You will need to divide yourselves into one of three groups by choosing one of these functional areas. Sign into a Security Plan Group. Then you will create an entry where you will post its specific plan.
THE THREE GROUPS: PICK ONE
- The protection of intellectual property (Remember Module 3)
- The implementation of access controls (Remember Module 2)
- Patch and change management (See this module)
Describe what processes you would put in place and write 2-3 paragraphs.
The functional area chosen is,
Security Plan Group:
The implementation of access controls:
Description of processes I would put in place for the implementation of access controls:
In general and from a broad perspective, one should implement access control systems successfully in his/her organization and even everywhere for the safety and security of systems, IT infrastructure, services, etc. Any and all processes involving the implementation of access controls should be strong, simple, easy, useful, helpful, effective, efficient, convenient, safe, secure, adequate, relevant, appropriate, and proper. Access controls should be based on the least privileged access. One (either administrator, user, or a system) should allow access (privileged) to users, administrators, partners, customers, contractors, etc., either inside or outside of the organization, based only on their respective roles, who accesses it, why he/she accesses it, what exactly they want to log in to, access, and use it for, what exactly they want to do after they log in and access, what their intention or purpose is in accessing the systems, how many and how much they are trying to do so, when they are doing so, from where they are trying to do so, on which device they are trying to do so, etc. The access provided to someone should be as minimal as possible, and by default they should not be given access to any other systems, services, accounts, resources, subscriptions, machines, etc., that are not relevant, not useful, or not required to perform their respective tasks. This allows administrators, forensic security officers, audit officers, etc., to investigate incidents, events, issues, and breaches, and lets them administer, monitor, manage, and control systems, servers, networks, devices, services, accounts, etc., better, effectively, efficiently, and easily, and makes it simple for them.
Access control is one of the important elements of security implementation. The typical, important, and common access control process includes, involves, and revolves around identification, authentication, authorization, verification, auditing, and reporting. The different access control types are: logical, administrative, technical, and physical. The main categories for access control are deterrent, directive, preventative, detective, corrective, recovery, and compensating. The different types of access control systems required to be implemented are Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Rule-Based Access Control (RBAC).
One should use Multi-Factor Authentication (MFA), single sign-on (SSO), and biometric authentication and verification steps or checkpoints for the authentication process. Access control should be used as a measure in order to mitigate an organization's security risks. In general, access control security steps should be applied at every level of the system, IT infrastructure, devices, machines, networks, services, etc., and if possible, should be applied before every action meant to be performed. Understanding, education, and awareness of access control, its importance, its management implications, consequences, breaches and attacks, methods and techniques, tools, systems, applications, software, hardware, etc., should be made available and should be implemented for everyone associated with the systems and resources.
More technically speaking, Network Access Control (NAC), Identity Management (IDM), Web access control, remote access control, and device or endpoint access control are different, important, and required access control types that need to be implemented. User identity, device identity or resource identity, and network identity should be implemented. It should be ensured that users have access to the right data, systems, and other corporate resources they are authorized to access and use. Proper rules, checkpoints, permissions, and approvals should be set, possessed, and met before a user actually accesses a resource. The access control implementation process should address, handle, and reduce false-positive and false-negative cases. Irrespective of login and access successes or failures, all logs for the same should be stored and audited. There are many other steps, systems, processes, and technologies that can be implemented and applied for access control. Finally, processes for access control implementation should work based on the very basic, and yet very important principles, i.e., Confidentiality, Integrity, and Availability (CIA) of systems, data, and resources.
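As an added example (not part of the original answer), the following Python code shows the kind of access decision described above: deny by default, grant only what the role needs, check when, from where, and on which device the request is made, and record every decision, whether success or failure, for audit. All role names, resources, hours, networks, and device names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample policy: role -> the only (resource, action) pairs it may use.
ROLE_PERMISSIONS = {
    "hr_analyst": {("payroll_db", "read")},
    "db_admin": {("payroll_db", "read"), ("payroll_db", "write")},
}
# Constructed context rules: allowed hours, networks, and managed devices.
ALLOWED_HOURS = (time(8, 0), time(18, 0))
TRUSTED_NETWORKS = {"corp-lan", "corp-vpn"}
MANAGED_DEVICES = {"laptop-0142", "laptop-0077"}

AUDIT_LOG = []  # every decision, allow or deny, is appended here


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    action: str
    at: time
    network: str
    device: str


def decide(req: Request) -> bool:
    """Deny by default; allow only if the role and every context check pass."""
    reasons = []
    # Unknown roles get an empty permission set, so they are denied.
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append("role lacks permission")
    if not (ALLOWED_HOURS[0] <= req.at <= ALLOWED_HOURS[1]):
        reasons.append("outside allowed hours")
    if req.network not in TRUSTED_NETWORKS:
        reasons.append("untrusted network")
    if req.device not in MANAGED_DEVICES:
        reasons.append("unmanaged device")
    allowed = not reasons
    # Log successes and failures alike, with the reasons for any denial.
    AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                      "action": req.action, "allowed": allowed,
                      "reasons": reasons})
    return allowed


if __name__ == "__main__":
    r = Request("alice", "hr_analyst", "payroll_db", "write",
                time(10, 30), "corp-vpn", "laptop-0142")
    print(decide(r), AUDIT_LOG[-1]["reasons"])
```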