CIS 349 Evaluating Access Control Methods

Strayer CIS 349 Information Technology Audit and Control, Assignment 3: Evaluating Access Control Methods, 6 pages, 1207 words, for Auditing IT Infrastructures for Compliance.
Imagine you are an Information Systems Security Specialist for a medium-sized federal government contractor. The Chief Security Officer (CSO) is worried that the organization’s current methods of access control are no longer sufficient. In order to evaluate the different methods of access control, the CSO requested that you research: mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC). Then, prepare a report addressing positive and negative aspects of each access control method. This information will be presented to the Board of Directors at their next meeting. Further, the CSO would like your help in determining the best access control method for the organization.





Discussion

Many companies, large and small, have implemented Bring Your Own Device
(BYOD) policies allowing employees to use their personal smartphones and
tablets to conduct business while at work. Debate the major pros and cons of
implementing such a policy.
The pros of BYOD are pretty obvious, and seem attractive to management or anyone
wanting to reduce costs.
• Reduced management/support of devices: Typically, BYOD also translates to
“support and manage your own device”, leaving IT resources free to focus on
supporting other assets.
• Reduced expenses of devices: Unless the company is reimbursing employees
for their devices, they are no longer paying for them out of company budget.
• Elimination of lifecycle management: Since the company does not own them,
it is not tasked with continuously replacing them as they are lost/stolen or
become obsolete.
• Faster deployment: Since the user deploys their own device, the deployment
time is faster, as IT resources no longer need to plan and schedule
deployment.
The cons of BYOD are usually more evident and concerning for security and
compliance/privacy staff, and can often outweigh the pros.
• Support ownership: Even though policy and agreements may establish clear
guidelines on who is responsible for support of personal devices, IT often finds
itself spending support time proving an issue belongs to the device
owner and suggesting where to seek assistance.
• Management expenses: Even though there is less need for management
overhead of the devices themselves, there are still costs involved for the MDM
platform that allows for a BYOD environment to exist. Licensing, maintenance
and other hardware/software costs can quickly become quite large.
• Monitoring overhead: Being able to understand what devices are in the BYOD
environment and ensuring no unauthorized devices are present takes
significant monitoring, which requires costs in both technology and labor.
• Multiple platforms and versions: BYOD means needing to support multiple
hardware and OS platforms, as well as the many versions of each, which can
require significant resources in staff time for testing and updating backend
systems.
Identify three (3) risks that might result from implementing a BYOD policy.
Suggest a method for mitigating each risk you have identified. Provide a
rationale for your response.
• Data loss: It is possible that data copied to such devices can be offloaded to
external destinations without company knowledge, leading to potential
breaches. A way to prevent this is to ensure the MDM policies do not allow mail
(or attachments) to be copied to the device or from one account to another on
the device and that other applications do not have access to the company
email profile.
• Uncontrolled wireless: With the inability to enforce wireless connection
standards on personal devices, there is a high potential for a user to connect to
an insecure network, allowing others to intercept or redirect traffic between the
device and the corporate network.
• Vulnerabilities: Without full control over the device, the company can be put at
risk by devices with vulnerable software, jailbroken/rooted devices or missing
OS updates. Most MDM solutions allow for detection of rooted/jailbroken
devices, blocking their access to systems, as well as requiring minimum OS
versions and blocking of specific applications that may pose a risk.