(ISC)² Education & Training

Course 2: Understanding Risk Management Options and the Use of Access Controls to Protect Assets


In this course, we will focus on understanding risk management options and the use of access controls to protect assets. We will start by examining the basic steps that must be in place to develop a security culture within the organization and the policies that shape it, and we will look at how to write and use those policies to enforce security requirements. Then we will move on to the actual business of controlling how our systems, services, resources, and data can be accessed safely by authorized persons. We will also cover access control models such as MAC, DAC, and RBAC, and conclude the chapter with an examination of both LAN and WAN identity management.

Course 2 Learning Objectives

After completing this course, the participant will be able to: 

L2.1 - Provide examples of the types of functional security controls and policies for identified scenarios. 

L2.2 - Classify various access control models. 

L2.3 - Identify components of identity management lifecycle. 

L2.4 - Recognize access control and authentication methods.

Course Agenda

Module 1: Document, Implement, and Maintain Functional Security Controls (Domain 1 - Security Operations and Administration)

Module 2: Access Controls Models (Domain 1 - Security Operations and Administration, Domain 2 - Access Controls)

Module 3: Identity Management Lifecycle (Domain 2 - Access Controls)

Module 4: Implement and Maintain Authentication Methods (Domain 2 - Access Controls, Domain 6 - Network and Communication Security)

Who Should Take This Course: Beginners

Experience Required: No prior experience required


Syllabus

Module 1: Document, Implement, and Maintain Functional Security Controls
In this module we are going to start looking at the pieces that make up a security program. Now that we have examined the process of risk management, we have the information needed to justify the controls and other actions taken to secure and protect the assets of the organization. The core principle of information security must be remembered: security exists solely for the purpose of supporting and enabling the business mission. Our goal as security professionals is not just to be secure but rather to secure the business. Our organizations do not hire us because they are really interested in security; they hire us because management realizes that security is necessary in order for the business to survive.

Senior managers and leaders within the organization focus on achieving efficient use of every resource they have available to them, so that they can maximize the organization’s effectiveness within the marketplaces it serves. Whether it is a for-profit business, a nonprofit organization, or a government agency, the organization (in the words of the motto of the UK’s Royal Air Force Police) has to survive to operate. It has to control the losses due to inefficient business processes, bad weather, or criminal attacks.

Simply put, information security that minimizes losses and protects high-value assets, processes, goals, and objectives pays for itself, and thus commands support and resources from senior management. Security efforts that do not directly support defending those priorities won’t.

The explosive growth in cyber fraud activities during the pandemic of 2020-2021 and the increase in ransomware and other attacks alike demonstrate that the attackers are learning faster than the defenders. Let’s turn that around, starting with how we think about turning security needs and requirements into effective control strategies.
Module 2: Access Controls Models
It could be argued that access controls are the heart of an information security program. Earlier in this course we have looked at the foundation of security through risk management and policy, and the leadership of information security through management involvement and strategic planning, but in the end, security all comes down to “who can get access to our assets (buildings, data, systems, etc.) and what can they do when they get access?”  Access controls are not just about restricting access, but also about allowing access. It is about granting the correct level of access to authorized personnel and processes but denying access to unauthorized functions or individuals. 
Module 3: Identity Management Lifecycle
This part of the course examines the process of identity management. Identity management (IM) is often described using the IAAA model (sometimes called the AAA model). This represents the steps of identification, authentication, authorization, and accounting (sometimes incorrectly called audit; we’ll see why as we go along). Identity management includes establishing, maintaining, and removing identities on our systems. Access control focuses on the real-time tasks necessary to validate that an attempt to access a resource is being made by a recognized, accepted entity using an identity known to the system, and that the attempt is seeking to use privileges that are appropriate and valid for that entity, that resource, and the current circumstances.

Prior to the widespread use of web pages that allow site visitors to create an account (an identity) on that host system, most security professionals and organizational managers thought of IM and AAA as happening on two very different time scales, or as driven by two very different types of events:
  • IM activities were viewed as being driven by large-scale events, such as joining the organization, going through a major change in roles or job responsibilities, and then leaving the organization.
  • AAA activities then occur on a real-time basis with every connection (sign-on) attempt and every access request to resources made by any one of the accounts and user IDs created for that person.

As the concept of identity management has had to expand to include nonhuman users and entities, this view of IM and AAA time horizons has changed in related ways. A company hires human users and acquires endpoints or server devices. It signs partnership agreements with other organizations to set up federated access control mechanisms so that both can share information assets in controlled, secure ways. Each of these is an IM activity that happens once (or a few times) in the lifecycle of that entity’s relationship with the organization.

And just as a human user might go through a thousand resource access attempts during a single workday (or even in a short session), so too might a nonhuman entity performing its assigned or allowed tasks.
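The following is an added illustration, not material from the (ISC)² course, that puts the ideas of Modules 2 and 3 side by side in code: the identity management lifecycle (provision and deprovision, rare events) versus the real-time AAA checks run on every request, with authorization decided by a small role-based access control (RBAC) policy. All usernames, passwords, roles, and resource names are constructed sample values; the PBKDF2 parameters are chosen for the example only, and the `PERMISSIONS` table is a made-up policy.

```python
# Added illustration (not course material): a minimal IAAA pipeline
# (identification, authentication, authorization, accounting) with
# role-based access control. All users, roles, and credentials below are
# constructed sample data.
import hashlib
import hmac
import os
from datetime import datetime, timezone

# --- Identity management side: provisioning (happens rarely) ---
def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; iteration count is for the example only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def provision_user(directory: dict, username: str, password: str, roles: set) -> None:
    """Establish an identity: store a salted password hash and the roles assigned."""
    salt = os.urandom(16)
    directory[username] = {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}

def deprovision_user(directory: dict, username: str) -> None:
    """Remove an identity at the end of its lifecycle (e.g. the person leaves)."""
    directory.pop(username, None)

# --- RBAC policy (constructed): which roles may perform which action on which resource ---
PERMISSIONS = {
    "analyst": {("read", "incident-db")},
    "admin": {("read", "incident-db"), ("write", "incident-db"), ("read", "hr-records")},
}

# --- Access control side: real-time AAA on every request ---
def check_access(directory: dict, audit_log: list, username: str, password: str,
                 action: str, resource: str) -> bool:
    """Run one request through identification, authentication, authorization,
    and accounting. Returns True only if every step passes; every outcome is
    recorded so the accounting trail covers denials as well as successes."""
    stamp = datetime.now(timezone.utc).isoformat()

    # Identification: the claimed identity must be known to the system.
    record = directory.get(username)
    if record is None:
        audit_log.append((stamp, username, action, resource, "DENY:unknown-identity"))
        return False

    # Authentication: prove the claim; constant-time comparison of the hashes.
    if not hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"]):
        audit_log.append((stamp, username, action, resource, "DENY:bad-credential"))
        return False

    # Authorization: is (action, resource) granted to any of the entity's roles?
    allowed = any((action, resource) in PERMISSIONS.get(role, set()) for role in record["roles"])
    audit_log.append((stamp, username, action, resource, "ALLOW" if allowed else "DENY:not-authorized"))
    return allowed

def demo() -> list:
    """Exercise the lifecycle: provision, make requests, deprovision, request again.
    Returns the accounting outcomes in order."""
    directory, audit_log = {}, []
    provision_user(directory, "alice", "correct horse battery staple", {"analyst"})
    check_access(directory, audit_log, "alice", "correct horse battery staple", "read", "incident-db")   # ALLOW
    check_access(directory, audit_log, "alice", "correct horse battery staple", "write", "incident-db")  # DENY:not-authorized
    check_access(directory, audit_log, "alice", "wrong password", "read", "incident-db")                # DENY:bad-credential
    deprovision_user(directory, "alice")
    check_access(directory, audit_log, "alice", "correct horse battery staple", "read", "incident-db")   # DENY:unknown-identity
    return [entry[-1] for entry in audit_log]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of the split into `provision_user`/`deprovision_user` and `check_access` is the two time horizons the module describes: the directory changes a handful of times over an identity's life, while `check_access` runs on every request. Note that the accounting step records denials with a reason, which is what makes the log useful for the access-log auditing activity later on this page: a run of `DENY:bad-credential` entries or requests from a deprovisioned identity are exactly the kind of anomaly a reviewer should be able to spot.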
Module 4: Implement and Maintain Authentication Methods
The implementation of access management contains its own challenges. Audits in many organizations often reveal that the identity management processes used are flawed, resulting in many users who have access permissions that they have accumulated over the years that are not aligned with their current business needs. This is a problem where privacy regulations require accountability and tracking of access permissions, and it can lead to financial penalties, security breaches, and embarrassment for the organization. The idea of an identity and access management (IAM) system is to automate the process and reduce the administrative overhead, while improving reporting and the ability to monitor the access levels granted to users. Some of the features of IAM systems include an automated process for users to request and be granted access to systems, and a streamlined process for new users and for password resets.
Module 5: Chapter 2 Review
It’s not an exaggeration to say that access control is the heart of the information systems security problem. Everything we do as security professionals drives down to this problem set; risk management sets requirements for access control to achieve, and the design, configuration, and operation of the information infrastructures the organization uses must reflect the access control decisions that have been made.  Access control technologies may very well represent the most hotly contested “real estate” in the battle between cyber defenders and cyberattackers.  This chapter has provided you with a rich, detailed, and in-depth orientation and introduction to many aspects of the access control need and problem, while it has also shown you ways to solve that problem and address that need.   

Good to know

Useful point of entry for foundational understanding of data protection and access control
Provides a suitable starting point for beginners to develop a foundational understanding of data protection and access control
May require additional learning to develop practical skills
Prerequisites or prior experience may be necessary for deeper understanding
Suitable for beginners with no prior experience or knowledge in data protection and access control
May provide a foundational understanding of data protection and access control for those in non-technical roles


Activities

Be better prepared before your course. Deepen your understanding during and after it. Supplement your coursework and achieve mastery of the topics covered in Risk Management: Use of Access Controls to Protect Assets with these activities:
Review ISO 27002 Standard on Access Control
Reviewing the ISO 27002 standard will provide a comprehensive overview of best practices for access control.
  • Obtain a copy of the ISO 27002 standard.
  • Read the sections on access control.
  • Take notes on the key concepts and requirements.
Volunteer at a Cybersecurity Event
Volunteering at an event will introduce you to the latest trends and technologies in cybersecurity, access control and identity management in particular.
  • Find a cybersecurity event in your area.
  • Contact the event organizers and offer to volunteer.
  • Attend the event and participate in the activities.
  • Network with other cybersecurity professionals.
Configure Access Control on a Network Device
Configuring access control on a network device will provide hands-on experience with implementing a critical security control.
  • Identify the network device you want to configure.
  • Log in to the device's configuration interface.
  • Navigate to the access control settings.
  • Configure the access control settings according to your organization's security policy.
  • Save the configuration changes.
Compile a List of Identity Management Best Practices
Creating a compilation of best practices will provide you with a valuable reference guide for securing your organization's identity management system.
  • Research identity management best practices from reputable sources.
  • Compile a list of the most relevant and applicable best practices.
  • Share the list with your team or organization.
Configure Access Control Lists (ACLs)
Following tutorials on configuring ACLs will give you practical experience with implementing an important access control mechanism.
  • Find a tutorial on configuring ACLs for your operating system or platform.
  • Follow the steps in the tutorial to configure ACLs for a specific resource.
  • Test the ACLs to ensure they are working as intended.
Develop a Security Control Policy
Drafting a custom security policy will help you better understand how to develop and implement security controls within an organization.
  • Identify the scope and objectives of the security policy.
  • Conduct a risk assessment to identify potential threats and vulnerabilities.
  • Develop a list of security controls to mitigate the identified risks.
  • Write the security policy document.
  • Obtain approval for the security policy from management.
Practice Auditing Access Logs
Regularly reviewing and analyzing access logs can help you detect and prevent security breaches.
  • Collect access logs from your systems.
  • Use a log analysis tool or service to parse and analyze the logs.
  • Identify any suspicious or unusual activity.
  • Take action to investigate and mitigate any identified threats.
Participate in a CTF Competition
Participating in CTF competitions will test your access control knowledge and skills in a fun and challenging environment.
  • Find a CTF competition that is relevant to your interests.
  • Register for the competition.
  • Form a team or participate individually.
  • Solve the challenges and earn points.
  • Have fun and learn!

Career center

Learners who complete Risk Management: Use of Access Controls to Protect Assets will develop knowledge and skills that may be useful to these careers:
Information Security Analyst
In this role, your primary duty involves analyzing and interpreting data to calculate risk. This course provides a great basis for this kind of work by helping you understand risk management options and the use of access control. Once hired, you will likely work closely with IT and security teams to identify vulnerabilities in computer systems and networks. Those without this foundational knowledge often face difficulty in understanding security policies and procedures.
Security Consultant
As a Security Consultant, you would be responsible for advising clients on how to improve their security posture. This course will help you build a foundation in risk management, access controls, and identity management - all of which are critical to the role of a Security Consultant.
IT Auditor
IT Auditors are responsible for ensuring that an organization's IT systems and processes are in compliance with regulatory requirements. This course provides a comprehensive overview of access controls, which are essential for protecting an organization's IT assets.
Risk Manager
Risk Managers are responsible for identifying, assessing, and mitigating risks to an organization. This course provides a solid foundation in risk management, which is essential for success in this role.
Security Architect
Security Architects design and implement security solutions for organizations. This course provides a comprehensive overview of access controls, which are a critical component of any security architecture.
Cybersecurity Analyst
Cybersecurity Analysts are responsible for monitoring and protecting an organization's IT systems and networks from cyberattacks. This course provides a solid foundation in access controls, which are essential for protecting an organization's IT assets.
Network Security Engineer
Network Security Engineers are responsible for designing, implementing, and maintaining an organization's network security infrastructure. This course provides a comprehensive overview of access controls, which are essential for protecting an organization's network.
Security Operations Center (SOC) Analyst
SOC Analysts are responsible for monitoring and responding to security incidents. This course provides a solid foundation in access controls, which are essential for protecting an organization's IT assets.
Incident Responder
Incident Responders are responsible for investigating and responding to security incidents. This course provides a solid foundation in access controls, which are essential for understanding how to prevent and mitigate security incidents.
Penetration Tester
Penetration Testers are responsible for identifying vulnerabilities in an organization's IT systems and networks. This course provides a solid foundation in access controls, which are essential for understanding how to test for and exploit vulnerabilities.
Malware Analyst
Malware Analysts are responsible for analyzing and identifying malware. This course provides a solid foundation in access controls, which can help you understand how malware can bypass security controls and infect systems.
Forensic Analyst
Forensic Analysts are responsible for investigating and analyzing evidence of cybercrimes. This course provides a solid foundation in access controls, which can help you understand how to collect and analyze evidence of cybercrimes.
Security Engineer
Security Engineers are responsible for designing, implementing, and maintaining an organization's security infrastructure. This course provides a solid foundation in access controls, which are essential for designing and implementing a secure infrastructure.
Chief Information Security Officer (CISO)
CISOs are responsible for overseeing an organization's overall security program. This course provides a comprehensive overview of risk management, access controls, and identity management - all of which are critical to the role of a CISO.
Information Security Manager
Information Security Managers are responsible for managing an organization's information security program. This course provides a comprehensive overview of risk management, access controls, and identity management - all of which are critical to the role of an Information Security Manager.

Reading list

We've selected ten books that we think will supplement your learning. Use these to develop background knowledge, enrich your coursework, and gain a deeper understanding of the topics covered in Risk Management: Use of Access Controls to Protect Assets.
Provides a comprehensive overview of access control and identity management, covering topics such as access control models, authentication methods, and identity management best practices. It is a valuable resource for anyone looking to learn more about this important topic.
Provides a comprehensive overview of information security, covering topics such as security policies, security controls, and security management. It is a valuable resource for anyone looking to learn more about this important topic.
Provides a comprehensive overview of network security, covering topics such as network attacks, network defense, and network security tools. It is a valuable resource for anyone looking to learn more about this important topic.
Is the official study guide for the CISSP certification exam. It provides a comprehensive overview of information security, covering topics such as security policies, security controls, and security management. It is a valuable resource for anyone looking to obtain the CISSP certification.
Provides a comprehensive overview of the security controls for federal information systems and organizations. It is a valuable resource for anyone looking to implement these security controls in their organization.
Provides a comprehensive overview of security in computing, covering topics such as security threats, security mechanisms, and security management. It is a valuable resource for anyone looking to learn more about this important topic.
Provides a unique perspective on information security, focusing on the human element of security. It is a valuable resource for anyone looking to learn more about how to protect information systems from social engineering attacks.
Provides a comprehensive overview of social engineering, covering topics such as social engineering techniques, social engineering tools, and social engineering countermeasures. It is a valuable resource for anyone looking to learn more about this important topic.
Provides a comprehensive overview of information security risk management, covering topics such as risk identification, assessment, and mitigation. It is a valuable resource for anyone looking to learn more about this important topic.
Provides a fascinating look at the psychology of security, focusing on how human behavior affects information security. It is a valuable resource for anyone looking to learn more about this important topic.

Similar courses

Here are nine courses similar to Risk Management: Use of Access Controls to Protect Assets.
  • Introduction to Cloud Identity
  • Access Controls for SSCP®
  • Security Operations and Administration for SSCP®
  • Access Control Concepts
  • CISSP - The Complete Exam Guide
  • Identity and Access Management (IAM) for CISSP®
  • Introduction to IT Security
  • Introducing Security: Aligning Asset and Risk Management
  • Identity and Access Management: The Big Picture
© 2016 - 2024 OpenCourser