Mandatory and Discretionary Access Control and Security

Words: 3603 Pages: 13

Identify and contrast two different approaches used to categorise access control methodologies. List and critique the types of controls found in each

Access control methodology Approach

Mandatory Approach and Discretionary

Access controls can be either mandatory or discretionary. A mandatory access control approach allocates a specific security mark or label to an individual object and the subjects relating to the object. This label defines the degree of sensitivity of the object.

Examples of sensitivities include public, secret, top private, secret and, sensitive (Whitman, & Mattord, 2010, p. 65)). In a discretionary access control approach, however, the subject’s identity is used to decide which object they have access. The owner of the object is the judge of the subjects who can be allowed access to an object. In discretionary access control, the administrator determines what needs to be protected and how data may be shared. This is in contrast to mandatory access control where the system decides how the data will be shared.

Discretionary access control is more common in operating systems but less secure compared to mandatory access control. In mandatory access control, the label attached to the subject determines the clearance that they have to access objects and the category or class of the objects that they can access. In discretionary access control, the class of the object determines the subjects allowed to view it. Some forms of mandatory access control allow subjects access to objects below the level (Whitman, & Mattord, 2010, p.69), which they are allowed to view the objects.

Mandatory access control is used in systems requiring critical security such as military installations and programs while discretionary access control is more in commercial operating systems (OMB Circular A-130, 2000). Mandatory access control is also harder to program, configure, and implement compared to discretionary access control. Mandatory access control is orange book B-level while discretionary access control is orange book C-level. Discretionary access control also relies on object owner to control access while mandatory access control relies on the system to control access.

Rule-Based Access Control

Rule-based access control is a common form of mandatory access control. In this type of access control, subjects use a rule set to determine access to objects. Security clearance is given based on the necessity of the object to the subject (Whitman, & Mattord, 2010, p.69). This means that a subject can only access an object depending on the priority of the object to the subject’s work. The necessity is predetermined and employees can only access information that is necessary for them to do their job. This type of access control, despite being secure, may hamper information sharing within an organisation limiting the efficiency of the work processes. It is also time consuming and difficult to construct and maintain, and requires a good infrastructure base to operate.

Identity-Based Access Control

In discretionary access control, a common type of implementation is the identity based access control (OMB Circular A-130, 2000). In this type of access control, the decision of access to objects is determined by a user ID or in most instances a membership group for users. In this access control, the instance of identity theft is possible, and the results can mean an outsider or unauthorised person accessing classified information.

A different approach of classifying access control is logical, organisational, physical, and personal controls. Logical controls involve the protection of data, network assets, and access to the organisation’s applications among others. Physical controls include locks doors, alarms, physical barriers, and surveillance. Organisational controls involve mainly the formulation of rules and regulations within the organisation. Another control used is personal control, which makes use of sanctions, awareness and training.

These are inferior to mandatory access control and discretionary access control due to their proven weakness in information security. They are, however used in conjunction with MAC and DAC in almost all institutions as backup to the main access controls.

Conclusion

In conclusion, the main categories of access control are mandatory access control (MAC) and discretionary access control (DAC). These have been discussed with mandatory access control being more secure when compared to DAC.

Contrast the ISO/IEC 27001 outline with the NIST documents outlined in the textbook, Chapter 6. Which areas, if any, are missing from the NIST documents? Identify the strengths and weaknesses of the NIST programs compared to the ISO standard

Both ISO/IEC 27001 and NIST documents are standards, which provide a detailed risk management approach for IT assets. Both are closely aligned with related steps aimed at achieving the same goal of effective risk management (OMB Circular A-130, 2000). The ISO/IEC 27001 establishes guidelines for initiating, implementing, maintaining, and improving information security management. It has multiple possible controls with each having categories of information such as objectives, which is a control that is relevant to the achievement of the objectives and the implementation guidance along with other relevant information.

NIST documents lists 172 controls and has been in existence for a long time. It developed because of the cooperation between the government and industry professionals. It is constantly reviewed to improve and keep it up to date. Its use is spread throughout organizations since it is easily accessible and available. Some examples include the SP 800-12 computer security handbook and SP 800-30 risk management for information technology systems (OMB Circular A-130, 2000).

Contrast

The ISO/IEC 27001 outline defines the scope of information security management system (ISMS). The initial step is the definition of an information security management system policy after which the approach to risk assessment is defined (Whitman, & Mattord, 2010, p.76). The risks are identified and assessed. Options available for the treatment of the identified risks are also identified, and a statement of applicability prepared.

The administrators come up with a plan on how to treat the risk after which they implement the controls, training, and awareness programs. The operations are managed and procedures implemented to detect and respond to security incidents. Monitoring procedures should then be put in place with regular reviews of effectiveness. Internal auditing is necessary and any change is made.

On the contrary, NIST identifies 17 controls, which are then categorised into three (OMB Circular A-130, 2000). These categories are management controls, operational controls and technical controls (Stoneburner, Hayden, & Feringa, 2004). Management controls address managerial security topics while operational controls address those focusing on the controls enforced and accomplished by the people. On the other hand, technical control docket majors on defense management accomplished by computer systems.

While ISO focuses mainly on management practices, NIST is more concerned with tactical organisational issues. Of the two methods, it has been shown that ISO provides greater guidance to NIST on third party relationships. However, both recommend the same controls with ISO listing 133 controls, while NIST lists 172 controls (Stoneburner, Hayden, & Feringa, 2004). This means that both are comprehensive with NIST being more comprehensive and detailed compared to ISO (Stoneburner, Hayden, & Feringa, 2004). This can be a disadvantage since it means investing more time in the procedure and making it tedious.

Strengths and Weaknesses

NIST documents have a number of advantages over the ISO/IEC 27001 outline. NIST documents are available at no charge to the public and access is unlimited to anyone with the capacity to use them. This is in contrast to the ISO/IEC 27001 outline, which is difficult to find and implement. The NIST documents are reliable since the government and relevant industry professionals review them broadly to ensure they are of quality and efficient.

The ISO/IEC 27001 outline is criticised for the manner in which it was prepared. Critics state that it was prepared in a rush. This is in contrast to NIST documents that have been available for some time making them more efficient and reliable. NIST provides little guidance on design and implementation of new security systems. This means that frequent reviews have to take place with installations taking place now and then.

Conclusion

While both ISO and NIST provide a detailed approach to management of risks for IT assets, the ISO/IEC 27001 outline has received criticism for its availability. NIST, on the other hand, is freely available and has been around for a long time having been crafted by the government in collaboration with relevant stakeholders. Both provide a basis for the development of security systems and access control. A comparison of both methods is given with just few differences and many similarities in their operation.

Critique the recommended process for the development of information security measurement program implementation

Critique

When organisations are developing information security management programs, it is recommended that they first do benchmarking. This is drawing ideas from experienced organisations, established models, and practices (Whitman, & Mattord, 2010, p.56).

This can be important in determining the controls to be considered. A weakness of benchmarking is that one cannot accurately determine how the controls gathered can be implemented in the new organisation. Another challenge is that most competing organisations are not willing to assist their competitors with information that may put them at a better position in the market (Whitman, & Mattord, 2010, p.77). This is a major challenge, as organisations prefer keeping secret their encounters with threats, as revealing them may cause loss of organisational respect.

An organisation should commit to due diligence in implementing controls at established minimum standards. Legal liability may result should the organisation fail to demonstrate due care and due diligence. Best practices are those that seek to provide a superior level of performance in information protection (The Security Risk Management Guide, 2006). The need for access to information should be balanced with the need to protect the gathered information, and companies should show fiscal responsibility.

Some companies may opt to utilise the gold standard. This model demonstrates industrial leadership and care for information with minimum risk to threats.

Companies choosing this method should however be prepared financially since this method requires a large budget and personnel. The most available method to an organisation should be chosen therefore with consideration of the potential threats, the size of the company, and the financial base it controls.

In industries where government regulation is common, the guidelines followed are not within the control of the local organisations. This may pose the risk of poor practice as some organisations may set higher standards than those set by the

regulating body, which is the government. However, in some organisations, the government policy may be useful in informing selections and best practices. The factors considered in the development of best practice consider the type of organisation and the challenges that it faces. A comparison of the organisational structure is made and resources available to the organisation classified.

In the recommended process of information development, priority is given to the external threats. This is despite the fact that most of the threats to a firm in terms of information management are from within the company. A good information management system should be able to control internal and external threats equally (The Security Risk Management Guide, 2006). In the proposed method, there is no categorisation of companies in terms of their size. It assumes that all companies can put up an information management system irrespective of their sizes. Suggestions for appropriate information management systems should be based on the capabilities of different firms.

The proposed management of risks also assumes that systems and network threats of information are static and information security systems can only be set up once. This is not the case since threats together with their sources are constantly changing, and any measure to deal with them requires to be updated every now and then. A solid information security program requires involvement of all the involved parties in equal contribution. In the proposed information security measurement program implementation, focus is only on the organizations and their operators without consideration of other industry players. This is a weakness since for it to work, it has to be clear and acceptable to everyone involved.

Conclusion

In conclusion, information security is a priority in any organisation. The proposed method of information security management program is effective and precise. It is well stated with the various steps outlined in an easy-to-understand/apply method. However, gross assumptions are made about the sizes of various organisations and their capabilities. The method of benchmarking is also not effective in practice, as stated. There needs to be a well-defined method of benchmarking. An assumption is also made that threats are static and require constant method of deterrence. This, as seen in the paper, is wrong since threats are mutating every single day.

Consider a small internet commerce company with ten employees and identify threats to its information security. Assume that this company uses an outside vendor for its order fulfillment. Once the list of threats has been generated, assign a likelihood score to each threat. Justify your answer

Threats

A small internet commerce company with ten employees and using an outside vendor for order fulfillment faces threats to its information security. In this kind of firm, the employees are likely to know each other personally and are not likely to threaten the company at a personal level as compared to a larger organisation (Whitman, & Mattord, 2010, p.54). Some of the threats that this company faces to its information security include environmental, organisational, deliberate attacks, technical failures, and human errors.

These threats are general to any orgarnisation irrespective of the size, but in a small organisation like the example above, there are specific threats that are more common compared to a relatively larger organization. These are discussed in detail. However, special attention goes to the intentional threats from external sources such as in the order fulfillment.

The most common threat that an internet company faces are deliberate acts like theft and hacking. These are intended to cause harm to the organisation, and are due to vandalism or most commonly, espionage. Phishing and malicious codes are also common methods used to ground internet firms especially the susceptible ones like the one above. The likelihood score of deliberates acts as threats is set at very high because they are common and cause the most damage.

In environmental threats, natural phenomena like earthquakes, storms, hurricanes, floods and lightening are just but a few of the examples. These threats are largely unpredictable and hard to control, and the magnitude of damage done to the information security system may be large and expensive. Since the small company uses an outside vendor for its order fulfillment, a cut in the supply may be unavoidable in times of an environmental threat. The likelihood score of environmental threats is low because they are not frequent and do not necessarily involve damage to the security systems.

A more common threat to a firm of this magnitude is human error (Whitman, & Mattord, 2010, p.56). These include deletion of files by mistake, unnecessary writing down of passwords in insecure places like stickers and rough papers and the missing of critical dates.

An employee may also mistakenly send an email to a wrong address. These are threats due to human errors and are not intentional. When these types of threats occur, they threaten information security in the firm indirectly and may cause grave damage. They are largely also, unpredictable and any control method may be the victim of such threats. The likelihood score of human errors is medium. This is because they are not frequent but whenever they occur, they can cause significant risk to the firm’s information.

Technical failures are also common in this size of an internet commerce company. A hardware failure often results to compromise of the information security system. The optimum functioning of hardware is crucial for any intact security management system to counter any threats. A computer hard disk with the systems may crash leading to loss of information and data that is of importance to the firm. This may then lead to the eventual unrecoverable data loss. Another type of technical failure is short circuits within the hardware electrical systems involved in the security of information. The likelihood score for technical failures is set at medium risk because they also cause much damage to the information system. They are also rare and taken care of in most security systems.

In a small organisation as the one provided, inadequate planning and consultation along with financing may provide a chance to the threat of organisational deficits. These organisational deficits include the presence of ill-defined responsibilities of the workers. Organisational deficits are likely to occur in this kind of organisation and thus the likelihood score is high. This is due to the limited information, size of the control processes, and financing.

Conclusion

Seen above the threats that may face a small internet firm include environmental threats, human errors, technical failures, organisational deficits, and deliberate acts. These may be accidental, incidental, because of human mistakes, espionage, or due to vandalism. The threats have also been scored with justification.

Research the Microsoft risk management approach and write a report describing each of the four phases in the security risk management process. Make a list of questions or concerns you may have with the described approach

Microsoft, one of the leading IT Companies, has set up a risk management process with four phases. The phases include risk assessment, conducting decision support, implementing controls, and measuring program effectiveness. Each of these four phases is discussed in detail below with a critical analysis of what each entails.

Microsoft states assessing risks in a business is the first phase in one’s risk management. Risk assessment involves identification of risks that an organisation faces, classifying the risks and setting up priorities. Planning in the risk assessment step is considered important because if builds a solid foundation for a favorable and successful risk assessment. In this step, information regarding possible risks is collected from stakeholders in the organisation.

In the information gathering, the assets of the organisation are identified and description in terms of their value to the organisation follows (Microsoft 2012). Vulnerabilities of the assets are then established following the organisational guidelines and priorities. Scrutiny of the existing controls, as regards to their effectiveness in the organisation, is carried out with attention to the current and future risks.

In the assessing risk step, prioritisation of the risk is important. This involves conducting a summary level of prioritising risk, reviewing it with the relevant stakeholders, and arrangement of the risks according to the impact they would have on an organisation. A summary of the data gathering process and the findings are then published for discussion with the relevant stakeholders with the initial analysis of possible control methods.

The next phase is conducting decision support, which involves naming the available control options for risks identified in the fists phase based on a laid down process of cost-benefit analysis. Appropriate control actions are established for the risks identified in the initial phase. This step is further subdivided into various sub-steps as the first phase. The functional requirements in the mitigation of risks are defined (Microsoft 2006).

Potential control solutions are then selected and reviewed. In each of the selected controls, the risk reduction is then estimated and the direct and indirect costs of the control defined. An organisation should then have the most appropriate control after the cost-benefit analysis is complete for each of the risks identified.

The third phase in the Microsoft security risk management process is the implementation of controls (Microsoft, 2006). After identification of feasible control methods in the previous step, an organisation has to set up the preferred method of control. This involves a holistic approach where the workforce, affordable and available technology, and processes are integrated to facilitate the optimum function-ability of the desired control method. The control method is set up with expertise in a friendly manner to the subjects involved. The aim of the access control should be to achieve total management of the outlined risks.

The fourth and last phase is the measuring of program effectiveness. In this phase, an organisation estimates its progress in the management of the security risks: a scorecard is developed. The organisation tests the control methods besides establishing any vulnerability, at the same time establishing opportunities for improvement of the control.

Questions and concerns for the approach

The Microsoft approach to risk management is easy to understand and incorporates most of the known process. However, a prominent question is the duration of each of the phase of the approach. The phases are also related and there seems to be no distinct boundary of the various phases with some steps featuring in more than one phase. In the assessment of risk phase, there is no indication of the method used to assess the risk to a business. The risk assessment should assist entrepreneurs and organisations in risk management by proposing risks available and providing the most appropriate control method. With reference to the above, I would like to ask the following questions,

What is the approximate amount to time required in each phase?
Which is the most important phase in the Microsoft approach?
Is this approach equally applicable to both small and large companies?
Is there a difference between the four phases or are they all related?
With the above question raised, I would also like to raise a concern of effectiveness of the phases in the Microsoft risk management approach.

Conclusion

Microsoft proposes a security risk management process with four phases. These include assessing risk, conducting decision support, implementing controls, and measuring program effectiveness. These are comprehensive enough to enable companies and big organisations put in place a solid risk management process.

Reference List

Microsoft (2012). The Four Phases of the Microsoft Security Risk Management – MCSE Certification boot camp UK Guide. (n.d.). MCITP Boot Camp | MCITP MCSE CCNA Certification Boot Camp | MCSE MCITP Training Boot Camp | MCSE CCNA MCITP Bootcamp San Mateo California | MCSE MCITP Boot Camp Maryland Baltimore. Web.

OMB Circular A-130. (2000). Management of Federal Information Resources. Appendix III. Web.

Stoneburner, G., Hayden, C., & Feringa, A. (2004). NIST Special Publication 800-27.

Engineering Principles for IT Security. U.S: U.S Department of Commerce.

The Security Risk Management Guide (2006). Microsoft Solutions for Security and Compliance and Microsoft Security Center of Excellence. Web.

Whitman, M., & Mattord, H. (2010). Management Of Information Security 3ed Course Technology. Boston: Word Press.