Risk Management: Use of Access Controls to Protect Assets

ISC2 via Coursera

Go to Course: https://www.coursera.org/learn/sscp-4th-ed-course-2

Introduction

### Course Review: Risk Management: Use of Access Controls to Protect Assets on Coursera

**Overview**

"Risk Management: Use of Access Controls to Protect Assets" is the second course in a series aimed at enhancing our understanding of risk management frameworks and implementing effective access controls designed to safeguard organizational assets. With the escalating cyber threats observed during and after the recent global pandemic, the necessity of a robust security culture within organizations has never been more pressing. This course methodically guides learners through the fundamental steps of establishing a security framework, effectively managing risks, and enforcing access control measures to mitigate vulnerabilities.

**Detailed Course Breakdown**

The course comprises five comprehensive modules that delve into various aspects of security controls, access management, and identity management, structured as follows:

1. **Document, Implement, and Maintain Functional Security Controls**: The initial module underscores the importance of aligning security initiatives with organizational goals. It emphasizes that security is not a standalone entity; rather, it is a critical enabler of business operations. Learners gain insight into justifying security investments by demonstrating their direct impact on organizational resilience and efficiency. This module bridges the gap between security policies and real-world business applications, ensuring that aspiring security professionals understand the strategic value of their roles.
2. **Access Control Models**: This module serves as the crux of information security, focusing on the pivotal question of access rights. It explores both the restriction and granting of access to organizational assets, stressing the need for a balanced approach. By learning about various access control models, students grasp the nuances of granting the appropriate level of access to authorized users while ensuring that unauthorized entities are effectively blocked.
3. **Identity Management Lifecycle**: The identity management segment introduces the IAAA model (Identification, Authentication, Authorization, and Accounting), elucidating the broad spectrum of identity management. This module delves into the lifecycle of identities (how they are created, maintained, and removed) and highlights the importance of real-time access management. This aspect is particularly vital for modern enterprises, where both human and non-human entities require secure access to resources.
4. **Implement and Maintain Authentication Methods**: The challenges of access management are tackled in this module, which sheds light on the implications of flawed identity management processes. It provides practical strategies for organizations to automate and streamline their identity and access management (IAM) systems, addressing the critical need for compliance in the face of privacy regulations. The emphasis on automation helps reduce administrative burdens while improving accountability within access permissions, an increasingly vital component for organizational credibility.
5. **Chapter 2 Review**: The concluding module synthesizes the knowledge gained, reiterating the crucial role of access control in the broader context of information system security. It examines the ongoing battle between defenders and attackers, reinforcing the notion that a well-structured access control strategy is fundamental to maintaining security integrity.

**Recommendation**

"Risk Management: Use of Access Controls to Protect Assets" is an essential course for anyone aspiring to develop a comprehensive understanding of security measures in today's digital landscape. Whether you are a security professional, an IT manager, or someone keen on entering the cybersecurity field, this course provides invaluable insights that are applicable across various sectors. With a blend of theoretical knowledge and practical applications, this course not only equips learners with the necessary skills to implement effective risk management strategies but also fosters a deeper understanding of how security fits within the broader organizational context. Given the increasing complexity of cybersecurity threats, I highly recommend enrolling in this course to enhance your skillset and ensure that you're well-prepared to contribute to the security and longevity of your organization. Take control of your learning journey and invest in your future security expertise!

Syllabus

Module 1: Document, Implement, and Maintain Functional Security Controls

In this module we are going to start looking at the pieces that make up a security program. Now that we have examined the process of risk management, we have the information needed to justify the controls and other actions taken to secure and protect the assets of the organization. The core principle of information security must be remembered, which is that security exists solely for the purpose of supporting and enabling the business mission. Our goal as security professionals is not just to be secure but rather to secure the business. Our organizations do not hire us because they are really interested in security; they hire us because management realizes that security is necessary in order for the business to survive.

Senior managers and leaders within the organization focus on achieving efficient use of every resource they have available to them, so that they can maximize the organization's effectiveness within the marketplaces it serves. Whether it is a for-profit business, a nonprofit organization, or a government agency, the organization (in the words of the motto of the UK's Royal Air Force Police) has to survive to operate. It has to control the losses due to inefficient business processes, bad weather or criminal attacks. Simply put, information security that minimizes losses and protects high-value assets, processes, goals, and objectives pays for itself, and thus commands support and resources from senior management. Security efforts that do not directly support defending those priorities won't.

The explosive growth in cyber fraud activities during the pandemic of 2020-2021 and the increase in ransomware and other attacks alike demonstrates how the attackers are learning faster than the defenders. Let's turn that around, starting with how we think about turning security needs and requirements into effective control strategies.

Module 2: Access Controls Models

It could be argued that access controls are the heart of an information security program. Earlier in this course we have looked at the foundation of security through risk management and policy, and the leadership of information security through management involvement and strategic planning, but in the end, security all comes down to “who can get access to our assets (buildings, data, systems, etc.) and what can they do when they get access?”  Access controls are not just about restricting access, but also about allowing access. It is about granting the correct level of access to authorized personnel and processes but denying access to unauthorized functions or individuals. 

Module 3: Identity Management Lifecycle

This part of the course examines the process of identity management. Identity management (IM) is often described using the IAAA model (sometimes called the AAA model). This represents the steps of identification, authentication, authorization, and accounting (sometimes incorrectly called audit; we'll see why as we go along). Identity management includes establishing, maintaining, and removing identities on our systems. Access control focuses on the real-time tasks necessary to validate that an attempt to access a resource is being done by a recognized, accepted entity using an identity known to the system, and that the attempt is seeking to use privileges that are appropriate and valid for that entity, that resource, and current circumstances.

Prior to the widespread use of web pages that allow site visitors to create an account (an identity) on that host system, most security professionals and organizational managers thought of IM and AAA as happening on two very different time scales, or as driven by two very different types of events:

- IM activities were viewed as being driven by large-scale events, such as joining the organization, going through a major change in roles or job responsibilities, and then leaving the organization.
- AAA activities then occur on a real-time basis with every connection (sign-on) attempt and every access request to resources made by any one of the accounts and user IDs created for that person.

As the concept of identity management has had to expand to include nonhuman users and entities, this view of IM and AAA time horizons has changed in related ways. A company hires human users and acquires endpoints or server devices. It signs partnership agreements with other organizations to set up federated access control mechanisms so that both can share information assets in controlled, secure ways. Each of these are IM activities that happen once (or a few times) in the lifecycle of that entity's relationship with the organization. And just as a human user might go through a thousand resource access attempts during a single workday (or even in a short session), so too might a nonhuman entity performing its assigned or allowed tasks.

Module 4: Implement and Maintain Authentication Methods

The implementation of access management contains its own challenges. Audits in many organizations often reveal that the identity management processes used are flawed, resulting in many users who have access permissions that they have accumulated over the years that are not aligned with their current business needs. This is a problem where privacy regulations require accountability and tracking of access permissions, and it can lead to financial penalties, security breaches, and embarrassment for the organization. The idea of an identity and access management (IAM) system is to automate the process and reduce the administrative overhead, while improving reporting and the ability to monitor the access levels granted to users. Some of the features of IAM systems include an automated process for users to request and be granted access to systems, and a streamlined process for new users and for password resets.
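The two syllabus passages above (Module 3's split between rare identity-lifecycle events and per-request IAAA checks, and Module 4's audit finding that users accumulate permissions no longer matching their role) can be made concrete in one small model. The following is an added example written for this page, not code from the ISC2 course or from Coursera; the role-to-permission policy, the user "alice", and her credential are all constructed, and the class and function names are my own.

```python
# Added example (not from the course): identity lifecycle (IM) and
# per-request IAAA checks. Policy, users, and passwords are constructed.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Constructed role-to-permission policy; an assumption for this example
ROLE_PERMS = {
    "analyst": {"tickets:read", "tickets:write"},
    "finance": {"ledger:read", "ledger:write"},
    "auditor": {"ledger:read", "tickets:read"},
}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the identity store never holds plaintext credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Identity:
    user_id: str
    role: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    # One-off grants outside the role; these are what access reviews look for
    exceptions: set = field(default_factory=set)


class IAM:
    def __init__(self):
        self.identities: dict[str, Identity] = {}
        self.ledger: list[dict] = []  # accounting records, one per event

    def _record(self, event: str, user_id: str, detail: str) -> None:
        self.ledger.append({"ts": time.time(), "event": event,
                            "user": user_id, "detail": detail})

    # ---- Identity management: rare lifecycle events ----
    def provision(self, user_id: str, role: str, password: str) -> None:
        salt = os.urandom(16)
        self.identities[user_id] = Identity(user_id, role, salt, _hash(password, salt))
        self._record("provision", user_id, f"role={role}")

    def grant_exception(self, user_id: str, perm: str) -> None:
        self.identities[user_id].exceptions.add(perm)
        self._record("exception", user_id, perm)

    def change_role(self, user_id: str, new_role: str) -> None:
        # The role changes but earlier exceptions are not revoked: permission creep
        self.identities[user_id].role = new_role
        self._record("change_role", user_id, f"role={new_role}")

    def deprovision(self, user_id: str) -> None:
        self.identities[user_id].active = False
        self._record("deprovision", user_id, "")

    # ---- AAA: run on every single access request ----
    def access(self, user_id: str, password: str, perm: str) -> bool:
        ident = self.identities.get(user_id)  # identification
        if ident is None or not ident.active:
            self._record("deny", user_id, f"{perm}: unknown or disabled identity")
            return False
        # authentication: constant-time comparison of the salted hash
        if not hmac.compare_digest(_hash(password, ident.salt), ident.pw_hash):
            self._record("deny", user_id, f"{perm}: bad credential")
            return False
        allowed = ROLE_PERMS.get(ident.role, set()) | ident.exceptions  # authorization
        if perm not in allowed:
            self._record("deny", user_id, f"{perm}: not permitted for role {ident.role}")
            return False
        self._record("allow", user_id, perm)  # accounting: every decision is recorded
        return True

    # ---- Access review: exceptions the current role does not justify ----
    def review_excess(self) -> dict:
        out = {}
        for uid, ident in self.identities.items():
            if not ident.active:
                continue
            excess = ident.exceptions - ROLE_PERMS.get(ident.role, set())
            if excess:
                out[uid] = excess
        return out


def demo() -> dict:
    """Walk one constructed identity through its lifecycle; returns results for checking."""
    iam = IAM()
    iam.provision("alice", "finance", "correct-horse-battery")  # constructed credential
    ok_in_role = iam.access("alice", "correct-horse-battery", "ledger:write")
    bad_pw = iam.access("alice", "wrong-password", "ledger:write")
    out_of_role = iam.access("alice", "correct-horse-battery", "tickets:write")
    iam.grant_exception("alice", "tickets:write")  # project-based one-off grant
    iam.change_role("alice", "auditor")            # job change; the grant lingers
    excess = iam.review_excess()                   # the audit finding from Module 4
    iam.deprovision("alice")
    after_leave = iam.access("alice", "correct-horse-battery", "ledger:read")
    return {"ok_in_role": ok_in_role, "bad_pw": bad_pw, "out_of_role": out_of_role,
            "excess": excess, "after_leave": after_leave,
            "events": [r["event"] for r in iam.ledger]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two time scales side by side: `provision`, `change_role` and `deprovision` happen a handful of times in the identity's life, while `access` runs the identification, authentication, authorization and accounting steps on every request and writes a ledger entry whether the answer is allow or deny. The `review_excess` report is the kind of check an audit would run to surface grants that outlived the role that justified them.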

Module 5: Chapter 2 Review

It’s not an exaggeration to say that access control is the heart of the information systems security problem. Everything we do as security professionals drives down to this problem set; risk management sets requirements for access control to achieve, and the design, configuration, and operation of the information infrastructures the organization uses must reflect the access control decisions that have been made.  Access control technologies may very well represent the most hotly contested “real estate” in the battle between cyber defenders and cyberattackers.  This chapter has provided you with a rich, detailed, and in-depth orientation and introduction to many aspects of the access control need and problem, while it has also shown you ways to solve that problem and address that need.   

Overview

Course 2: Understanding Risk Management Options and the Use of Access Controls to Protect Assets

In this course, we will focus on understanding risk management options and the use of access controls to protect assets. We will start by examining the basic steps that must be in place to develop a security culture within the organization and impacting policies. We will also look into how to write and use them to enforce security requirements. Then we will move on to the actual business of control

Skills

Risk Management, Access Control

Reviews

It's really a good program that provides in-depth knowledge and understanding of risk management. Thank you Coursera & ISC management.