Data Security And The Security

Data Security And The Security
Abstract– Data security is one important issue that everyone anticipates these days. Whether it is an
individual or an organization securing the data in the database is very important. As the technology
is enhancing day by day the data is more vulnerable to the security breaches.A really exhaustive
approach for information assurance should likewise incorporate instruments for implementing
access control approaches focused around information substance, subject capabilities and qualities,
and other pertinent relevant data, for example, time. Strategies for information trustworthiness what
's more accessibility particularly customized to database frameworks must be embraced. We
concentrate on access control frameworks, on which a huge ... Show more content on
Helpwriting.net ...
At the point when information is inaccessible, data critical for the correct working of the association
is most certainly not promptly accessible when required. "Hence, a complete solution to data
security must possess the following three requirements:
1) Secrecy or confidentiality refers to the protection of data against unauthorized disclosure,
2) Integrity refers to the prevention of unauthorized and improper data modification, and
3) Availability refers to the prevention and recovery from hardware and software errors and from
malicious data access denials making the database system unavailable."
Information assurance is guaranteed by distinctive parts of a database management system (DBMS).
Specifically, an access control system guarantees information secrecy. At whatever point a subject
tries to get to an information question, the right to gain entrance control component checks the
privileges of the client against a set of approvals, expressed for the most part by some security
chairman. An authorization states whether a subject can perform a specific activity on an item.
Authorizations are expressed as per the right to gain entrance control strategies of the association.
Information secrecy is further upgraded by the utilization of encryption strategies, connected to
information when being put away on optional stockpiling or transmitted on a network. In this paper,
we concentrate chiefly on the privacy prerequisite and we examine access control
... Get more on HelpWriting.net ...

Is4560
Asymmetric Encryption Encryption that uses two keys: if you encrypt with one you may decrypt
with the other MD5 Message Digest 5. A hashing funciton used to provide integrity. MD5 uses 128
bits. A hash is simply a number created by applying the algorithm to a file or message at different
times. The hashes are compared to each other to verify that integrity has been maintained. IPSec 1)
Set of protocols developed to support the secure exchange of packets IPv4 and IPv6 2) Operates at a
low level in the OSI model (Layer 3) 3) Transparent security protocol for applications, users, and
software OSI Model 7.Application 6.Presentation 5.Session 4.Transport 3.Network 2.Data
1.Physical OSI Model Layer 3–Network Handles ... Show more content on Helpwriting.net ...
Dsniff is highly effective for sniffing both switched and shared networks. It uses the arpredirect and
macof tools for switching across switched networks. It can also be used to capture authentication
information for FTP, telnet, SMTP, HTTP, POP, NNTP, IMAP, etc. Netstat Netstat shows IP–related
statistics including: * Current connections * Incoming and outgoing connections * Active selections,
ports, and sockets * The local routing table Netstat is used to view protocol connections that have
been established by the system, as well as what incoming TCP/IP ports are in use by the system.
Scareware / Adware Adware: software specifically designed to display ads in the form of popups or
nag screens Scareware: malware designed to trick victims into purchasing and downloading useless
and potentially dangerous software worm a type of virus that spreads itself, not only from file to file,
but also from computer to computer. the primary difference between a virus and a worm is that a
virus must attach to something. such as an executable file, in order to spread. worms do not need to
attach to anything to spread and can tunnel themselves into computers. Virus Code that attaches
itself to a program that is designed to cause malfunctioning of a computer or damage the data stored
on the computer. bluejacking sending unsolicited messages to another device using Bluetooth to get
the recipient to open

Using A Cloud Based Storage Schemes Essay
ABSTRACT
This paper proposes, various methods for anonymous authentication for data stored in cloud. Cloud
verifies the authenticity of the series without knowing the user's identity before storing data. This
paper also has the added feature of access control in which only valid users are able to decrypt the
stored information. These schemes also prevents replay attacks and supports creation, modification,
and reading data stored in the cloud. Moreover, our authentication and access control scheme is
decentralized and robust, unlike other access control schemes designed for clouds which are
centralized. The communication, computation, and storage overheads are comparable to centralized
approaches .The aim of this paper is to cover many security issues arises in cloud computing and
different schemes to prevent security risks in cloud. Storage–as–a–service (Saas) offered by cloud
service providers (CSPs) is a paid facility that enables organizations to outsource their sensitive data
to be stored on remote servers. In this paper, we propose a cloud–based storage schemes that allows
the data owner to benefit from the facilities offered by the CSP and enables indirect mutual trust
between them. This Paper provides different authentication techniques and algorithms for cloud
security.
1. INTRODUCTION In the current era of digital world, various organizations produce a large
amount of sensitive data including personal information, electronic health records, and financial

Linux Security
I. Chroot jail
"Chroot jail is a UNIX feature that creates a limited sandbox allowing a process to view only a
single sub–tree of the file system." "In order for it to work properly, some common programs and
libraries need to be copied or linked to the appropriate locations in the new directory tree." (Haas)
The term sandbox is a metaphor for the type of security that chroot jail uses. Once you put a
program or utility into the jail, it only knows of what is contained in the cell, the rest of your system
becomes invisible to it. It does this by changing the apparent root directory for the current running
process and its children. A program that is run in a modified environment cannot name files outside
the designated directory tree. ... Show more content on Helpwriting.net ...
If the packet passes the criteria set by the administrator then it is delivered, if it does not match it
will be dropped. Some of the criteria that can be set up by the administrator for checking are: ip
address, port number, destination address, source address.
Works Cited
Haas, J. (n.d.). About.com. Retrieved 5 1, 2013, from www.about.com
Kerner, S. M. (2004, 2 24). Internet News.com. Retrieved 5 1, 2013, from www.internetnews.com
linux.ie. (n.d.). Retrieved 5 1, 2013, from www.linux.ie/articles/tutorials/firewall
I. Chroot jail
"Chroot jail is a UNIX feature that creates a limited sandbox allowing a process to view only a
single sub–tree of the file system." "In order for it to work properly, some common programs and
libraries need to be copied or linked to the appropriate locations in the new directory tree." (Haas)
The term sandbox is a metaphor for the type of security that chroot jail uses. Once you put a
program or utility into the jail, it only knows of what is contained in the cell, the rest of your system
becomes invisible to it. It does this by changing the apparent root directory for the current running
process and its children. A program that is run in a modified environment cannot name files outside
the designated directory tree. For example if you place Apache into a chroot jail and somebody
would hack into your system, the only thing that they would be able to see and access would be
Apache and the

Comptia a+
1. Actions that can damage an asset
A threat: Flood, earthquake, severe storms. 2. Laws to protect private financial information *
Federal information security management act(FISMA) * Sarbanes Oxley act (SOX) * Gramm leach
Bliley act(GLBA) * Health insurance portability and accountability act(HIPAA) * Children's
internet protection (CIPA) * Family educational rights and privacy act (FERPA) 3. Parts of layered
security that supports confidentiality * Defining organization wide policies, standard, procedures,
and guidelines to protect confidential data. * Adopting a data classification standard that defines
how to treat data throughout AT. * Limiting access to systems and application that house ... Show
more content on Helpwriting.net ...
14. Examples of access control formal model * Discretionary access control(DAC): owner of the
resource decides who gets in , and change permission as needed. * Mandatory access control(MAC):
permission to enter a system is kept by the owner. It cannot be given to someone else. * Non
discretionary access control: are closely monitored by security administrator, not sys admin * Rule
based access control: rules list, maintained by the data owner. Determines which user have access to
object. 15. Access control models * Bell–la padula: focuses on the confidentiality of data and the
control of access to classified information. Parts of system are divide into sub and object, current
condition of sys is described as its state * Biba integrity: 1977, Kenneth j biba, first model address
integrity in computer systems based on integrity level , fix weakness ness of bell la * Clark and
Wilson: 1987 david clark and Wilson: focus on what happened when user allow into system try to
do thing they are not permit to. * Brewer and nash 1989 base on mathematical theory apply
dynamically changing access permission. 16. Rules that must be complied with 17. Parts of ordinary
IT security policy framework 18. How to determine appropriate access to classified data 19.
Management baseline setting 20. Primary steps in SDLC 21. Processes

Assignment 1: Database Analysis
The database for the company merger, can be one of the most vulnerable systems in an organization
due to their complexity and the amount of sensitive data it contains. The purpose of having a
database security plan, is to protect critical information from exposure to both internal and external
threats to the system. This could be malicious or unintentional, but both can do the same amount of
harm to the database. To begin creation of a database security plan, you first need to know what are
the potential threats to the database, how to protect against or mitigate them, and what other options
exist for hosting a secure database environment.
Some of the Potential threats to the organization and its databases are unwanted changes to the
database ... Show more content on Helpwriting.net ...
The access controls based on rights or privileges granted, allows users the ability to read, write,
modify, and execute objects in the database. Access to the database, also allows for the use of SQL
utilities such as: backups and security logs that should be available to select users. Database
privileges should only be given to uses whose jobs require the access. If this is only a temporary
access grant, it should be logged and revoked after the task is complete. All of these access controls
can be controlled through SQL discretionary access control (DAC). This supports GRANT and
REVOKE commands to give or remove privileges from end users. Mandatory access control (MAC)
is a more advanced hierarchical access control mostly used by government agencies as well as
financial institutes and is an add–on not included in the standard versions of SQL Server. The
database also can restrict users by its views. Database views are customized per user. They can hide
the more complex side of the database giving less technical users a simple interface for running
queries, while also restricting users from accessing specific tables and columns that have sensitive
information such as credit card and social security

Unit 3 Assignment 1: Remote Access Control Policy...
Richman Investments has decided to expand their business. We have been given their new growth
projections of 10,000 employees in 20 countries, with 5,000 located within the U.S. Richman has
also established eight branch offices located throughout the U.S. and has designated Phoenix, AZ
being the main headquarters. With this scenario, I intend to design a remote access control policy for
all systems, applications and data access within Richman Investments. With so many different
modes of Access Control to choose from it is my assessment that by choosing only one model would
not be appropriate for Richman Investments. My recommendation would be a combination of
multiple Access Control Models that overlap to provide maximum coverage ... Show more content
on Helpwriting.net ...
Constrained User Interface incorporates similar concepts of two other access control models that
have been detailed, Role Base and Rule Base. Constrained User Interface is defined as a user's
ability to get into certain resources based on the user's rights and privileges. These rights and
privileges are restricted and constrained on the asset they are attempting to access. While this
requires many levels of protection it provides limitations on the request access to the resources
available within the organization. Another example of a access control model that can be applied in
this situation is known as the Clark and Wilson Integrity Model. This model provides improvements
from the Biba Integrity Model of access control. Developed by David Clark and David Wilson, the
mode concentrates on what happens when a user tries to do things they are not permitted to do,
which was one flaw of the Biba Integrity Model . The other flaw that was addressed was the model
also reviews internal integrity threats . There are 3 key elements of the Clark and Wilson integrity
model; the first it stops unauthorized users from making changes within the system. The second, it
stops authorized users from making improper changes, and the third, it maintains consistency both
internally and externally . Within the Clark and Wilson model a user's access is controlled by

Linux Securities
Security of a system when you are open to the internet is paramount in the world of servers. Linux
has many layers of ever evolving security in order to keep up with the would be attackers in
cyberspace. This is one of the reasons that Linux is one of the most used servers for internet sites
and has few viruses engineered towards it.
IP Tables
Developed by the Netfilter organization the IP tables package for Linux is an evolution of the IP
chains which came from the IPv4 Linux firewall package. Paul Russel was the initial head author of
the organization and also behind the IP chains project The Netfilter organization began to come
together in 1999 and through collaboration and research recognized the shortcomings of the IP
chains ... Show more content on Helpwriting.net ...
Traditionally Linux security has been run using DAC ( Discretionary Access Control ), which is
based on users and groups to control which users and processes can access files and how they do it.
This runs into a problem since the owner of a file has control over its permissions which can be less
than ideal. SELinux ( Security–Enhanced Linux ) implements MAC ( Mandatory Access Control ),
which is under the direct control of the systems administrator and is located in the kernel where it
can control and enforce security, giving only the permissions needed to processes and users.
In the way of vulnerabilities I could not find much for SELinux, which is a testament to the power
of MAC. As secure as it may be, for most home users this system is a bit complicated and can block
services and make it look like a common error, making troubleshooting problematic. I would still
recommend using a firewall in conjunction with SELinux as security is best utilized when it is
layered in order to make attacks more difficult.
Linux has a rich history of collaborations between different organizations and input from users
worldwide. This has led to a world class piece of open source software that has proven itself to have
both the reliability and security to provide the peace of mind for users and corporations worldwide
to use for day to day operations and

Access Controls And Access Control
This chapter is basically based on access control in regards to computer information security. Access
control is seen as the fundamental mechanism put in place to help make information security
successful. Access control feature, in a particular system, will control how users can communicate,
access and modify system resources and programs. Access control was described in this chapter as a
very useful tool for the computer information security because it helps with ensuring that
unauthorized person or program have no access to what they are not supposed to. Access control is
regarded as the first line of defense to control, protect and monitor organization's resource's
availability, confidentiality and integrity.
Furthermore, this chapter illustrates how users can be granted access to network resources. It
explained that for a user to be allowed access to a network he must satisfy the condition of
identification and authentication. The identification part could be something of user ID, name or
account number. The identification key is not enough to grant access, but it's simply a way of
introducing yourself by saying who you are. Then, at that point the system will request for you to
authenticate yourself (confirm who you said you are) by requesting for an authentication key. The
authentication key could be password, passphrase, personal identification number (PIN), or a token.
Once, the authentication is verified and the system found it to be correct, then access will be

Definition Of Administrative Access Controls Essay
1. Administrative access controls "define the human factors of security" (Red Hat, n.d.). An example
would be having mandatory training before getting access to a certain room. If you do not complete
the training, then you will not have access. Other examples of administrative access controls include
personnel registration, recovery plans, and disaster preparedness. Physical access controls are "the
implementation of security measures in a defined structure used to deter or prevent unauthorized
access to sensitive material "and include restricted access rooms that require a badge, password, or
some other special permission to enter (Red Hat, n.d.). An example of this would be not related to
computers is a barhop standing at the door making sure only 21+ adults enter. In a computer or
business example, this could be only letting the IT guy have access to the data center. He would
have either a special card to let him in or he would have to make a phone call and use a special
passphrase to be granted access into the otherwise locked room. Technical access controls use
"technology as a basis for controlling the access and usage of sensitive data throughout a physical
structure and over a network " (Red Hat, n.d.). They include "tools used for identification,
authentication, authorization, and accountability. They are software components that enforce access
control measures for systems, programs, process, and information" (Harris, 2012). Technical access
controls are

Management Access Control At Lan Essay
Introduction:
Several buildings spread across a local area network with hundreds or thousands of devices ranging
in size from single office computers, a computer network LAN stands for. The main role of LAN
computers linked together and to share access to printers, fax machines, data storage, messaging,
games, file servers, and other services. LAN aspect of the development of the school, the university,
the office building to operate as a small geographic area, quick data transfer.
LAN common share data devices in the world today are major large–sized businesses, and the
interaction between the role and the lower its cost. LAN 's data can be transmitted at rates faster than
the speed of the telephone line, and have the ability to transmit data; But the distances are limited.
Management level in a LAN configuration and the type of equipment involved in the running no
need to manage access to it over the network, and it is important to protect the network from
hacking and virus attack.
Management Access Control at LAN :
Access control to the main function and that is to control the members of the network LAN to use
the data from the area. LAN users do what they can access resources on a system; they specify what
activities it offers management. For example, there are several sections of a company; Marketing, IT
marketing and accounts of the users do not need access to the data by the IT department and so on.
Access control model:
Different types of access control to protect a

Information Security Policy
Axia College Material Information Security Policy Axia College IT/244 Intro to IT Security Dr.
Jimmie Flores April 10, 2011 Table of Contents 1. Executive Summary 1 2. Introduction 1 3.
Disaster Recovery Plan 1 3.1. Key elements of the Disaster Recovery Plan 1 3.2. Disaster Recovery
Test Plan 1 4. Physical Security Policy 1 4.1. Security of the facilities 1 4.1.1. Physical entry
controls 1 4.1.2. Security offices, rooms and facilities 1 4.1.3. Isolated delivery and loading areas 2
4.2. Security of the information systems 2 4.2.1. ... Show more content on Helpwriting.net ...
For example a clerk will only be able to access a limited amount of information, such as inventory at
each store. The limitations will be different for an accountant or the mangers. All information will
be protected with several different layers of security. The first layers will be simple hardware
protection for access to the network; from there the security will increase with password protection
and restrictions to users. (Merkow & Breithaupt 2006) 2 Integrity Each user will be granted
password access to required information. The network will not allow external access from users or
computers not tied into it. Higher levels of access will also involve hardware such as smart cards or
fobs for access to data and only be able to access data from a central location. (Merkow &
Breithaupt 2006) All transactions and account information will be centralized with limited
accessibility. 3 Availability The new system for Sunica will be defined by a formal outline and
written guidelines for each employee. The entire system will be tied into a network that is accessible
by every location, no remote access other than specified locations will be allowed. The entire
network will be tied into cloud based storage for backup and recovery, all sensitive and important
data will be located offsite, yet

Database Security
– 1 –
Database Security *)
GÜNTHER PERNUL
Institut für Angewandte Informatik und Informationssysteme
Abteilung für Information Engineering
Universität Wien
Vienna, Austria
1. Introduction
1.1 The Relational Data Model Revisited
1.2 The Vocabulary of Security and Major DB Security Threats
2. Database Security Models
2.1 Discretionary Security Models
2.2 Mandatory Security Models
2.3 Adapted Mandatory Access Control Model
2.4 Personal Knowledge Approach
2.5 Clark and Wilson Model
2.6 A Final Note on Database Security Models
3. Multilevel Secure Prototypes and Systems
3.1 SeaView
3.2 Lock Data Views
3.3 ASD_Views
4. Conceptual Data Model for Multilevel Security
4.1 Concepts of Security Semantics
4.2 Classification ... Show more content on Helpwriting.net ...
· Authorization, Access Controls
Authorization is the specification of a set of rules that specify who has which type of access to what
information. Authorization policies therefore govern the disclosure and modification of information.
Access controls are
– 3 – procedures that are designed to control authorizations. They are responsible to limit access to
stored data to authorized users only.
· Integrity, Consistency
An integrity policy states a set of rules (i. e. semantic integrity constraints) that define the correct
states of the database during database operation and therefore can protect against malicious or
accidental modification of information. Closely related issues to integrity and consistency are
concurrency control and recovery. Concurrency control policies protect the integrity of the database

in the presence of concurrent transactions. If these transactions do not terminate normally due to
system crashes or security violations recovery techniques are used to reconstruct correct or valid
database states.
· Auditing
The requirement to keep records of all security relevant actions issued by a user is called auditing.
Resulting audit records are the basis for further reviews and examinations in order to test the
adequacy of system controls and to recommend any changes in the security policy.
In this Chapter such a broad perspective of database security is not taken.
Instead, main focus is directed towards aspects related to

Questions On Networked Information Systems
COMP2410 Networked Information Systems Assignment 2: Part 1 Aiden Ahn (u5458942) Sam Ye
(u1111111) Introduction Zxcasdqwe Question 1 Objective: To find out the risk of customers using
bank accounts and provide methods for mitigation of the highest priority residual risk. Constraint:
Stakeholders: Customers (primary), the bank, thieves Assets: Money Threats & vulnerabilities The
nature of all these threats are caused by unauthorised person to access the data that they don't have
the right to view/alter. Pay by tap credit cards: This is a permanent physical data storage mean where
all credential data is on it, it's kind of like a black box container where you can use the information
store on this piece of object, since this kind of object is easy to steal by an entity, therefore it should
be considered as a threat. ATM: ATM is a physical embed–in device which is to be installed on the
wall as part of the supporting infrastructure, despite of the fact that is unmovable, it is possible that
any third party scam devices is installed on the it by an intruder, such device includes hidden
camera, fake PIN pads and card skimmers. These data collection devices can retrieve your personal
private information quickly if you trigger them by the way they want. Online bank: Since this
process is done by the internet, then various of threats can be caused. Viruses/Malwares: This
includes downloading a spamming software (malware/backdoors), open unknown source emails

It 244 Appendix F Essay
Axia College Material
Appendix F
Access Control Policy
Student Name: Katelyn Sims
Axia College
IT/244 Intro to IT Security
Instructor's Name: Jennifer McLaughlin
Date: 11/22/2011
Due in Week Seven: Outline the Access Control Policy. Describe how access control methodologies
work to secure information systems
1 Authentication
Describe how and why authentication credentials are used to identify and control access to files,
screens, and systems. Include a discussion of the principles of authentication such as passwords,
multifactor authentication, biometrics, and single–sign–on.
Authentication of an individual to access and use files, systems, and screens is vital to ... Show more
content on Helpwriting.net ...
Explain who the information owner is that has the responsibility for the information and has the
discretion to dictate access to that information.
Discretionary access control means only certain permitted users are allowed access to specific
things. However, someone with permitted access can let another user use their access. The least
privilege principal is where access is only granted to certain systems and certain data that is needed
to do the users job. Sometimes temporary access is given to data that is required to access random

jobs or to see what that user is doing. When this happens, the access is only temporary, it is
imperative to uphold the principal of least privilege to ensure that user does not have access to the
data when the job finished.
2 Mandatory access control
Describe how and why mandatory access control will be used.
Mandatory access control is a single user, normally the network admin, who is given access to the
users' rights and privileges. They control access policies and are also in control of choosing which
objects and what systems each individual user has access to and what they do not have access to.
The access is made in the form of different levels. Each system and all folders containing
information are put into a specific classification. The user will be in a certain classification that will
only allow them to access data

Discretionary Access Control (DAC)
Computer security is important in every organization. It covers several areas such as locking the
computer room and the computer itself, protecting login accounts with passwords, encrypting
network communication lines and use of file protection among others. Whitman (2011) points out
that computer system security ensures that your computer does what it is supposed to, even if the
users do what they should not do. Discretionary Access Control (DAC) is a type of access controls
that provides protection to the files in a computer system. This type of control restricts access to
files based on the identity of users or groups which they belong. It is discretionary and lets you tell
the computer system who can have access to your files and therefore you can specify the type of
access allowed. For example, you can allow anyone to read a particular file in the system, but allow
only you to be able to change it.
According to Whitman (2011), this type of control access is rarely used with high security systems
because someone with permission to access files is able to pass that permission either directly or
indirectly on to any other person. This capability poses a threat to the security of the files and can be
dangerous to a high security system. An organization that requires high security, but the operating
system only supports DAC, can compensate with the use of an Access Control List (ACL). Haldar
(2010) defines ACL as a list which denotes which

Trusted Computer System Evaluation Criteria
(Name)
(Professor)
(Subject)
(Date)
Trusted Computer System Evaluation Criteria (TCSEC) Trusted Computer System Evaluation
Criteria (TCSEC) is a computer security standard that was developed by the US department of
defense DOD aimed at assessment of how effective computer security controls, which have been
built in a computer system are. This security standard has been used to classify, evaluate and
determine the computer systems intended for processing, storage and retrieving classified or
sensitive information. It was the first main evaluation methodology developed to analyze and
determine the security level of a system. The standard is also known as the orange book and was
produced as part of series of books called the rainbow series. The series got its name from the
colorful covers that the books in the series used (Denning).
Trusted Computer System Evaluation Criteria is divided into four categories: D, C, B and A. These
categories are hierarchical and the highest division (A) is reserved for the systems that provide the
most comprehensive security. Each higher division bears a major improvement of the overall
security and the confidence with which one can regard a system to protect sensitive information.
Within the subdivisions, B and C, there exist further subdivisions called classes. These classes are
also hierarchical. The systems represented by division C and the lower classes of division B are a
characteristic of the security mechanisms that the systems possess.

Application And Information Stockpiling On The...
Prior, In the creating stage, we used to make applications and information stockpiling on the
neighborhood servers. In the event that neighborhood server or neighborhood framework crashes,
the whole framework, applications and related information crashes consequently. It was turning into
an enormous issue everywhere throughout the world. To defeat this issue, the idea of distributed
computing was brought out vigorously. Be that as it may because of expanding size of clients'
numerous security related issue emerges and after that security issues turned out to be most regular
in the enthusiasm of analysts. Security models, for example, Mandatory Access Control and
Discretionary Access Control have been the methods by which data were secured and get to was
controlled. However, because of the unbend–ability of these models, the fairly new security idea of
Role–Based Access Control (RBAC) was proposed by the National Institute of Standards and
Technology (NIST) which guarantees to end up a more unmistakable security model. Be that as it
may, because of expanding size of clients giving noteworthy security has ended up bottleneck. This
paper portrays access control, idea of RBAC (Role–based Access Control) display, its downside and
finally we finish up to depict proposed research work to lessen security hazard.
Access Control:
Protection, trust and Access Control are some of security idea required to meet in Cloud stage.
Access Control 's part is to control and breaking point the

Essay on It244 Access Control
1. Access Control Policy
1.1. Authentication
Describe how and why authentication credentials are used to identify and control access to files,
screens, and systems. Include a discussion of the principles of authentication such as passwords,
multifactor authentication, biometrics, and single–sign–on.
Authentication credentials are used to control access to sensitive data or systems by making it hard
for people to get into the system who shouldn't have access. Passwords and usernames are a good
start because if they are kept secure, they are generally very hard to bypass. If they are bypassed by
some method ... Show more content on Helpwriting.net ...
Whoever has the responsibility to keep the data safe is probably the one responsible for dictating
access.
1.2.2. Mandatory access control
Mandatory access is used to authenticate actions between a subject and an object. In order for a
subject to access an object it must pass a set of authentication rules.
1.2.3. Role–based access control
Describe how and why role–based access control will be used.
RBAC is a very efficient way to control access to resources. This is because access is granted to
select roles based on what the needs each role has to complete its job. Then, the person or program
is assigned to the role and thus will only be granted the access granted to the role they are assigned.
1.3. Remote access
Describe the policies for remote user access and authentication via dial–in user services and Virtual
Private Networks (VPN)
The policies for remote access, authentication via dial–in user services, and VPN's has to be more
strict than with general authentication and access within the work place. While there are ways for a
hacker to get into the system while following the usual work place policies, it would probably be
much easier to get in by one of these methods. When accessing resources remotely it is important to
have added authentication methods such as security questions or possibly some kind of portable
biometric device which can scan a part of the user and then send

Associate Level Material
Appendix F
Student Name: Charles Williams
University of Phoenix
Instructor's Name: Tarik Lles
Date: December 4, 2011
Access control is used to restrict operations, which authorized users can perform. Access control
does exactly what it says, it controls what access an authorized user can have. A reference monitor is
used for access control and follows instructions from an authorization database. These
authorizations are controlled and administered by a security administrator who sets ... Show more
It is also possible under some operating systems for the network or system administrator to dictate
which permissions users are allowed to set in the ACL's of the resources. Discretionary Access
Control has a more flexible environment than Mandatory Access Control, but also increases the risk
that data will be made accessible to users who should not gain access. Understanding permissions
about the security of file servers on the network will increase network security (Bushmiller, 2011).
2 Mandatory access control

Mandatory Access Control (MAC) uses a hierarchy approach to control access to resources, such as
data files. The system administrator is responsible for the settings in a MAC environment. All access
to resource objects is controlled by the operating system based on setting configured by the system
administrator. With MAC it is not possible for users to change the access control for any resource.
Mandatory Access Control starts with security labels, which contain two types of information and
are assigned to all resource objects on the system. The two types of information are classification,
such as confidential or top secret and a category, which is basically an indication of the project or
department to which the object is available, or an indication of the management level.

Access Control Models
ACCESS CONTROL MODELS
An access control model is a framework that dictates how subjects access objects. There are three
main types of access control model mandatory access control, discretionary access control and role–
based access control.
Discretionary (DAC) The creator of a file is the 'owner' and can grant ownership to others. Access
control is at the discretion of the owner. Most common implementation is through access control
lists. Discretionary access control is required for the Orange Book "C" Level.
Mandatory (MAC) Much more structured. Is based on security labels and classifications. Access
decisions are based on clearance level of the data and clearance level of the user, and, classification
of the object. Rules are made ... Show more content on Helpwriting.net ...
Network architecture – Logical controls can provide segregation and protection of an environment.
I/P address ranges, subnets, routing between networks, etc.
Network Access – Logical network access controls – routers, switches, NICs, bridges.
Encryption and Protocols
Control Zone – Technical and physical control. Surrounds and protects network devices that emit
electrical signals. TEMPEST related.
Access Control Types
Each control method can also perform different functionality. The functionality types are
Preventative
Detective
Corrective
Deterrent
Recovery
Compensating
For example

Preventative–Administrative
Policies and procedures, effective hiring practices, background checks, data classification, security
awareness training.
Preventative–Physical
Biometrics, badges, swipe cards, guards, dogs, motion detectors, fences, mantraps, locks and alarms.
Preventative–Technical
Passwords, biometrics, smart cards, encryption, call–back systems, database views, antivirus
software, ACLs, firewalls, IDS
Auditing
Accountability Auditing capabilities ensure that users are held accountable for their actions, verify
that policies are enforced, deter improper actions and are an investigative tool.
There are 3 main types of audit tool
Audit reduction
Variance detection
Attack–signature detection
Audit data must be protected from unauthorized viewing and

Database Modeling, System Design, And Improve Performance
MODELING
As databases and technology have evolved, Elmasri and Navathe point out that increasingly
complex data structures for modeling to meet the needs of the more advanced and larger databases
that were also beginning to include newer data types (2016). As stated before, with more complex
databases, there are more vulnerabilities in security that need to be planned for and mitigated
wherever possible. A DBMS is responsible for designing the methods in which data recovery and
security is handled, while tools are used within database modeling that facilitate modeling, system
design, and improve performance (Elmasri & Navathe, 2016). When applying these tools to
database creation, security should always be considered in each step of modeling and creating the
database. The DBMS provides a security and authorization subsystem to the DBA so that they can
use it to create accounts and specify account restrictions (Elmasri & Navathe, 2016).
AGGREGATION AND INFERENCE
Aggregation occurs when a user combines individual pieces of data that they have access to in order
to infer more of the bigger picture which they do not have access to, which can happen when a user
only has access to some records but draws enough information from the ones they do have access to
in order to figure out information that has been deemed off limits to them (Harris, 2002). This is, of
course, a potential security risk which should be corrected. On the other hand, knowledge
representation techniques,

Appendix B: Information Security Policy
Associate Level Material
Appendix B
Information Security Policy Student Name: Dennis H Jarvis Jr.
University of Phoenix
Instructor's Name: Scott Sabo
Date: 12/21/2012 * Table of Contents 1. Executive Summary 1 2. Introduction 1 3. Disaster
Recovery Plan 1 3.1. Key elements of the Disaster Recovery Plan 1 3.2. Disaster Recovery Test Plan
1 4. Physical Security Policy 1 4.1. Security of the facilities 1 4.1.1. Physical entry controls 1 4.1.2.
Security offices, rooms and facilities 1 4.1.3. Isolated delivery and loading areas 2 4.2. Security of
the information systems 2 4.2.1. Workplace protection 2 4.2.2. Unused ports and cabling 2 4.2.3.
Network/server ... Show more content on Helpwriting.net ...
Confidentiality
Briefly explain how the policy will protect information. All customer information will be stored in
the system and accessible to the clerks as read only. Everything is to be password protected and only
managers will have the ability to alter said information.
Integrity
Give a brief overview of how the policy will provide rules for authentication and verification.
Include a description of formal methods and system transactions. As previously stated only
management will have the ability to alter information. Employees that are not management will
have read only rights and have their own passwords.
Availability
Briefly describe how the policy will address system back–up and recovery, access control, and
quality of service. There will be a disaster plan in place for such things as floods, storms, of
equipment failure. All customer information will be backed up and on a secure network and system
with password protected group policies.
Disaster Recovery Plan
Due in Week Three: For your selected scenario, describe the key elements of the Disaster Recovery
Plan to be used in case of a disaster and the plan for testing the DRP.
Risk Assessment
Critical business processes

List the mission–critical business systems and services that must be protected by the DRP. Systems
that services that should be included in this Disaster recovery Plan should be anything involving
human

Mandatory Access Control
In computer security, Discretionary Access Control (DAC) is a type of access control in which a
user has complete control over all the programs it owns and executes, and also determines the
permissions other users have those those files and programs. Because DAC requires permissions to
be assigned to those who need access, DAC is commonly called described as a "need–to–know"
access model.
In computer security, discretionary access control (DAC) is a type of access control defined by the
Trusted Computer System Evaluation Criteria[1] "as a means of restricting access to objects based
on the identity of subjects and/or groups to which they belong. The controls are discretionary in the
sense that a subject with a certain access permission ... Show more content on Helpwriting.net ...
Early hardware–based enforcement implementations of MAC such as Honeywell's SCOMP, USAF
SACDIN, NSA Blacker, and Boeing's MLS LAN focused on MLS to protect military–oriented
security classification levels with robust enforcement. Originally, the term MAC denoted that the
access controls were not only guaranteed in principle, but in fact. Early security strategies[2]
enabled enforcement guarantees that were dependable in the face of national lab level attacks.
More recently, with the departure from strict hardware–based enforcement the expectations of the
term "mandatory" has become more relaxed, migrating from mandating near absolute enforcement
to acceptance of "best effort" enforcement. While software–based enforcement is more flexible, the
security technology has not yet produced a software–based enforcement strategy that can enforce a
policy with near certainty. This is because it has been much more difficult to be certain about what a
software–based system will never do compared to that of hardware–based system. With software–
oriented implementations such as SELinux (incorporated into

Access Controls And Access Control Security Essay
As the use of computers, databases, and technology in general, security has grown to be a powerful
tool that has to be used. The threat of outside sources intruding and exploiting crucial information is
a threat that is present on a daily basis. As a part of creating and implementing a security policy, a
user must consider access control. Access Control is a security tool that is used to control who can
use or gain access to the protected technology. Access control security includes two levels; logical
and physical. Though database intrusions can happen at any moment, access control provides
another security barrier that is needed. Access control has been in use before the growth of the
technology world. It could involve a simple action as locking a door. A person locks a door to
prevent entry to those who are not allowed or authorize to do so. The same can be said about the
security involving databases and the controlling of who can have access and what can be accessed.
As far as database security is concerned, there are various categories that are involved in access
control. The four main categories of access control include: Discretionary, Mandatory, Role–based,
and Rule–based access control. According to Rouse (2006), "Computer databases typically contain
aggregations of data records or files, such as sales transactions, product catalogs and inventories,
and customer profiles" (Rouse, 2006). Databases can hold a sufficient of information that are
deemed valuable by

Information, Network And Cyber Security
CANDIDATE NAME: NAZIFI IDRIS KHALID
STUDENT NUMBER: C1473542
MODULE CODE: CMT 104
MODULE TITLE: INFORMATION, NETWORK AND CYBER SECURITY
SEMINAR TUTOR: DR. PETE BURNAP
ESSAY TITLE / COURSEWORK: COURSEWORK
WORD COUNT: 1500
Review of Existing Literature:
The most important goal of any access control model is to provide a verifiable system that
guarantees the protection of any information from being accessed by an unauthorised party; in line
with some defined security policies (Ausanka–crues 2006). Many access control models have
evolved over time that manage access to resources in the organisation. With each one leveraging on
a particular element of security. The Bell– Lapadula model for example focuses on Confidentiality;
while the Biba ... Show more content on Helpwriting.net ...
The User does not have any privilege to change or modify his setting or access level to any party.
On the other end, Discretionary Access Control Model gives the User all the rights and privileges
over any object on his profile including all the programs associated with it. This means that the User
can be able to modify security settings and privileges for others. This of course is very flexible at the
expense of security rigidity. Which in turn may lead to misuse or abuse of privilege which is a major
setback for this model. Rule Based Access Control is administered based on some predefined rules
set by the Systems Administrator for each User. This means that there are as equal the rules set as
the number of Users in the Organisation. This eventually becomes cumbersome as the number of
Users gets larger.(Anon n.d.). The Role Based Access Control is based on the user's role or job
functions. Permissions are granted to the role and not the individual. For example if the user
performs role of a Deputy Manager, he is mapped to the role of a Deputy Manager. And thus He
shares a common role with any other User of the same position in the same Organisation. This
access control model offers more flexibility and ease of Management to the Administrator from a
central location; as there are fewer roles to manage as compared to the number of Users. Context
Aware Access Control takes into consideration the context information of

The World Of Computer Systems
INTRODUCTION TO PROBLEM
Today's world of computer systems are used by large set of individuals across organisations either
collocated or distributed geographically. This has decreased the level of trust as compared to the past
where there were small set of users entrusted in an organisation (Van der Geest G J, 2008) . In a bid
to make sensitive data and infrastructure secured from unauthorized users, a security policy is
developed by the system administrator of the organisation in other to control "who gets in", "who
does what" and "who sees what". This duty has seemed to be one of the difficult problems faced by
the admin and could turn out bad If not controlled properly (Kizza, 2009). However, due to
differences in geographical ... Show more content on Helpwriting.net ...
Access control is a process of monitoring information flow from unauthorized users with the aid of
some rules and methods and has been in practice for a long period of time. Access control is a
system that enforces demand or request to system data and resources through the means of
authorization. This policy has been a major issue in resource management since early 1960s ref.
with main objectives of protecting system resources from unauthorized users. In this report, some of
the types of access control models and the security threats they impose will be discussed below.
Discretionary Access Control (DAC) model is a user–based kind of policy due to its principle
allowing any user to alter any information and user's data in the system based on their needs. DAC
allows users to use their discretion to access files or programs in the system without following any
predetermined policies. This makes the system vulnerable to Trojan horse attacks and other form of
viruses which can lead to leakage of data and loss of information (Vincent C. Hu, 2006). This
approach of access control is not a reliable one for an administrator keen to secure sensitive
information. In the aspect of network outside the perimeter and mobile collaboration in distributed
environments, this model poses a lot of damage in the

Application Of Access Control System
Introduction
Access control is one of the earliest problems in computer security and remains a continuing
challenge. Access control component determines whether requests to access resources are granted.
1. Discretionary access control
In Discretionary Access Control any user can set an entrance control instrument to permit or deny
access to an object. DAC relies on the object proprietor to control access. It is generally executed in
most working frameworks, and is very familiar access control method. Flexibility is a strength of
DAC and a key motivation behind why it is broadly known and actualized in standard working
frame.
Unlike Mandatory Access Control (MAC) where access to framework assets is controlled by the
working framework ... Show more content on Helpwriting.net ...
A discretionary access control (DAC) arrangement is a method for appointing access rights in light
of tenets predetermined by clients. This class of approaches incorporates the record consents model
actualized by almost every single working framework. In Unix, for instance, a catalog posting may
yield "... rwxr–xr–x ... file.txt", implying that the proprietor of file.txt may read, compose, or
execute it, and that different clients may read or execute the document yet not compose it. The
arrangement of access rights in this case is {read, compose, execute}, and the working framework
intercedes all solicitations to perform any of these activities. Clients may change the consents on
documents they possess, making this an optional strategy.
A system actualizing a DAC approach must have the capacity to answer the inquiry: "Does subject S
have right R for item O?" Abstractly, the data expected to answer this inquiry can be spoken to as a
scientific connection D on subjects, protests, and rights: if (S, O, and R) is in D, then S has right R
for article O; generally, S does not. All the more basically, the same data could likewise be spoken to
as an entrance control network. Every column of the grid relates to a subject and every segment to
an article. Every cell of the framework contains an arrangement of rights.
Example file1 file2

FINAL Project IS3230
Project IS3230 Access Control Proposal Name: Rafiq Sabaoui Access control: type of access control
by which the operating system constrains the ability of a subject or initiator to access or generally
perform some sort of operation on an object or target. In practice, a subject is usually a process or
thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments,
IO devices etc. Subjects and objects each have a set of security attributes. Whenever a subject
attempts to access an object, an authorization rule enforced by the operating system kernel examines
these security attributes and decides whether the access can take place. Any operation by any subject
on any object will be tested against the set of ... Show more content on Helpwriting.net ...
Furthermore, too great a degree of granularity in classification levels can quickly become too
complex and expensive. There are several dimensions by which data can be valued, including
financial or business, regulatory, legal and privacy. A useful exercise to help determine the value of
data, and to which risks it is vulnerable, is to create a data flow diagram. The diagram shows how
data flows through your organization and beyond so you can see how it is created, amended, stored,
accessed and used. Don't, however, just classify data based on the application that creates it, such as
CRM or Accounts. This type of distinction may avoid many of the complexities of data
classification, but it is too blunt an approach to achieve suitable levels of security and access. One
consequence of data classification is the need for a tiered storage architecture, which will provide
different levels of security within each type of storage, such as primary, backup, disaster recovery
and archive –– increasingly confidential and valuable data protected by increasingly robust security.
The tiered architecture also reduces costs, with access to current data kept quick and efficient, and
archived or compliance data moved to cheaper offline

Access Control System : Access Controls System
Access Control System
The access control system is a fundamental way of reducing security problems and control the
access of people to a place. The purpose of the access control is to make sure that the right people
are only granted the access to the place. The control system will ensure the privilege for people to
access the building according to their rights and level. The control system monitor and record all the
activities regarding the access control to lock and unlock the building, detect when a pass card is
used and used when it has been declared lost. (Benantar, 2006)
Improving the security system of the dormitory is important by creating an access control system to
lock and unlock the doors automatically through an electronic device reader that will allow visitors
during entry and required personnel. To correct insecurity, it is very important that the security
system be improved to discover the visitors that came in and to only allow the required staffs into
the system. Hence, our objective is to create an access control system that open and close the door
automatically through an electronic reader.
The system should be connected with the security camera system to enhance effective operation.
The access control system would require that all visitors swipe their cards through the card reader
and the system would check if the information on the card matches with information in the database;
then, if a match is found, the door would open (Sandhu & Munawer, 2002).

The Importance Of IT Security
IT security
IT security also know as computer security or cyber security or Infosec, is the process of protecting
a computer system from the different types of theft or different types of damages to the hardware,
software or data stored in that system as well as from the interference or alteration of the services
provided by the system.
CIA triad's core objectives are considered for IT security programs: keeping the confidentiality,
integrity and availability secure of IT system and company data. These objectives protect the
important information or data from unauthorised parties (confidentiality), prevent modification of
data by unauthorised person (integrity) and assurance of accessibility of data by authorised person
on request ... Show more content on Helpwriting.net ...
They are no longer stick to access the business services within organisations. These services are
accessed by the customers, vendors and partners as well. Thus technology landscaping has given
versatility and productive environment to the business. Whilst it is providing advantages to the
organisations but it has some challenges as well related to data accessibility by unauthorised person
(Cowley, n.d.).
Access control is the method of identifying a person on the basis of his/her job roles and then
authenticates them on as per their identifications and after authentication giving them authority to
access the system. In an organisation, as per the information security system employees are granted
access as per their job roles and responsibilities and username and password are given to each
employee with different rights of system accessibility (read, write or edit) to do their jobs.
So, how these rights of system accessibility are given to the individual as per their job duties and
designation? This is where we used an access control model.
Access control models have four types:
Mandatory Access Control (MAC)
Role Based Access Control (RBAC)
Rule Based Access Control (RBAC or RB–RBAC).
In the Mandatory Access Control, or MAC model, the access control is given to only the owner and
custodian management. End user can not make any

Company Policy
Due in Week Nine: Write 3 to 4 paragraphs giving a bottom–line summary of the specific
measureable goals and objectives of the security plan, which can be implemented to define optimal
security architecture for the selected business scenario.
Sunica Music and Movies will be implementing the best and affordable security measure and
disaster recovery plan that is available. Our company will install the best firewall and security that
will ensure that our customers and our company data are protected. We seek to maintain and recruit
customers. We will always maintain confidentiality, availability, intertgity. By doing so, we shall and
will keep the best computer systems and security that is available. Our goals are to expand our
locations ... Show more content on Helpwriting.net ...
2 Integrity
Give a brief overview of how the policy will provide rules for authentication and verification.
Include a description of formal methods and system transactions.
Integrity keeps data pure and trustworthy by protecting system data from intentional or accidental
changes. Integrity has three goals to prevent unauthorized users from making modifications to data
or programs. To prevent authorized users from making improper or unauthorized modifications. To
maintain internal and external consistency of data and programs.
3 Availability
Briefly describe how the policy will address system back up and recovery, access control, and
quality of service.
Availability keeps data and resources available for authorized use, especially during emergencies or
disasters. This policy will address common challenges to availability. Denial of Service this is due to
intentional attacks or because of undiscovered flaws in implementation. The policy will address loss
of information system capabilities because of natural disasters. The policy will also focus on
equipment failures during normal use.
Disaster Recovery Plan
Due in Week Three: For your selected scenario, describe the key elements of the Disaster Recovery
Plan to be used in case of a disaster and the plan for testing the DRP.

1 Risk Assessment
1 Critical business processes
List the mission–critical business systems and services that

Role Based Access Controls
Role Based Access Controls
June 16, 2013
Professor M. Hansen
In order to establish system design controls that are directly related to the data input mechanism of a
network and in order to control data entry operations and prevent unauthorized access to information
or data; Role Based Access Controls (RBAC) are required. The basic principle of these controls is
that the data entry personnel, on any level, should be allowed limited access to only specific
information in order to get their jobs done. Because of higher data requirements, more data access
streams, higher employee turnover and outsourcing of data–entry processes there are many avenues
where data can acquired illegally from an outside source and within the organization ... Show more
In many applications, RBAC is concerned more with access to functions and information than
strictly with access to information. (Gupta, 2004)
The Common Criteria also note the following: "security policies defined for systems ... used to
process classified or other sensitive information must include provisions for the enforcement of
discretionary access control rules. That is, they must include a consistent set of rules for controlling
and limiting access based on identified individuals who have been determined to have a need–to–
know for the information." (Kim, 2012) The date input control is another challenge, When you have
several people entering data in your database, you can define how users must enter data in specific
fields to help maintain consistency and to make your database easier to manage. Role based input
control provides data input control. Free text input control, though unavoidable in forms that need
information from the user; should avoid using text boxes and text areas as much as possible. It can
be difficult for the user to enter content into free text input controls such as text boxes and text areas.
Instead, rely on radio buttons, select boxes, and even lists of links. Check boxes are a commonly
used input control; a check box is a small square box that allows the user to select an item or to
deselect it. The user makes this decision by clicking in the small square box. The control is normally
configured with the square box being white

Database Security And Protection, Sql Injection...
Database security and protection is a significant concern for organizations across the world,
evidenced by the number of reported incidents with regards to unauthorized exposure to sensitive
information. As the amount of data that organizations collect, retain and share continues to escalate,
so does the importance of having a strong database security. The Privacy Rights Clearinghouse, a
website that keeps track of data breaches that were reported by companies, according to its research
more than 159 million records were breached in 2015 through the course of 226 separate breach
events. With the loss of unprotected data, can result in steep expenses for a company such as legal
fees, call centers, customer losses, and the ambiguous amount of bad publicity. A Forrester Research
survey concluded that an average security breach can cost a company between $90 and $305 per lost
record. Given the increase number of data breaches, there is a corresponding need to properly plan
ways to better protect and monitor the database systems through access control, SQL injection
prevention, and encryption of data.
Access control allows specific users either privileges or restriction of access to objects in a database
system. A Data Base Administrator (DBA) must take in specific consideration pertaining to which
users can see what tables, and perform certain data actions among those specific tables. Access
control can be defined in three ways: Mandatory Access Control (MAC), Discretionary

Cloud Computing Is The Delivery Of On Demand Computing...
Cloud computing is the delivery of on–demand computing resources which include everything from
applications to data centers over the Internet on a pay–for–use basis. Cloud computing is the result
of evolution and adoption of existing technologies and paradigms. The goal of cloud computing is to
allow users to take beneﬁt from all of these technologies, without the need for deep knowledge
about or expertise with each one of them. The cloud aims to cut costs, and help the users focus on
their core business instead of being impeded by IT obstacles Cloud computing is so named because
the information being accessed is found in the "clouds", and does not require a user to be in a
specific place to gain access to it. The services are offered from data centers all over the world,
which collectively are referred to as the "cloud." The idea of the "cloud" is to simplify the huge
network connections and computer systems involved in online services. Cloud computing is a
computing model, not a technology. In this model of computing, all the servers, networks,
applications and other elements related to data centers are made available to IT and end users. Cloud
computing is a type of computing that is comparable to grid computing. It relies on sharing
computing resources rather than having local servers or personal devices to handle applications.
Access control is generally a policy or a procedure that allows, denies or restricts access to a system.
It also monitors

The Inevitability Of Failure Summary
Summary of Article "The Inevitability of Failure: The Flawed Assumption of
Security in Modern Computing Environments"
The article, which addresses security loopholes in modern computing environments, by Loscocco et
al highlights what is and has been being done security wise in the past and how secure these
implementations were and going forward what should be done to ensure in depth security which
guarantees system wide security (1998). The article first explains features of secure operating
system and why current systems implemented under the notion of application space security
ultimately failed to safe guard the integrity and confidentiality of our assets. The article then
continued with general examples of access control and cryptography implemented in the application
space with no or little support from operating system and showed their vulnerabilities to attacks
such as tampering, bypassing and spoofing. The article supplied real–life examples to support the
evidence that building security in the application space without secure operating system is
meaningless. The article raised concrete examples on mobile code security, Kerberos network
authentication service, IPSEC and SSL network security protocols and firewall. The paper finally
put an interesting remark that security implemented in application space without secure operating
system is like "building a house in a pile of sand" and it also emphasized that secure operating
system without better security on the

Nt1330 Unit 3
1) The response "sensitive value; response suppressed" is itself a disclosure. Suggest a manner in
which a database management system could suppress responses that reveal sensitive information
without disclosing that the responses to certain queries are sensitive.
It is every company mandatory requirement to make sure sensitive data is protected from public
access at all times. In large organization sensitive information such as employee salary and
performance should be kept confidential from most of the DBA users. For this DBMS uses database
security and authorization subsystems that is responsible for security to the portions of database or
to restrict the access to the sensitive information.
Below are some of the methods of database security ... Show more content on Helpwriting.net ...
So, classified or sensitive information can be only access by the people who have that level of
security clearance.
– DBA security – Controlling the access on the DB level can also serve as a mechanism to protect
sensitive data. In this type, there is always an administrator who controls the process of Account
creation, granting access, revoking roles and assigning appropriate security level assignment.
If a user wants to extract data and if it contains sensitive information, the DBMS should mention an
user friendly error message like "Cannot have access to this data" so that user will not try to dig the
information further.
2) Cite a situation in which the sensitivity of an aggregate is greater than that of its constituent
values. Cite a situation in which the sensitivity of an aggregate is less than that of its constituent
values. Example where aggregate data is having higher sensitivity can be easily found in the case of
financial transaction. An individual transaction may have little importance or significance on its
own. However collected history of transactions could reveal underlying pattern, other proprietary
information or even illegal

CIS 210
CASE STUDY 1
Building an Access Control System
As a member of the Information Security team at a small college, you have been made the project
manager to install an access control system (ACS) in a dormitory. The ACS will automatically
unlock the dormitory doors via an electronic proximity reader and integrate with an existing security
camera system. The cameras are designed to face and rotate to record a person as they use their
identification card to unlock the door.
Create a 3–4 page project plan for this project in which you:
Include a one–half page project scope statement.
Define five (5) major tasks, each with one to two (1–2) subtasks. Also write a brief description for
each task.
Create a Gantt chart illustrating the ... Show more content on Helpwriting.net ...
The non–functional requirements are the attributes of the system; these include: reliability,
performance, cost, system quality attributes, and the challenges encountered during installation.
Steps of Implementing the Project
To complete the installation, the following steps would be accomplished to successfully install the
access control system.
Analysis
The analysis of the problem should take a day. At the analysis stage we determine the solution. The
solution has been identified as the installation of the access control system. At this stage the system
parts are identified; they include input, output, communication devices, power supplies, detection
devices, intelligent panels, card readers, lock hardware, the actions and the response of the system in
case of violation of the input requirements or failure of the system.
Design
The design of the access control system involves coming up with ways of creating or installing the
access control system. The phase should take two days. The system would have a security camera
controlled by a proximal card reader when the actions are triggered. After completing the design of
the system, the identified materials and hardware are to be purchased from various stores.
Programming
The computers controlling the security camera in the control center will be reprogrammed to ensure
they can control the access control system installed in the doors. The relevant

Access Controls Provide A Mechanism
Introduction
Access Controls provide a mechanism, which allows an administrator to ensure that appropriate
techniques are in place to control how users interact with an IT system. It provides an avenue where
restrictions can be developed, specifying what a user can do, the resources they can access, and the
functions they can execute on a system. It is aligned with the three main security principles;
confidentiality, integrity and availability. This alignment ensures that data and resources within an
IT system will remain confidential as required, the structure will remain intact and these objects will
remain available, so as not to diminish the functionality of the system. Access controls that are
incorporated into a security plan are ... Show more content on Helpwriting.net ...
One of the difficulties in managing this access arises from the need to provide a variety of user's
access, each requiring a different type of access to the system. For the sake of security, the need to
manage this access should be defined by one or more of the following frameworks; Role Based
Access Control (RBAC), Discretionary Access Controls (DAC), Mandatory Access Control (MAC),
and Mandatory Access Control (MAC).
Statement of Purpose
The current state of the organization's access control management system is consistent with that of
the DAC model. A recent move to outsource certain business practices and continued organizational
growth has created an environment where increases in employee hiring's and employee turnover are
inevitable. An analysis of various methods of access control has been requested, so that we can
better understand how specific access control attacks are perpetrated and their origin. Information
will be collected and then analyzed in order to substantiate any recommended changes to the current
access control configurations. RBAC, DAC, and MAC will be compared and contrasted, in order to
gain insight, as to how each plays a role in reducing the risk to a system, along with identifying the
strengths and weaknesses of each. These results, along with a detailed recommendation will be
presented to executive management, in order to generate the necessary support for altering the
current program

Data Security And The Security

More Related Content

Similar to Data Security And The Security (20)

More from Rachel Phillips (20)

Recently uploaded (20)

Data Security And The Security