Identify appropriate controls

Overview


You should already know about identifying threats to a system and determining risk category. This resource will help you to identify and implement appropriate controls to assist with managing system security.

In this topic you will learn how to:

  • identify and put in place effective controls to manage risk
  • design policies and procedures to cover people interactions with the system
  • conduct user training in system-related policies and procedures
  • monitor high risk categories at specified periods
  • identify and record system breakdowns.

This topic contains:

  • reading notes
  • activities
  • references
  • topic quiz.

As you work through the reading notes you will be directed to activities that will help you to practise what you are learning. The topic also includes references to aid further learning and a topic quiz to check your understanding.

Download a print version of this whole topic: Identify appropriate controls (272 KB 2808.doc)

For an in-depth look at training methods, download the following additional reading document: Provide instruction (152 KB 2808_reading_02.doc)

Reading notes


Identify and implement effective controls to manage risk

In this section we will identify and implement security controls to manage risk.

Access control definitions

To start with we will define a few terms.

  • Access control is the practice of restricting entrance to a system such as a network, database, server, workstation, and so on. Access control can also apply to physical security, such as limiting access to a server room.
  • Access Control List (ACL) in computer security is a concept used to enforce system access and privileges. The list is a data structure - usually a table - containing entries that specify individual user or group rights to specific system objects such as a program, a process, or a file. In networking, ACLs are text-based files configured on routers and servers that can be used to identify who has permission to do what. For example, Cisco router IOS (Internetworking Operating System) has ACL provisions to control data traffic using IP addresses and TCP/IP port numbers (also called layer-3 switching). Network Access Control Lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.

You may remember some of the following definitions from previous topics:

  • A threat represents an event that can cause potential harm to a system.
  • Vulnerability represents a weakness in the system that can be exploited by a threat.
  • A risk is the probability that a threat may occur and harm the system.
  • A subject is an active entity such as a person or a process.
  • An object is a passive entity such as a file.

Designing ACLs

How are Access Control Lists (ACLs) created and implemented? In a generic sense, access controls can be applied to various means of identification. A spam filter is a means of access control. So are the access controls placed to prevent children from viewing adult content on the Internet.

In LAN/WAN environments, access controls may be applied using identifying factors such as IP addresses, MAC addresses, VLAN IDs, etc.

As an example, let’s see how Cisco applies Access Control Lists (ACLs) based on IP addresses in their routers and multilayer switches.

We will assume the following requirements:

  • permit all IP traffic from hosts on subnets 10.0.0.0/16 through to 10.7.0.0/16 inbound on Gigabit port 0/0/1
  • permit IP traffic from hosts on subnets 10.9.0.0/16 through 10.15.0.0/16 inbound on Gigabit port 0/0/1
  • deny all other IP traffic inbound on Gigabit port 0/0/1.

Here is one possible way to accomplish this (an ACL is evaluated from the top down and the first matching entry wins):

  • access-list 49 deny 10.8.0.0 0.0.255.255
  • Explanation: Access-list 49 indicates that we are using a Standard ACL (numbers range 1 to 99), which is usually applied close to the destination of the IP traffic. 10.8.0.0 refers to a subnet of a Class-A IP address using 255.255.0.0 as the subnet mask (note that a CIDR (Classless InterDomain Routing) prefix of /16 was given earlier). 0.0.255.255 is the wildcard mask that targets all IP addresses in the subnetted space indicated by 255.255.0.0, so 10.8.0.0 with this wildcard targets the specific subnet 10.8.0.0/16. Using deny blocks all IP traffic from that subnet.
  • access-list 49 permit 10.0.0.0 0.15.255.255
  • Explanation: the wildcard mask 0.15.255.255 covers 10.0.0.0 through 10.15.255.255. Because the deny entry for 10.8.0.0/16 appears first, it is matched before this broader permit. Traffic that matches neither entry is dropped by the implicit deny at the end of every ACL, which satisfies the third requirement.
  • interface GigabitEthernet0/0/1
  • ip access-group 49 in
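To show how the two entries of access-list 49 above are evaluated, here is an added Python model of IOS standard-ACL matching (this is not Cisco code or code from the original page). It implements wildcard-mask comparison, first-match evaluation and the implicit deny, and goes slightly beyond the text by also converting a subnet mask to its wildcard; the host addresses at the bottom are constructed sample inputs.

```python
import ipaddress

# Constructed from the text: the two entries of standard ACL 49, in order.
# Each entry is (action, address, wildcard). IOS evaluates entries top-down,
# the first match wins, and an unmatched packet hits the implicit deny.
ACL_49 = [
    ("deny", "10.8.0.0", "0.0.255.255"),
    ("permit", "10.0.0.0", "0.15.255.255"),
]


def wildcard_match(src: str, address: str, wildcard: str) -> bool:
    """Return True if src matches address under an IOS wildcard mask.

    In a wildcard mask a 0 bit means 'must match' and a 1 bit means
    'don't care' (the inverse of a subnet mask), so only the bits whose
    wildcard bit is 0 are compared.
    """
    s = int(ipaddress.IPv4Address(src))
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (s & care) == (a & care)


def evaluate(acl, src: str) -> str:
    """Walk the ACL in order and return the action of the first match."""
    for action, address, wildcard in acl:
        if wildcard_match(src, address, wildcard):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def subnet_mask_to_wildcard(mask: str) -> str:
    """Convert a subnet mask such as 255.255.0.0 to its wildcard 0.0.255.255."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(~m & 0xFFFFFFFF))


if __name__ == "__main__":
    # Constructed sample source addresses covering each requirement.
    for host in ["10.3.4.5", "10.8.0.1", "10.15.255.254", "10.16.0.1", "192.168.1.1"]:
        print(f"{host:>15} -> {evaluate(ACL_49, host)}")
    # Reversing the entries makes the broad permit shadow the deny.
    print("10.8.0.1 with entries reversed ->", evaluate(list(reversed(ACL_49)), "10.8.0.1"))
```

Running it prints permit for 10.3.4.5 and 10.15.255.254, deny for 10.8.0.1, 10.16.0.1 and 192.168.1.1, and shows that reversing the entries would wrongly permit 10.8.0.1.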

Take a look at the following links for more information about the use of Access Control Lists (ACLs):

  • Routergod:
  • TechRepublic:
  • Cisco:

Access control models

The ACLs we are referring to in this section are similar in function but apply at a layer that is higher than the 7-layer ISO/OSI Reference Model. For more OSI model information, see the Wikipedia entry for "OSI model" at or take a look at OSI model on Routergod at

We are looking at the user-layer - "Layer 8" - if we may call it that. Did you guess this already?

There are three categories for access control models:

  • Discretionary
  • Mandatory
  • Non-discretionary

Discretionary model

Discretionary access control is where subjects grant - or are granted - access to objects. It is called discretionary because rights are granted at the discretion of (typically) the system administrator.

A table is typically used to define the Access Control List (ACL). Here is an example:

Table 1: Example of an Access Control List table

Subject / Object 1 (file: wages) / Object 2 (file: overtime)
program: salary / read/write / execute
user: tom.smith / none / none
user: mary.lee / read/write / none
user: phil.jones / read / execute
process: average / read/write / none

Three types of subjects are identified in the table: program, users and process.

The program - called "salary" - can read and write to the object called "wages" (that is, the "wages" file). The program "salary" can also execute the "overtime" object to calculate overtime pay for the staff.

There are three users, all with varying access controls.

  • User tom.smith cannot read/write to the "wages" object and cannot execute the "overtime" object either.
  • User mary.lee can read/write to the "wages" object but cannot execute the "overtime" object.
  • User phil.jones can read the "wages" object but cannot write to the "wages" object. However, he is able to execute the "overtime" object.

The process called "average" can read/write to the "wages" object to compute the average wages of the staff but cannot execute the "overtime" object.

Two types of discretionary access control are

  • user-directed access control - where a user has the authority to alter access privileges to certain objects
  • identity-based access control - where access is based on the individual's identity.

Mandatory access control

With mandatory access control, access is granted to subjects (or users) based on the sensitivity of the objects (files, databases, etc). Labels such as clearance and classification are used to compare the subject’s clearance to the classification of the object.

Example

Objects (including files, folders, databases etc.) may be classified as

  • unclassified
  • confidential
  • secret or
  • top secret.

If the subject (or user) has a security clearance at the "confidential" level, this subject cannot view objects that are "secret" and "top secret". The subject can, however, view objects that are "unclassified" and "confidential".

Non-discretionary access control

Non-discretionary access control is usually centrally administered, with authorisation decisions based on the roles that individuals have within an organisation. A system's security administrator grants and/or revokes system privileges based on a user's position. The non-discretionary access control method is preferred if there are frequent personnel changes in an organisation.

There are two types of non-discretionary access control:

  • Role-based access control depends on the subject’s role in the organisation, and access is controlled by their inclusion (or exclusion) from particular user groups. As an example, a user account "john.smith" is added to a user group "sales_staff". All members of the group "sales_staff" have identical access privileges.
  • Task-based access control depends on the subject’s responsibilities in the organisation. Instead of user names such as "mary.taylor", a task-based user name such as "sales.manager" may be used. When a new person becomes the Sales Manager, the user account remains the same.
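The three models described above (the discretionary matrix of Table 1, the mandatory clearance/classification comparison, and role-based control via group membership such as "sales_staff") can be seen side by side in this added Python example, which is not part of the original page. The "crm" and "price_list" objects and the rights attached to "sales_staff" are constructed assumptions; the Table 1 rows and the four classification levels come from the text.

```python
from enum import IntEnum

# --- Discretionary: the access matrix from Table 1 (constructed from the text) ---
ACL_TABLE = {
    "program:salary":  {"wages": {"read", "write"}, "overtime": {"execute"}},
    "user:tom.smith":  {"wages": set(),             "overtime": set()},
    "user:mary.lee":   {"wages": {"read", "write"}, "overtime": set()},
    "user:phil.jones": {"wages": {"read"},          "overtime": {"execute"}},
    "process:average": {"wages": {"read", "write"}, "overtime": set()},
}


def dac_allowed(subject: str, obj: str, right: str) -> bool:
    """Discretionary check: look the right up in the subject's row.
    A subject or object with no entry is denied by default."""
    return right in ACL_TABLE.get(subject, {}).get(obj, set())


# --- Mandatory: labels ordered by sensitivity, compared rather than looked up ---
class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_can_view(clearance: Level, classification: Level) -> bool:
    """A subject may view an object only if its clearance is at least the
    object's classification: 'confidential' sees unclassified and
    confidential objects but not secret or top secret ones."""
    return clearance >= classification


# --- Non-discretionary (role-based): rights attach to groups, not to users ---
GROUP_RIGHTS = {  # constructed example rights for the group named in the text
    "sales_staff": {"crm": {"read"}, "price_list": {"read"}},
}
GROUP_MEMBERS = {"sales_staff": {"john.smith"}}


def add_to_group(user: str, group: str) -> None:
    """Grant a user everything the group holds by adding them to it."""
    GROUP_MEMBERS.setdefault(group, set()).add(user)


def rbac_allowed(user: str, obj: str, right: str) -> bool:
    """Role-based check: a user holds exactly the union of the rights of the
    groups they belong to; no per-user entry is ever edited."""
    return any(
        right in GROUP_RIGHTS.get(group, {}).get(obj, set())
        for group, members in GROUP_MEMBERS.items()
        if user in members
    )


if __name__ == "__main__":
    print("mary.lee write wages:", dac_allowed("user:mary.lee", "wages", "write"))
    print("confidential views secret:", mac_can_view(Level.CONFIDENTIAL, Level.SECRET))
    add_to_group("mary.taylor", "sales_staff")
    print("mary.taylor read crm:", rbac_allowed("mary.taylor", "crm", "read"))
```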

Types of access control implementations

Three types of controls and three kinds of mechanisms can be implemented to administer secure system access.

Table 2: Access control implementation types

Controls / Mechanisms
Preventative / Administrative
Detective / Technical (logical)
Corrective / Physical

To determine the relationships and possible combinations between each of these elements, the following diagram provides a key to further discussion:

Figure 1: Key to combinations of Access Control Implementations (a grid with Controls on one axis and Mechanisms on the other, numbering each combination)

As you can see, each of the three types of controls (Preventative, Detective and Corrective) can be combined with each of the three types of mechanisms (Administrative, Technical and Physical). The numbers refer to the headings below.

Here are some examples of combinations of controls/mechanisms that can be used to implement access control:

1. Preventative/administrative

These controls focus on monitoring and training users, including

  • organisational policies and procedures
  • employee background checks
  • employee termination procedures
  • employment agreements
  • security awareness training
  • labelling of sensitive materials
  • vacation scheduling.

2. Preventative/technical

These controls are typically applied to operating systems, software applications or system component hardware and software, such as

  • protocols
  • biometrics identification
  • data encryption
  • passwords
  • smartcards.

3. Preventative/physical

These control physical access to sensitive security perimeters. Examples are

  • guards
  • badges
  • man-traps (may trap an intruder between two physically separated doors).

4. Detective/administrative

  • Sharing responsibilities
  • Reviewing audit records
  • Behaviour awareness.

5. Detective/technical

  • Identify intrusions using Intrusion Detection Systems (IDS)
  • Violation reports where sensitive files may have been modified without authorisation.

6. Detective/physical

  • Video cameras
  • Motion detectors
  • Thermal detectors.

7. Corrective/administrative

This refers to administrative actions taken to recover from an attack. Examples are

  • update security policies and procedures
  • terminate access for those responsible for the intrusion.

8. Corrective/technical

This refers to technical controls that are implemented to increase security control levels.

  • MAC (Media Access Control) address-based VLANs (Virtual Local Area Networks) may be implemented to prevent unauthorised wireless-based system access.

9. Corrective/physical

The physical premises may be secured to provide a higher degree of surveillance.

Centralised/decentralised access controls

Access control administration can also be either centralised or decentralised.

Centralised Access Control occurs where system resources are centrally managed, typically by one office or system administrator. One advantage is that centralisation provides tight controls for consistent implementation of access control policy across a whole organisation/system.

One example is RADIUS (Remote Authentication Dial-In User Service). RADIUS uses an authentication server and dynamic passwords. The RADIUS protocol is an open, UDP-based protocol that can be adapted to work with various security systems.

RADIUS provides AAA (Authentication, Authorisation, and Accounting) services to routers, modem servers, and wireless applications. Three main components follow:

1. NAS (Network Access Server) uses protocols such as PPP (Point-to-Point Protocol) or SLIP (Serial Line Internet Protocol) to process connection requests.

2. Access client is a person or a device (such as a router) that is requesting a connection.

3. The RADIUS Server compares data stored in a trusted database to the NAS information to authenticate and authorise the connection.

Another example is TACACS+ (Terminal Access Controller Access Control System Plus), which is similar to RADIUS. TACACS+ also provides AAA services. It supports dynamic passwords, authentication, and audit functions. Three main components of TACACS+ are

  • NAS
  • Access Client
  • TACACS+ Server.

Decentralised access control

Decentralised access controls are maintained by the owners/creators of files. Security domains are typically created so that member-users can operate under the same management and follow common security policies. While decentralisation provides greater flexibility for individual administrators, the loss of standardisation may cause duplication of effort across departments.

Two examples include the creation of a security domain (as mentioned above) and Trust. Trust is where no access restrictions are placed on users. All actions and accesses are permitted to all users.

Activity 1

To practise implementing controls to manage risk, complete Activity 1—Implement controls to manage risk, located in the Activities section of the Topic menu.

Design policies and procedures for human interactions with the system

In this section, we will develop policies and procedures for users.

In a typical network, users access system resources via their workstations or laptops. In most organisations, user workstations are pre-configured by the IT support personnel. As such, we will NOT focus on the following obvious issues:

  • using an Internet firewall
  • getting computer updates
  • using up-to-date antivirus software.

It will be assumed that such controls have already been implemented by the IT support staff. Therefore, we will focus on what a user can and cannot do when interacting with the system.

Users typically interact with the system to provide services to their organisations. New documents may be developed that are later printed for distribution. While it may be common knowledge that job-hunting users are not allowed to update their resumes and print them out on their organisation’s printers, users may need to be informed of this policy.

Another example might be that personal and defamatory opinions of fellow staff members may not be emailed within the organisation. Distasteful jokes and cartoons may not be printed and posted on bulletin boards. Log-on passwords may not be written on paper and stuck on monitors.

These are some examples of how users may interact with the system in ways that can violate the organisation's policies. Such policies must be identified and properly documented so that they can be enforced throughout the organisation when users interact with the system.

Two sample policies are included here as a guide - click on the links below to download these Word documents.

  • E-Policy: Security Policies and Procedures (39 KB 2808_sec_policy.doc)
  • Email Policy (36 KB 2808_email_policy.doc).

You will develop your own later in the Activities Section.

Activity 2

To practise designing policies and procedures for users, complete Activity 2—Design policies and procedures for users, located in the Activities section of the Topic menu.

Conduct training to use system-related policies and procedures

In this section, you will see how users can be trained to use system-related policies and procedures. There are many training methods. We will discuss some aimed at enhancing security at the workplace.

As with all security-related training, remember that employees are part of the security solution and not part of the security problem.

Senior managers must ensure that employees in their organisation are made aware of their responsibilities to protect their system from security compromise. As such, employees should be made aware of the need to be diligent in their work habits and apply good system security practices.

Security awareness

Security awareness refers to the collective consciousness among an organisation's employees of the need to adhere to security policies and procedures. Employees must apply good work habits to protect their organisation's critical and sensitive information.

This can help to detect fraud, reduce unauthorised system-related activities, and prevent security compromises in general. Employees must be informed that there are consequences for violating their organisation’s security policies and procedures.

Employees found violating the security policies and procedures may

  • be issued a warning
  • be reprimanded
  • be terminated in extreme cases.

Training methods

For an in-depth look at training methods, download the following additional reading document: Provide instruction (152 KB 2808_reading_02.doc)

Reinforcing training

Employee awareness and training may be reinforced through the use of some of the following methods:

  • lectures - group training sessions to ensure standards are set across the organisation
  • meetings - responsibility for security is emphasised within the employee's working group
  • videos - professionally developed materials convey a consistent message that can be delivered anywhere, anytime
  • newsletters - social awareness and announcements of employee awards
  • emails and bulletins - providing up-to-date security information
  • incentives and recognition - rewards programs to encourage pro-active employee involvement
  • log-on banners - daily workplace security reminders.

Training may go beyond security awareness; it may be conducted for employees who are responsible for performing additional security-related duties. These duties may include the following:

  • identify security breaches
  • report security breaches
  • when security has been breached:
      • ensure availability of the system
      • manage integrity of the system
      • maintain confidentiality of the system.

The table below shows typical levels of training with their target audiences.

Table 3: Typical training levels

Training level / Target audience
Awareness / Staff with security-sensitive positions
Security-related job training / Operators and other designated users
High-level security training / Senior managers, functional managers, business unit managers
Technical security training / IT support personnel and system administrators
Advanced information security training / Security practitioners and information systems auditors
Specific security software and hardware training / Operators, IT support personnel, system administrators, security practitioners, selected users

Measuring security awareness

By itself, security training may not be sufficient. For this reason, measuring security awareness at regular intervals can be important. This ensures that employees’ security awareness is actually practised in the organisation.