Appendix F

Associate Level Material
Appendix F

Access Control Policy

Student Name: Your Name

University of Phoenix

IT/244 Intro to IT Security

Instructor’s Name: Romel LLarena

Date: 2/17/2013

Access Control Policy

Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies work to secure information systems

1 Authentication

Describe how and why authentication credentials are used to identify and control access to files, screens, and systems. Include a discussion of the principles of authentication such as passwords, multifactor authentication, biometrics, and single-sign-on.

Authentication is the process that validates authenticity. An authentication entity present credentials, like usernames and passwords as proof of their identity, and verifies that they are who they claim to be. Evaluating credentials supplied by the user performs authentication. Credentials could be something you know such as a password. Multifactor authentication systems uses more than one system to identify the user, for example a password and a token may be needed to provide identity. Biometrics is used to authenticate users by measuring the physical characteristics of the human body to be measured and matched with previously recorded data. Single sign on method allows users to sign in once per session and gain access to all systems.

2 Access control strategy

1 Discretionary access control

Describe how and why discretionary access control will be used. Include an explanation of how the principle of least privilege applies to assure confidentiality. Explain who the information owner is that has the responsibility for the information and has the discretion to dictate access to that information.

Discretionary access controls will be used to restrict access to objects based on the identity of the subjects and groups to which they belong using the least set of privileges necessary to complete the job. The subject with certain access permissions is able to pass that permission on to other subjects. The information owner is usually the user who created the object or the root/administrator of the operating system.

2 Mandatory access control

Describe how and why mandatory access control will be used.

Only the administrator will use Mandatory access control (MAC) to manage the access controls. The administrator will define the usage and access policy that cannot be changed by users. The policy will determine who has access to what.

3 Role-based access control

Describe how and why role-based access control will be used.

Role based access control will be used to restrict system access to authorized users only. Permission to perform operations is assigned to specific roles.

3 Remote access

Describe the policies for remote user access and authentication via dial-in user services and Virtual Private Networks (VPN)

Remote Access Dial-In User