Step 8: Assess Authentication, Authorization, and Access Control
Now that you have explored authentication, authorization, and access control in Steps 1, 2, and 3 and completed the simtray training in Step 7, you will direct your attention to the specific issues of your assigned organization. Identify particular issues that your organization has had, currently has, or could potentially have in terms of authentication, authorization, and access control. Next, assess the potential effectiveness of the access control models from Step 3 for your organization and scenario. Document your assessment, as you will refer to this information throughout this project.
Step 9: Research Industry Best Practices
In Steps 1, 2, and 3, you gathered information regarding authentication, authorization, and access control and had an opportunity to apply these concepts through training in Step 7. In Step 8, you thought about how to apply this knowledge to your own organization. In Steps 4, 5, and 6, you wrote reports on how psychology, anonymity, and privacy awareness impact cybersecurity. You are now ready to meet with your peers in the industry to get a sense of current practices.
Your peer discussion can take various shapes. Research online articles and/or interview colleagues, friends, and acquaintances in different fields to gather the most current information on what various industries are doing to meet their cybersecurity needs. The information and ideas that you obtain here will help you formulate a recommendation and develop a job aid for the human resources (HR) managers that John requested. At a minimum, you will need to cover the items in the list below.
- Give examples of authentication, authorization, and access control that you have seen in your experience, in your assigned organization, and/or in your research and interviews.
- Discuss what worked well and what could be improved.
- Discuss the role of policy in defining and implementing authorization schemes as applied to your experience.
- Apply key points and principles in the NIST Cybersecurity Framework for virtual machine cybersecurity.
- Analyze the technologies, uses, and roles of information assurance and software protection technologies.
- Prioritize current cybertechnological threats faced at the enterprise, national, and international levels.
- Evaluate the procedures, policies, and guidelines used to protect the confidentiality, integrity, and availability of information (the CIA triad).
Use the information gathered here to assist in formulating your recommendations in Step 10.
Step 10: Formulate Recommendations
From the information that you have gathered throughout this project, formulate a recommendation for authentication, authorization, and access control. If you determine that your organization needs no changes in these areas, explain your position and what your leadership (and you, as CISO) will continue to monitor to ensure that your security standards remain commensurate with expectations. Make sure that you consider the need to restrict data from department to department as appropriate, to protect the organization's HR data from outside and inside threats in general, and to allow employees to access the data they need while offsite. Also consider the human aspects of cybersecurity from Steps 4, 5, 6, and 7. Include a recommendation for an ongoing risk management strategy. You will include your recommendations in your Implementation Guidance Presentation in Step 12.
Your recommendation must meet the following criteria:
- coincide with IT vision, mission, and goals
- align with business strategy
- incorporate all internal and external business functions
- create the organizational structure to operate the recommendation and align with the entities as a whole