each subject has to each object
 In a lattice-based control the column of attributes associated with a particular object are
referred to as an access control list or ACL
 The row of attributes associated with a particular subject (such as a user) is referred to as
a capabilities table

Documenting Results of Risk Assessment

 The goal of this process has been to identify the information assets of the organization
that have specific vulnerabilities and create a list of them, ranked for focus on those most
needing protection first
 In preparing this list we have collected and preserved factual information about the assets,
the threats they face, and the vulnerabilities they experience
Introduction to Risk Assessment
 The process you develop for risk identification should include designating what function
the reports will serve, who is responsible for preparing the reports, and who reviews them
 We do know that the ranked vulnerability risk worksheet is the initial working document
for the next step in the risk management process: assessing and controlling risk