5.3 : Logical Access (Doshi) Flashcards
Logical access controls in information technology are used for the following (4):
(1) identification
(2) authentication
(3) authorization, and
(4) accountability in computer information systems
The two main types of access control are:
(1) physical and
(2) logical
Physical access control
Limits access to campuses, buildings, facilities, and physical IT assets
Logical access control
Limits connections to computer networks, system files and data.
The four main categories of access control are:
(1) Mandatory Access Control (MAC)
(2) Discretionary access control (DAC)
(3) Role-based access control
(4) Rule-based access control
Mandatory Access Control (MAC)
is a logical access control that cannot be controlled or modified by normal users or data owners.
Discretionary Access Control (DAC)
(DACs) are logical access controls that may be activated or modified by the data owners at their discretion.
MAC compared to DAC: in terms of data security, which is the best choice?
MACs are the better choice.
Steps to follow when implementing logical access control:
(1) Inventory of IS resources
(2) Classification of IS resources
(3) Grouping/labeling of IS resources
(4) Creation of an access control list
What is the first step in data classification?
Identify the owner of the data/application
Automated password management tool vs Manual password management tool
In any given scenario, an automated password management tool works as the best preventive control and ensures compliance with the password management policy.
Preventive controls as compared to detective and deterrent controls
In any given scenario, PREFERENCE is to be given to PREVENTIVE controls as compared to detective or deterrent controls.
Automated controls as compared to manual controls
In any given scenario, preference is to be given to automated controls as compared to manual controls.
What is the prime objective of a review of logical access control?
To ensure access has been assigned as per the organization’s authorization.
In any given scenario, the data owner/system owner is ultimately responsible
for defining the access rules.
In any given scenario, the following are the logical steps for data classification:
- First step is to have an inventory of information assets.
- Second step is to establish ownership.
- Third step is classification of IS resources.
- Fourth step is labelling of IS resources.
- Fifth step is creation of access control list.
In any given scenario, accountability for the maintenance of proper security controls over information assets resides with
the data owner/system owner.
In any given scenario, the greatest benefit of a well-defined data classification policy is
decreased cost of control.
In any given scenario, the most important objectives of data protection are to
(i) ensure integrity/confidentiality of data and (ii) establish appropriate access control guidelines.
Data classification must take into account the following requirements:
- Legal/Regulatory/Contractual
- Confidentiality
- Integrity
- Availability
In information technology, logical access controls are tools and protocols used for
identification, authentication, authorization, and accountability in computer information systems.
The four main categories of access control are:
Mandatory access control
Discretionary access control
Role-based access control
Rule-based access control
Mandatory Access Control: Mandatory Access Controls (MACs) are logical access controls that cannot be
controlled or modified by normal users or data owners.
Discretionary Access Control: Discretionary Access Controls (DACs) are logical access controls that may be
activated or modified by the data owners at their discretion.
In any given scenario, MACs are the BEST choice in terms of data security
as compared to DACs.
In any given scenario, the following are the steps for implementing logical access controls:
(a) Inventory of IS resources.
(b) Classification of IS resources.
(c) Grouping/labelling of IS resources.
(d) Creation of an access control list.
In any given scenario, the first step in data classification is
to identify the owner of the data/application.
In any given scenario, an automated password management tool works as the
BEST preventive control and ensures compliance with the password management policy.
Please note the access control best practices for wireless security below. Invariably there will be 2-3 questions on this concept:
(a) Enable MAC address filtering:
Every machine (PC/laptop/mobile) has a unique identification number, known as the Media Access Control (MAC) address. Through this control, you allow access only to selected devices. Any other device trying to access your network will be rejected by your router.
(b) Disable SSID (Service Set Identifier) broadcasting:
A Service Set Identifier (SSID) is the wireless network name broadcast by a router, and it is visible to all wireless devices. When a wireless device searches the area for wireless networks, it will detect the SSID.
(c) Enable WPA2 (Wi-Fi Protected Access) protection:
Encryption scrambles the information we send through a wireless network into a code so that it is difficult for others to access. Using encryption is an effective way to secure your network from intruders.
Two main types of encryption are available for this purpose:
Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP).
WPA2 is the strongest
encryption standard for wireless connections as of today.
In any given scenario, preference is to be given to preventive controls
as compared to detective or deterrent controls.
In any given scenario, preference is to be given to automated controls
as compared to manual controls.
In any given scenario, a default-deny access control policy (i.e. deny all traffic except selected traffic) is a more robust and stringent access control policy
as compared to a default-allow access control policy (i.e. allow all traffic except selected traffic).
The prime objective of a review of logical access control is
to ensure access has been assigned as per the organisation’s authorization.