- Objectives
- Introduction
- AAA Overview: Access Control, Authentication, and Accounting
- Security Administration—The Importance of a Security Policy
- Keeping Up with and Enforcing Security Policies
- Risk Assessment
- Why Data Classification Is Important
- The Importance of Change Management
- Performing Vulnerability Assessments
- Chapter Summary
- Apply Your Knowledge
Chapter Summary
To understand the business concerns that drive security policy, activity, and principles, it's essential to understand security practices and how they may be applied to any given situation. This explains why general best practices and policies must be tailored to an organization's location, type of business, employee needs, and so forth when formulating security policy for any specific application. It also explains why, even though there are predictable, pro forma aspects to security policy for any organization, no one-size-fits-all or cookie-cutter approach is feasible when formulating a specific security policy.
The cornerstone of security as a systematic discipline is AAA, which stands for access control, authentication, and accounting. Authentication provides some reasonable proof of user identity, which in turn makes control over access to resources and information possible, as well as permitting individual actions, access, and behavior to be audited and accounted for. Although the details involved in implementing AAA vary from situation to situation, basic requirements for all three security principles remain constant.
Various methods for access control may be applied to systems and networks. These methods include Mandatory Access Control (MAC), Discretionary Access Control (DAC), Rule-Based Access Control, and Role-Based Access Control (RBAC).
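The four models listed above differ mainly in who sets the rule and what the rule is keyed on. The following added example (not from the chapter) implements each as a small decision function over constructed subjects and resources; the labels, the roles, the "no read-up / no write-down" pair used for MAC, the internal network range and the business-hours window are all illustrative assumptions.

```python
# Added example: MAC, DAC, RBAC and rule-based access control as four
# decision functions over the same constructed request data.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # MAC lattice
# RBAC: role -> set of (resource type, action) permissions (assumed roles)
ROLE_PERMS = {"analyst": {("report", "read")},
              "editor": {("report", "read"), ("report", "write")}}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # consumed by the rule-based model

@dataclass
class Subject:
    name: str
    clearance: str                       # MAC label assigned by the system
    roles: Set[str] = field(default_factory=set)
    source_ip: str = "10.1.2.3"          # attribute checked by rule-based control

@dataclass
class Resource:
    name: str
    rtype: str
    classification: str                  # MAC label assigned by the system
    owner: str                           # DAC: the owner manages the ACL
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # DAC: user -> actions

def mac_allows(s: Subject, r: Resource, action: str) -> bool:
    """MAC: labels are fixed centrally, not by the owner. Read needs clearance >=
    classification (no read-up); write needs clearance <= classification
    (no write-down), the usual confidentiality rule pair."""
    cs, cr = LEVELS[s.clearance], LEVELS[r.classification]
    return cs >= cr if action == "read" else cs <= cr

def dac_allows(s: Subject, r: Resource, action: str) -> bool:
    """DAC: the owner decides; anyone else needs an explicit ACL grant."""
    return s.name == r.owner or action in r.acl.get(s.name, set())

def rbac_allows(s: Subject, r: Resource, action: str) -> bool:
    """RBAC: permissions attach to roles, never directly to users."""
    return any((r.rtype, action) in ROLE_PERMS.get(role, set()) for role in s.roles)

def rule_allows(s: Subject, r: Resource, action: str, hour: int) -> bool:
    """Rule-based: system-wide rules that ignore who the subject is.
    Writes only from the internal network; secret data only 08:00-18:00."""
    internal = ipaddress.ip_address(s.source_ip) in INTERNAL_NET
    if action == "write" and not internal:
        return False
    return r.classification != "secret" or 8 <= hour < 18
```

In practice a system layers several of these, so a request must pass every model that is configured, not just one.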
User authentication techniques vary in scope and strength, but also in expense. Most ordinary situations are adequately served by accounts with suitably strong passwords, but where stronger security (and hence stronger authentication) is required, biometric or special-purpose security devices may be incorporated into the authentication scheme instead of, or in addition to, passwords.
Key Terms
access control
accounting
auditing
authentication
change management
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
qualitative analysis
quantitative analysis
risk
risk analysis
risk assessment
role-based access control
rule-based access control
security policy
security checklist
threat
vulnerability