Access controls can be applied in various forms, levels of restriction, and at different places within a computing system. A combination of access controls can provide a system with layered defense-in-depth protection. Instructions:
For the scenarios that follow, identify the data that would need to be protected. Recommend how you would implement one of the access controls (listed after the scenarios) for the given scenario and justify your recommendation.
Scenarios:
1. Shovels and Shingles is a small construction company consisting of 1 multi-purpose server and 25 networked workstations. All employees have Internet access and use email. A few employees use tablet PCs in the field.
2. Backordered Parts is a mid-size defense contractor that builds communications parts for the military. The company has 15 servers and 250 workstations. All employees must have security clearances, and they communicate mainly using BlackBerry devices and email.
3. NetSecIT is a multinational IT services company consisting of 120,000 computers that have Internet access and 45,000 servers. All employees communicate using smartphones, tablet PCs, laptops, and email. Many employees work from home and travel extensively.
4. Access Controls
5. Administrative controls: Policies approved by management and passed down to staff, such as policies on password length.
6. Logical/technical controls: Control access to a computer system or network, such as a username and password combination
7. Hardware controls: Equipment that checks and validates IDs, such as a smart card for or security token for multifactor authentication.
8. Software controls: Controls embedded in operating system and application software, such as NTFS permissions.
9. Physical controls: Control entry into buildings, parking lots, and protected areas, such as a lock on an office door.