
Address Issues Discussion on 3 Topics of Forum

Author:   •  October 21, 2018  •  3,287 Words (14 Pages)  •  811 Views


...

Thanks

Topic 2:

IT Security Models & Access Controls

Management – Corrective: A corrective access control is one that remedies a circumstance or mitigates damage done (Whitman and Mattord, 2016). When an employee resigns or is terminated, it can be a major security risk if they still have access to network and company IT resources. This threat could result in unauthorized access to system resources and data. To mitigate this risk, appropriate termination controls, policies and procedures need to be in place.

At the organization there is a very comprehensive employee termination process that is owned by the people and performance business unit but involves a number of key stakeholders across the organization. This process is reviewed on a regular basis as part of the company's risk management program. On employee termination, communications are distributed in advance with specific times to action the staff termination procedure. The procedure terminates all account access and ensures all data and records relating to the individual are retained. The system administrator or security officer follows a step-by-step checklist that ensures all manual and automated actions are successful.

By having robust employee termination controls in place, the organization can ensure that its data, IP and confidential information is protected, data integrity is not at risk and system availability isn’t threatened by an unauthorized terminated employee.

Operational – Preventative: Preventative access control is one that helps an organization to avoid an incident (Whitman and Mattord, 2016). Organizations need to securely house their IT infrastructure and sensitive data. This can be in a secure server room or in a data centre that is built to be more robust and secure based on the organization’s needs.

At the organization, infrastructure is located at an on-premise data centre as well as in co-location at a tier 3 data centre facility. The on-premise infrastructure is primarily for testing and pre-release. The infrastructure, systems and data located at the tier 3 data centre are classified as business critical and are used by the corporate and customer production environments. The facility is very secure and must meet governance and compliance regulations. Compared to our on-premise data centre, which uses digital key cards, CCTV and biometric digital locks, the tier 3 data centre is strategically placed, has external fences and barriers, has a 100 foot buffer zone around the whole site with crash-proof barriers, automated bollards, full CCTV coverage and 24x7 security guards posted at the street entrance as well as within the facility.

Utilizing a highly secure facility to house the organization's critical systems and sensitive data reduces the risk of systems being compromised, thus enforcing data and system confidentiality, integrity and system availability.

Technical – Recovery: Recovery control is one that remedies a circumstance or mitigates damage done (Whitman and Mattord, 2016). In the case of an incident or disaster where data needs to be recovered, there needs to be another copy or backup of the data that can be used for recovery.

Data protection at the organization utilizes traditional data backups, vaulting and shadowing, depending on the system and data classification. Traditional backups are onsite and offsite (cloud & tape), with policy and workflow that determine how often backups occur to meet the recovery point objectives. Tapes remain onsite before being moved offsite to a cloud repository and tape vaulting facility. Core business systems such as SQL and Oracle databases use native functionality to ensure there is a mirror/shadow of the database at different locations in real time. This is achieved via low latency, dedicated links.

With proper data backups and policy in place, an organization can ensure availability of its systems in the event of an incident or disaster. (Scalet, S. 2015) & (Whitman, M.E. and Mattord, H.J. 2016).

Forum Discussion Topic 2:

RE: Diverse Models for IT security and Access control

In this cyberspace era, IT security requires diverse models to control security over the internet and to provide a high level of data safety. Access control is used to provide access to every individual as per policy standards.

IT security and access control have two major segments:

1- Physical Control - Where security personnel and infrastructure are involved

2- Logical Control - Where devices and logical methodologies are involved

According to me, IT security models and access control are meant to provide the highest level of security to every individual associated with the internet for various purposes. Moreover, in the interest of everyone and to gain the confidence of everyone on the web, researchers gave us different models to give access at different levels to secure data.

These access control and IT security models are extensively used to stop unauthentic access of unauthorised users and to secure data at different levels. Unauthentic access increases the chances of data vulnerability, which may cause serious issues to an organisation, person, and country.

RE: Diverse Models for IT security and Access control


Your approach is right. But you did not talk about security models.

RE: Diverse Models for IT security and Access control

Hey

I had given a brief discussion regarding the security model in my paper. The different models which work for IT security are:

- Identification

- Authorization

- Authentication

- Access Approval

- Accountability

RE: Diverse Models for IT security and Access control


Hi,

You have explained security models very precisely. I liked your post and explanation.

...
