Chapter 4: Identity and Access Management - Section B Flashcards
Access Control Software Introduction: What is the purpose of access control software?
Its purpose is to prevent unauthorized access to and modification of organization data and the use of system-critical functions
Access Control Software Introduction: To achieve the goal, it is necessary to apply access controls across critical layers of the IS architecture (T or F)
False. All layers must have access controls
Access Control Software Introduction: Which layers have the greatest degree of protection?
The Network and Platform/OS layers
Access Control Software Introduction: What do you call the Network and Platform layers and why?
General Support Systems. They make up the infrastructure on which the database and application layers reside
Access Control Software Introduction: OS ACS is typically restricted to ____ ____ and interfaces with ___ ____ ____ ___ and resides in ___ ____ ____ that manage and control external access to organization’s networks
Privileged Users; network access control software; network layer devices
Access Control Software Introduction: OS access control software interfaces with database and/or application access controls to protect system libraries and user data sets (T or F)
True.
What are the access control functions of general operating and/or application systems?
- Create or change user profiles.
- Assign user identification and authentication.
- Apply user logon limitation rules.
- Ensure users’ access is commensurate with their job responsibilities.
- Ensure notification concerning proper use and access prior to initial login.
- Create individual accountability and auditability by logging user activities.
- Establish rules for access to specific information resources (e.g., system-level application resources and data).
- Log events.
- Report capabilities.
What are the access control functions of database and/or application-level systems?
- Create or change data files and database profiles
- Verify user authorization at the application and transaction level
- Verify user authorization within the application
- Verify user authorization at the field level for changes within a database
- Verify subsystem authorization for the user at the file level
- Log database/data communications access activities for monitoring access violations
General operation and application system access control: How do they create individual accountability and auditability?
By logging user activities
General operation and application system access control: Ensure notification concerning proper use and access after the initial login (T or F)
False. Prior to initial login
Database and/or application-level access control functions: Verifies user authorization at what levels?
Application and transaction level
Database and/or application-level access control functions: Verifies authorization for changes within the database at what level?
Field level
Database and/or application-level access control functions: Verifies subsystem authorization for the user at the ___ level
file
Access Control Software Summary: What are the upper and lower layers?
Upper: Database and Application Layers
Lower: Network and Platform/OS Layers
Access Control Software Summary: The lower layers are dependent on the upper layers (T or F)
False. The opposite is true: the upper layers depend on the lower layers to protect the general system resources
Access Control Software Summary: Upper layers provide _____ at the application level in segregating duties by function
granularity
What is a critical building block of computer security because it is needed in all access control?
Identification and Authentication
Identification and Authentication: How does it establish user accountability?
Links activities on a computer system to specific individuals.
Identification and Authentication: Common vulnerabilities include:
- Weak authentication
- Simple passwords
- Potential to bypass authentication
- Lack of confidentiality and integrity for the stored authentication information
- Lack of encryption on authentication and protection of information transferred over a network
- Users' lack of knowledge of the risks of sharing authentication elements
Identification and Authentication: I&A differ with respect to:
- Meaning
- Method, Peripherals, and Techniques
- Attributes
- Requirements in terms of secrecy and management
Identification and Authentication: I&A differ in attributes how?
Authentication does not innately have any attributes related to it, while identity does
Identification and Authentication: How do I&A differ in terms of change?
Identities don't normally change; authentication keys, on the other hand, are regularly changed to ensure reliability
Key Concepts of Identity Access Management: Name All the Key Concepts:
- Identity creation and access request
- Transfer Request
- Access Termination Request
- Password Communication
- Password Management
- Policy Administration
- Validation
- Reinstatement
- Authorization Subprocess
- SoD
- Log Management
- Privileged Access
- Dormant/Orphan User Accounts
Key Concepts of IAM: What are the identified gaps in identity creation and access request?
- Authorized approval not in place
- Privileged Access without analyzing the need
- Group Share Access
Key Concepts of IAM: What are the identified gaps in transfer request?
Authorized approval not in place
Key Concepts of IAM: What are the identified gaps in Access Termination Request?
User ID not revoked immediately after termination
Key Concepts of IAM: What are the identified gaps in Password Communication
Unsecured means to communicate password
Key Concepts of IAM: What are the identified gaps in Password Management
- Password parameters not followed
- Password Complexity not met
- Nonexistent password policies and standards
- Use of Shared Passwords
Key Concepts of IAM: What are the identified gaps in Policy Administration?
- Lack of documented processes, policies and procedures
- Lack of timely process review
Key Concepts of IAM: What are the identified gaps in Validation?
- Validation process not in place or adhered to
- Timely action not taken for accounts that are not validated in the process
Key Concepts of IAM: What are the identified gaps in Reinstatement
- Reinstatement without valid authorization
Key Concepts of IAM: What are the identified gaps in Authorization subprocess
- Access given without authorization
Key Concepts of IAM: What are the identified gaps in SoD
- Lack of SoD
Key Concepts of IAM: What are the identified gaps in Log Management
- Lack of Logging, auditing and reviewing of events
Key Concepts of IAM: What are the identified gaps in Privileged Access
- Access provided to users without validating the needs of access
- Periodic revalidation process not in place
- Non-validated accounts are not terminated
Key Concepts of IAM: What are the identified gaps in dormant user accounts?
- Owners and custodians not identified for user accounts
In Key Concepts of IAM - Identity creation and access request: Who should authorize the access?
The user’s manager, resource owner or the security officer
In Key Concepts of IAM - Identity creation and access request: Privileged access can be granted only after what?
two levels of approval
In Key Concepts of IAM - Identity creation and access request: Privileged access can be granted after two levels of approval from?
- Reporting Manager
- Reporting Manager's Manager / Application, Database or Server Owner
In Key Concepts of IAM - Identity creation and access request: Group shared access must utilize what principle?
Least privilege
In Key Concepts of IAM - Identity creation and access request: Group shared access must
- ____________ on which the account can exist
- Ensure and _______ the list of users who would be sharing the account
- _________ should maintain and publish ____________ who have access to the account
- Validate the ____________ for shared accounts
- Passwords should be changed on a regular basis. The frequency should be defined in the ____________
- If it is found that someone obtains unauthorized access, the password must be __________
- Limit the servers
- Preapprove
- Account Owners; the list of users
- logging activities
- process document
- changed immediately
In Key Concepts of IAM - Access termination request: The recommendation for the gap is to terminate access within a minimum and maximum of how many days?
Minimum: 1
Maximum: 5
In Key Concepts of IAM - Password Communication: To address the unsecured means of communicating passwords,
- Passwords can be communicated via ______ in _______
- Passwords must be stored in ______
- User email; encrypted format
- sealed envelope
In Key Concepts of IAM - Password Management: To address the gaps, one shall ensure that
- The password should be a ____ of ___ characters in length
- Password should contain a mix of ____ and ____ letters, _____ and ______
- Passwords should not be: ____
- An encrypted ____ ___ should be maintained and should at minimum retain the last ___ passwords for each user ID
- Password changes should be enforced – ___ days for privileged access and __ days for regular access
- At minimum ___ consecutive unsuccessful attempts should lead to ____ suspension of the account until it is reset by the ____ _____
- A time out feature or screensaver should be enabled after __ minutes of inactivity
- Passwords must always be _____ when held in storage for any significant period of time or when transmitted over networks
- Each ___ __ should be uniquely identifiable, preferably to the _____
- The last ___ __ __ __ should be displayed for the user at the ___ ___ __
- At first login, a ___ ___ ___ should be enforced
- The password must be changed promptly when ___ is suspected
- Minimum; 8
- Lowercase; Uppercase; Numbers; Punctuation
- Words found in the dictionary; Personal information; Related to the User ID; Common character sequences
- History File; 13
- 30;90
- 5; system administrator
- 15 minutes
- encrypted
- User ID; Username
- login date and time; time of login
- mandatory password change
- disclosure
In Key Concepts of IAM - Policy Administration: Document review should be done every when?
Preferably yearly
In Key Concepts of IAM - Validation: each user account should be reevaluated at a ___ ___ - preferably ___ months for normal users and ___ months for privileged user accounts
fixed-frequency; 6; 3
In Key Concepts of IAM - Reinstatement: Lack of approvals/incorrect authorization requests should not be reinstated (T or F)
False. Should be
In Key Concepts of IAM - Authorization subprocess: Requests should be checked for valid granted approvals. Lack of approvals/ incorrect authorization requests should be______ at the ___ ____ stage
blocked; access request
In Key Concepts of IAM - SoD: __________ requests passing through the IAM process should be validated for ___ ___ checking. Requests that fail the SoD check should be blocked at the ___ ___ ___
All requests; SoD Policy; access request stage
In Key Concepts of IAM - Privileged Access:
- ______ ____ must be in place
- Revalidation of privileged accounts must be conducted on a ____ basis
- At a minimum, non-validated accounts should be terminated/locked in ___ working day or a maximum of __ days
documented processes; quarterly; 1; 5
In Key Concepts of IAM - Dormant accounts: All accounts without an owner or custodian need to be identified and highlighted so that they can be what?
Assigned or removed