Okay, so let's go ahead and take a look at the requirements for access control. And we've talked about the basics. We talked about how we were gonna limit access to authorized users and how we're gonna make sure that only authorized functions would happen. But how do we accomplish that? What are the elements that make this up? Well,
the first element, 3.13
control the flow of control. But unclassified information. See you, I in accordance with approved authorizations. So when we talk about flow of information, sometimes we're talking about it flowing across boundaries. Like, for instance, if somebody
has top secret clearance,
could they access secret information?
Or somebody has secret clearance? Should they be able to access top secret information? Well, that deals with the data flow. So ultimately, this 3.13 is saying we have to make sure that data is only allowed to flow based on authorization, making sure that it could only float authorized individuals and across the hall, then across
the next l that separate the duties of individuals to reduce the risk of malevolent activity without collusion, separation of duties and what that means is no one individual has all power and all authority. For instance, if you look at your work environment, the person that prints the checks,
not the same person that signs the checks right.
Otherwise, I would be often my vacation to Hawaii right now.
So we separate out those roles, and sometimes we'll hear. It referred to his forcing collusion,
meaning someone would have to collude to be successful at committing fraud there. That separation of duties is a huge, huge, um
ah requirement in most environments, all right, 315 employing the principle of least privilege, meaning you allow users the absolute minimum rights and permissions that they need to do their job. You know, a long time ago I walked into an organization. They only had four employees,
and that was kind of their thought process there.
But every single one of those employees had administrative credentials, and the reason for that was, well, I want everybody to be able to do whatever they need.
No, you don't, right. We want to limit that. It's also gonna affect accountability as well. If everybody has the administrator account, how do I know who's committing? What action So the bottom line is permissions and right should be granted based on the minimum possible that I can give right.
All right, 3.16 years. Non privilege accounts of rolls when accessing non security functions. That's why when I come into the morning in the morning and I walked onto a system is Kelly H R K Hander hand instead of administrators, have an administrative account. But I don't do all my work
It increases the risk of compromise. Maybe I stepped away from my desk for half a second brother. You know, if I would do that, I would lock my system. But let's say other people wouldn't. Or if there's some sort of compromise in the system, some sort of road process running at
the levels whoever's currently logged in, we want to make sure that slip
All right. 3.1 dot seven prevent non privileged users from executing privileged functions. Sure, meaning that we limit those non privileged users so that they can only do things that you associate with non privilege use. We don't grant the Kelly H account
permission to modify the registry right. We create privileged accounts and only allow those privileged accounts access and make sure that individuals with privilege access only useless accounts as needed.
Limit unsuccessful log in attempts. So how many bad attempts do you get until you're locked out of the system? Well, we generally allow a certain amount of the temps, and that's referred to as a clipping level. So I'm gonna let you have three bad attempts and three is the clipping level.
After that point in time, you're gonna be locked out.
Why? Because we want to prevent password guessing. We want to prevent some of these dictionary programs just trying, trying, trying till they get access. Provide privacy and security notice since consistence consistent with applicable See why rules? Meaning that if we're gonna audit e mail,
while keystrokes If we want to make sure that people are following proper privacy guidelines. Basically, when we have these rules to protect, see what we have to make the known, especially if there's a possibility that in order to protect your monitor, my c y,
I might run the possibility of infringing on the user's privacy expectations. So the bottom line is we have rules and policies in place
All right, Um, let's see, 31 10 you session walk
with pattern hiding displays to prevent accessing viewing of data after a period of in activity. So, basically, if someone is inactive for five minutes, you know, you've seen the screen savers that come honor the screen lot mechanisms and making sure whatever that locking function is,
it obscures the data that was being modified or manipulated.
And with sessions, you know, connecting to a terminal server or connecting to another server. Ah, host here, there whatever. We want to make sure that those sessions air terminated after a certain amount of idle time.
You know, you get that when you log on to your bank or your credit card, and if you get distracted 10 minutes later, you come back and you're automatically logged out
again. We're always creating vulnerability when we access thes sensitive sites and users are forgetful. We want to implement every sort of policy to help users from being forgetful.
All right, now we're gonna break the derive security requirements into two sections, cause they're so many. So we'll pick up in a moment with the second half of derived security performance