Information Security Essentials

Uploaded by manar thani

Key Concepts

What’s a control:
1. Controls and Risk Mitigation:

Controls are safeguards designed to protect the confidentiality, integrity, and availability of information.

2. Definition of Controls:

Controls, according to NIST, are measures designed to protect CIA and meet
defined security requirements.

3. Control Assessment:

Periodic assessments are essential to ensure controls operate effectively.

Controls Overview
1. Access Elements:

Access is based on three elements: subjects, objects, and rules.

Subjects: the initiators of access requests (users, clients, processes, etc.).

Objects: the entities being accessed (devices, processes, users, etc.).

Rules: instructions allowing or denying access to objects. Examples include firewall access control lists.

2. Ownership and Access Rules:

Objects have owners who decide access rules, often recorded in rule bases or
access control lists.

Defense in Depth
1. Defense in Depth Concept:

Around 2005, defense in depth gained popularity, emphasizing layering different controls to protect assets.

2. Layered Control Types:

Defense in depth involves three types of controls:

Administrative Controls: Direct behavior by telling people what to do (policies, procedures, standards).

Logical (Technical) Controls: Include antivirus, firewalls, and other technical measures.

Physical Controls: Control access physically, such as locks, fences, etc.

3. Least Privilege Principle:

Users and processes should have the minimum level of authority (permissions)
necessary to perform their functions.

User Life Cycle Management
1. Provisioning:

Meaning: Creating and configuring user accounts and access rights for new
employees.

2. Identity Proofing:
Meaning: Checking someone's identity during the provisioning process.

3. User Life Cycle Phases:

Meaning: Managing users throughout their life cycle within the organization.

4. Service Accounts and Administrative Roles:

Meaning: Service accounts run without individual logins, serving specific functions like backups.

5. Identification and Authentication:

Meaning: Identification involves knowing the subject's identity before credential allocation, while authentication ensures the person logging in is who they claim to be.

6. Separation of Duties:
Meaning: Segregation of duties involves assigning distinct roles (requester,
approver) to prevent fraud or misuse, often with multiple approval levels.

7. Dual Controls:
Meaning: Dual controls require two or more people to collaborate to complete
sensitive operations.

8. User Access Reviews:

Meaning: Regular reviews of user access.

9. Authorization and Auditing:

Meaning: Authorization involves ongoing decision-making by the operating system to grant or deny access based on user roles.
Auditing includes logging and checking logs to monitor successful or unsuccessful authorizations and user activities, with different processes for user and privileged accounts based on needed assurance.

Privileged Access Management

1. Static vs. Just-in-Time PAM:

Static PAM: Traditional access control assigns privileges statically.

Just-in-Time PAM: Role-based privileges activate in real time when a user requests a specific resource or service.

2. Privileged Accounts:

Definition: Accounts with permissions beyond normal users.

3. Measures for Privileged Account Management:

Logging: Privileged actions require more extensive and detailed logging than
regular user accounts.

Access Control: Privileged users need additional or more rigorous authentication.

Trust Verification: Privileged account holders undergo detailed background checks.

Auditing: Privileged account activity is monitored and audited at a greater rate and extent than regular usage to detect and respond to potential malicious activity.
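The just-in-time model above, as an added example that is not part of these notes: a small privilege broker in Python. Eligible users hold no standing administrative rights; an elevation is granted only on request, only after step-up authentication, only for a bounded time, and every privileged action is written to a more detailed log than ordinary use would get. The clock is injectable so the expiry can be exercised offline; the names, roles and commands are constructed.

```python
"""Added example, not part of the notes: a just-in-time privilege broker.
Eligible users hold no standing administrative rights; elevation is granted
only on request, after step-up authentication, for a bounded time, and every
privileged action goes to a detailed log. The clock is injectable so the
expiry can be exercised offline. Names, roles and commands are constructed."""
from dataclasses import dataclass
import time


@dataclass
class Elevation:
    user: str
    role: str
    expires_at: float
    justification: str


class JitBroker:
    def __init__(self, eligible, ttl_seconds=900, clock=time.time):
        self.eligible = eligible    # user -> set of privileged roles they may request
        self.ttl = ttl_seconds
        self.clock = clock
        self.active = {}            # (user, role) -> Elevation
        self.log = []               # (event, user, role, detail)

    def request(self, user, role, justification, mfa_verified):
        """Static PAM would have granted the role permanently; here it is time-boxed."""
        if role not in self.eligible.get(user, set()):
            self.log.append(("denied", user, role, "not eligible"))
            return None
        if not mfa_verified:        # privileged access demands stronger authentication
            self.log.append(("denied", user, role, "step-up authentication missing"))
            return None
        elev = Elevation(user, role, self.clock() + self.ttl, justification)
        self.active[(user, role)] = elev
        self.log.append(("granted", user, role, justification))
        return elev

    def is_elevated(self, user, role) -> bool:
        elev = self.active.get((user, role))
        if elev is None:
            return False
        if self.clock() >= elev.expires_at:
            del self.active[(user, role)]
            self.log.append(("expired", user, role, ""))
            return False
        return True

    def run_privileged(self, user, role, command) -> bool:
        if not self.is_elevated(user, role):
            self.log.append(("blocked", user, role, command))
            return False
        # Privileged actions are logged with the full command, unlike ordinary use.
        self.log.append(("privileged_action", user, role, command))
        return True

    def privileged_actions(self):
        return [e for e in self.log if e[0] == "privileged_action"]


if __name__ == "__main__":
    broker = JitBroker({"alice": {"db_admin"}}, ttl_seconds=600)
    broker.request("alice", "db_admin", "change ticket CHG-1", mfa_verified=True)
    broker.run_privileged("alice", "db_admin", "rotate database credentials")
    for entry in broker.log:
        print(entry)
```

The denied, expired and blocked entries are deliberately logged alongside the granted ones: a review of privileged activity needs the attempts that failed as much as the actions that ran.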

Segregation of Duties
1. Definition: Security practice ensuring that no single individual controls an entire
high-risk transaction from initiation to completion.

2. Application:

Transaction Breakdown: SoD divides transactions into distinct parts, mandating different individuals for each segment.

Example: Invoice submission for payment requires approval from a manager before processing.

3. Fraud Prevention and Error Detection:

Purpose: Prevents fraud and detects errors

Example: Employee submitting an invoice cannot also approve it for payment.

4. Flexibility in Authorization:

Customization: Permits assigning different authorization roles to an individual based on specific activities.

5. Risk of Collusion:

Concern: Collaboration between two individuals to bypass segregation and jointly commit fraud.

6. Dual Control Implementation:

Concept: Dual control involves splitting authorization responsibilities, requiring collaboration for specific actions.

Example: Bank vault with two combination locks, each known by different
personnel, necessitating collaboration to access the vault.

7. Two-Person Integrity:

Strategy: Two-person integrity mandates a minimum of two individuals to be present in an area simultaneously.

Access Control: Access systems may enforce the two-person rule for
entering high-security areas, minimizing insider threats.

Life Safety: Enhances safety within a security area; the presence of two individuals ensures immediate assistance in case of emergencies.

##FOR INFORMATION##

How Users Are Provisioned

1. New Employee Onboarding:

Scenario: A new employee is hired.

Request Process: Hiring manager sends a request to the security administrator.

Authorization: The request authorizes the creation of a new user ID with specified access levels.

Policy Note: Additional authorization may be needed for elevated permissions per company policy.

2. Change of Position:

Scenario: An employee is promoted.

Changes Required: Permissions and access rights change based on the new role.

Updates: Any additional privileges are added, and unnecessary access is removed.

3. Separation of Employment:

Scenario: An employee leaves the company.

Actions Needed: Disable the account after the termination date.

Recommendation: Disable accounts before deletion to preserve audit trails.

Security Measures: Remove the account from security roles and access
profiles.

Purpose: Prevent unauthorized access post-employment for both company protection and employee privacy.

Note:

Best Practice: Avoid copying user profiles for new users to prevent "permission
or privilege creep."

Example: If an employee gains additional access for a specific task, and this
access isn't removed after task completion, copying the profile for a new user
may result in unnecessary permissions.

Recommendation: Establish standard roles and create new users based on these standards rather than duplicating existing user profiles. This ensures appropriate access without unnecessary privileges.

##END##

Administrative Controls
Direct behavior by telling people what to do
Types of Administrative Controls:

1. Policies:
Definition: High-level statements outlining actions, often signed off by senior
managers.

Purpose: Communicate what and, ideally, why certain actions are taken to
promote compliance.

2. Procedures/Processes:

Characteristics: Specific, step-by-step instructions created at the business unit level.

3. Acceptable Use Policy:

Definition: Policy specifying acceptable and unacceptable use of computer-based resources.

User Agreement: Unlike most policies, end users sign an agreement to adhere
to the policy.

4. Nondisclosure Agreement:

Purpose: Employee promise not to disclose information about their current employer after employment.

Protection: Aims to safeguard trade secrets and sensitive information.

5. Employment Contract and Job Description:

Function: Formalize employment arrangements and provide clarity on job roles and expectations.

6. Standards:

Nature: Prescribed actions or measures that must be followed.

Examples: Encryption standards imposed by regulations or internally generated standards.

7. Guidelines:

Nature: Recommendations that are considered advisable but not mandatory.

Usage: Should be followed but lack the mandatory nature of standards.

Physical Controls
Key Concepts
1. Interdependence of Control Types:

There is a need for a balance between administrative, physical, and logical controls
in security management.

2. Crime Prevention Through Environmental Design (CPTED):

Definition: CPTED involves designing environments with the aim of managing risk
and preventing crime.

Examples of CPTED Measures:

Open Green Spaces: Used to enhance visibility and deter potential criminals.

Undulating Terrain: Designed to impede speeding vehicles and enhance security.

3. Considerations for Biometrics:

Throughput (Speed): Examines how quickly biometric systems can process information, emphasizing the need for efficiency.

Accuracy: Involves balancing false acceptance (wrongly granting access) and false
rejection (denying access to authorized users) rates.

Invasiveness: Considers the level of intrusiveness associated with biometric methods, with some being more invasive than others.

Universality: Focuses on the suitability of biometric systems for diverse populations, recognizing that not all approaches are universally applicable.
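The accuracy trade-off above, worked through as an added Python example that is not part of these notes: a matcher emits a similarity score, a decision threshold turns it into accept or reject, and moving the threshold pushes the false acceptance rate and the false rejection rate in opposite directions. The two score lists are constructed; the threshold where the two rates are closest is often called the equal-error operating point.

```python
"""Added example, not part of the notes: the accuracy trade-off above computed
on constructed matcher scores. A biometric matcher emits a similarity score
and a threshold turns it into accept or reject; raising the threshold lowers
the false acceptance rate (impostors accepted) and raises the false rejection
rate (legitimate users refused). The score lists are constructed."""

GENUINE = [0.91, 0.88, 0.79, 0.95, 0.70, 0.84, 0.62, 0.90]    # constructed: enrolled users
IMPOSTOR = [0.12, 0.35, 0.48, 0.66, 0.21, 0.30, 0.73, 0.40]   # constructed: other people


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) at a given decision threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)   # wrongly accepted
    frr = sum(s < threshold for s in genuine) / len(genuine)      # wrongly rejected
    return far, frr


def sweep(thresholds=(0.5, 0.6, 0.7, 0.8)):
    """Show how the two error rates move in opposite directions."""
    return {t: rates(t) for t in thresholds}


def balanced_threshold(steps=100):
    """Lowest threshold at which FAR and FRR are closest (the equal-error operating point)."""
    best_t, best_gap = None, None
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates(t)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


if __name__ == "__main__":
    for t, (far, frr) in sweep().items():
        print(f"threshold {t:.2f}: FAR {far:.3f}  FRR {frr:.3f}")
    print("balanced threshold:", balanced_threshold())
```

Which side of the balance point to sit on is a risk decision, not a technical one: a door to a data centre is tuned toward a low FAR and accepts more rejections of legitimate staff, a low-risk convenience login the other way round.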

What Are Physical Security Controls?

Definition: Physical security controls are tangible and touchable items implemented to prevent.

Examples of Physical Access Controls:

Security Guards: Human personnel trained to monitor and secure a facility.

Fences: Physical barriers designed to control and limit access.

Motion Detectors: Devices that sense movement and trigger alarms or other
responses.

Locked Doors/Gates: Restrict access to authorized individuals.

Sealed Windows: Windows designed or treated to prevent unauthorized entry.

Prioritization: When implementing physical access controls, the security of personnel takes precedence, emphasizing the protection of people as the highest priority, followed by securing other physical assets.

Types of Physical Access Controls

1. Badge Systems and Gate Entry:

Technologies like turnstiles, mantraps, and remotely controlled door locks are employed for human traffic control.

The access control system compares an individual's badge against a verified database, allowing authorized personnel to access controlled areas.

2. Environmental Design (CPTED):

Utilizes organizational, mechanical, and natural design methods to deter crime.

Directs the flow of people, signals access permissions, and provides visibility to
reduce the likelihood of criminal activities.

3. Biometrics:
Biometrics authenticates a user's identity based on unique characteristics.

Enrollment Process: User's biometric code is stored in a system or on a smart card during enrollment.

Verification Process: User presents biometric data for comparison with the
stored code.

Physiological Biometrics: Measures physical characteristics like fingerprints, iris scans, retinal scans, palm scans, and venous scans.

Behavioral Biometrics: Measures behavioral traits such as voiceprints, signature dynamics, and keystroke dynamics.

Biometric systems are highly accurate but can be expensive and may raise
privacy concerns among users.

Security
1. Physical Security and Deterrence:

Physical security, including the presence of security guards, acts as a deterrent, helps detect problems, and prevents and corrects security issues.

2. CCTV Systems:

Two types: analog (traditional and expensive) and digital (IP-based, lower
cost, and requires less cabling).

3. Retention and Media Type for CCTV:

Retention period and media type should be strategic decisions based on needs.

Considerations include where footage is stored, backup procedures, and protection of stored information.

4. Alarm Systems:

Common sensors include PIR (passive infrared) sensors for detecting movement and balanced magnetic switches on doors/windows.

Auditory sensors, such as glass break sensors, listen for specific sounds.

5. Logging and Log Review:

Decision-making on what is logged and how long logs are retained is crucial.

Secure storage of logs is important, and logs become meaningful when regularly reviewed.

Logs provide valuable information for forensic investigations.

Monitoring
1. Physical Access Controls and Monitoring:

Essential elements in maintaining organizational security.

Involves monitoring personnel and equipment entering and leaving, along with
auditing/logging all physical events.

2. Monitoring Examples:

Cameras:

Integrated into overall security programs and centrally monitored.

Logs:

Record events and are crucial for supporting business requirements.

Should capture and retain information as necessary for legal or business reasons.

Security Guards:

Effective physical security control, discouraging unauthorized access and preventing theft or abuse.

Alarm Systems:

Commonly found on doors and windows, alerting personnel when opened unexpectedly.

3. Log Retention Policy:

Organizations should establish guidelines for log retention as part of their log
processes.

4. Legal Department Guidance:

Legal departments often provide specific guidelines for data retention.

Logical Controls
1. Logical or Technical Controls:

Run on computers and can be hardware, software, or cloud-based.

Examples include discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC).

2. Discretionary Access Control (DAC):

Asset owner directly controls access.

Often seen in shared drives where the document creator manages permissions.

Fast, cheap, and low-cost administration, but can be inconsistent and prone to
misuse.

3. Mandatory Access Control (MAC):

Asset owner determines access but relies on a central function for implementation.

Common in high-security environments like military settings.

Adds cost and latency but ensures more consistent outcomes.

4. Role-Based Access Control (RBAC):

Access is determined by the role an individual holds.

Useful in environments with multiple individuals in the same role.

May simplify security templates but often results in more roles and exceptions in
practice.

5. Blended Approach:

Organizations commonly use a mix of discretionary access control, role-based access control, and additional rules.

Exceptions and specific use cases often lead to a more flexible approach.

6. Access Control List (ACL):

A simple form of control, often a text file with allow or deny statements.

Contains logical conditions specifying what is allowed or denied.

Typically has an implicit deny, meaning nothing is allowed by default unless specified.

Can be an allow list (specifying what is allowed) or a deny list (specifying what is blocked).

7. Monitoring Logical Controls:

Logical controls require monitoring to ensure intended benefits and to understand the environment.

Checking logs is not enough; monitoring and auditing logs are crucial for
effective security.
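The ACL item above, and the subjects/objects/rules model from the Controls Overview, as an added Python example that is not part of these notes: a firewall-style rule base where the subject is a source network, the object is a destination port, rules are checked top-down with first match winning, and anything unmatched falls to the implicit deny. It also includes a reviewer's check for rules shadowed by an earlier rule, since a shadowed deny is a common rule-base defect. The rule bases are constructed.

```python
"""Added example, not part of the notes: a small rule-based ACL of the kind
described above. A subject (source address) requests an object (destination
port); rules are checked top-down, the first match decides, and a request that
matches no rule is denied (implicit deny). The rule bases are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    subject: str    # source network in CIDR notation, or "any"
    obj: str        # destination port as a string, or "any"

    def matches(self, src_ip: str, port: int) -> bool:
        subject_ok = self.subject == "any" or ip_address(src_ip) in ip_network(self.subject)
        object_ok = self.obj == "any" or self.obj == str(port)
        return subject_ok and object_ok


def evaluate(rules, src_ip, port):
    """Return (decision, index of the matching rule); index is None on implicit deny."""
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, port):
            return rule.action, i
    return "deny", None          # nothing matched: implicit deny


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every request matching `inner` would already match `outer`."""
    if outer.subject == "any":
        subject_ok = True
    elif inner.subject == "any":
        subject_ok = False
    else:
        subject_ok = ip_network(inner.subject).subnet_of(ip_network(outer.subject))
    object_ok = outer.obj == "any" or outer.obj == inner.obj
    return subject_ok and object_ok


def find_shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


# Constructed allow list: only what is listed is permitted, everything else is
# caught by the implicit deny. The last rule is deliberately shadowed.
ALLOW_LIST = [
    Rule("allow", "10.0.0.0/8", "443"),
    Rule("allow", "10.0.1.0/24", "22"),
    Rule("deny", "10.0.1.77/32", "22"),     # never reached: rule 1 matches first
]

# Constructed deny list: specific blocks, then an explicit allow-all.
DENY_LIST = [
    Rule("deny", "10.0.1.77/32", "22"),
    Rule("allow", "any", "any"),
]

if __name__ == "__main__":
    print(evaluate(ALLOW_LIST, "192.168.1.5", 443))   # ('deny', None)
    print(evaluate(ALLOW_LIST, "10.0.1.77", 22))      # ('allow', 1): the deny was shadowed
    print(find_shadowed(ALLOW_LIST))                 # [2]
```

The deny list only behaves as a deny list because of its final explicit allow-all; remove that rule and the same file becomes an allow list again, which is why the notes stress that the default, not just the listed entries, defines what the control does.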

What are Logical Access Controls?

1. Definition:

Logical access controls are electronic methods that restrict access to systems and, in some cases, tangible assets or areas.

2. Comparison with Physical Access Controls:

While physical access controls are tangible mechanisms limiting access to a physical space, logical access controls focus on electronic means.

3. Types of Logical Access Controls:

Passwords: Authentication method based on secret codes known only to the authorized user.

Biometrics: Biometric authentication implemented on electronic systems, such as smartphones or laptops, using unique physical characteristics like fingerprints or facial features.

Badge/Token Readers: Electronic devices connected to a system that read badges or tokens to grant or deny logical access.

4. Purpose:

Logical access controls determine who can gain access to a system, even if the individual already has physical access.

Discretionary Access Control (DAC)

1. Definition:

DAC is a specific type of access control policy enforced over subjects and objects in an information system.

2. DAC Policy Permissions:

Subjects with access can:

Pass information to other subjects or objects.

Grant privileges to other subjects.

Change security attributes on subjects, objects, or systems.

3. Widespread Use:

Most information systems globally operate under DAC policies.

4. Rule-Based Access Control:

Rule-based access control systems are often a form of DAC.

5. Example Scenario:

In a UNIX environment with DAC, users like Steve and Aidan can
establish or modify permissions for files they own.

Access control lists (ACLs) or capabilities lists maintain permissions, mapping subjects to objects.

6. Data Structure:

Systems use a table mapping subjects to objects, indicating the permissions each subject has for a specific object.

Access control lists show subjects with any permissions for an object.

Capabilities lists show each object a subject has permissions for.

7. Scalability Challenges:

DAC relies on the discretion of individual object owners, which may limit
scalability.

Identifying and resolving access control issues can be challenging in DAC systems.

Mandatory Access Control (MAC)

1. Uniform Enforcement:

MAC is uniformly enforced across all subjects and objects within an information system.

2. Administrator Control:

Only trusted security administrators can modify security rules for subjects and objects in the system.

3. Assigned Privileges:

For all defined subjects, the organization assigns a subset of privileges for a subset of objects.

Subjects are constrained from unauthorized actions, such as passing information, granting privileges, changing security attributes, etc.

4. Restrictions on Subjects:

Subjects cannot:

Pass information to unauthorized entities.

Grant their privileges to others.

Change security attributes on subjects, objects, or the system.

Choose security attributes for new or modified objects.

Change rules governing access control.

5. Comparison with DAC:

Unlike Discretionary Access Control (DAC), where object owners have discretion, MAC mandates that security administrators control access.

6. Security Administrator Role:

Security administrators play a crucial role in defining and managing access rights, ensuring a high level of control.

7. Access Control Differences:

While MAC and DAC may sound similar, the fundamental difference lies
in who has the authority to control access rights.

Role-Based Access Control (RBAC)

1. Role Creation:

Roles are created to represent specific job functions within an organization.

2. Access Assignment:

Each role is assigned the necessary access permissions and rights required for the personnel working in that role.

3. User Role Assignment:

When a user takes on a job, the administrator assigns them to the appropriate role.

4. Access Adjustment:

If a user leaves a particular role, the administrator removes that user from
the corresponding role.

5. Access Removal:

When a user is removed from a role, access associated with that role is
also removed.

6. Effective Access Management:

RBAC simplifies access management by associating permissions with roles rather than individual users.

7. Adaptability to Staff Changes:

RBAC is well-suited for environments with high staff turnover, as role assignments can be easily adjusted.

8. Multiple Personnel with Similar Access:

Ideal for situations where multiple personnel have similar access requirements based on their roles.

Controls Review
Terms and Definitions
Audit - Independent review and examination of records and activities to assess the
adequacy of system controls, to ensure compliance with established policies and
operational procedures. NIST SP 1800-15B

Crime Prevention through Environmental Design (CPTED) - An architectural approach to the design of buildings and spaces which emphasizes passive features to reduce the likelihood of criminal activity.

Defense in Depth - Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization. Source: NIST SP 800-53 Rev 4

Discretionary Access Control (DAC) - A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be. NIST SP 800-192

Encrypt - To protect private information by putting it into a form that can only be
read by people who have permission to do so.

Firewalls - Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.

Insider Threat - An entity with authorized access that has the potential to harm an
information system through destruction, disclosure, modification of data, and/or
denial of service. NIST SP 800-32

iOS - An operating system manufactured by Apple Inc. Used for mobile devices.

Layered Defense - The use of multiple controls arranged in series to provide several consecutive controls to protect an asset; also called defense in depth.

Linux - An operating system that is open source, making its source code legally
available to end users.

Log Anomaly - A system irregularity that is identified when studying log entries
which could represent events of interest for further surveillance.

Logging - Collecting and storing user activities in a log, which is a record of the events occurring within an organization’s systems and networks. NIST SP 1800-25B.

Logical Access Control Systems - An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application or database. A logical access control system requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization. NIST SP 800-53 Rev. 5.

Mandatory Access Control - Access control that requires the system itself to
manage access controls in accordance with the organization’s security policies.

Mantrap - An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time.

Object - Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information. Access to an object (by a subject) implies access to the information it contains. See subject. Source: NIST SP 800-53 Rev 4

Physical Access Controls - Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

Principle of Least Privilege - The principle that users and programs should have
only the minimum privileges necessary to complete their tasks. NIST SP 800-179

Privileged Account - An information system account with approved authorizations of a privileged user. NIST SP 800-53 Rev. 4

Ransomware - A type of malicious software that locks the computer screen or files,
thus preventing or limiting a user from accessing their system and data until money
is paid.

Role-based access control (RBAC) - An access control system that sets up user
permissions based on roles.

Rule - An instruction developed to allow or deny access to a system by comparing the validated identity of the subject to an access control list.

Segregation of Duties - The practice of ensuring that an organizational process cannot be completed by a single person; forces collusion as a means to reduce insider threats. Also commonly known as Separation of Duties.

Subject - Generally an individual, process or device causing information to flow among objects or change to the system state. Source: NIST SP 800-53 Rev 4

Technical Controls - The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.

Turnstile - A one-way spinning door or barrier that allows only one person at a time
to enter a building or pass through an area.

Unix - An operating system used in software development.

User Provisioning - The process of creating, maintaining and deactivating user identities on a system.
