CRISC

Course
Time: 5 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Description

This lesson covers access control via authorization and auditing. Authorization is about the rights and permissions a subject has after authentication; it is governed by the principle of least privilege and by granting access on a need-to-know basis. The lesson also warns about authorization creep (rights accumulating as a user moves between roles), discusses auditing as the way to verify that access-control policies are being followed and enforced, and compares centralized, decentralized, and hybrid administration of access control.

Video Transcription

00:04
Our next step is going to be authorization, and authorization is all about what sort of rights, permissions, and privileges I have based on having authenticated previously. Now again, I cannot stress enough the importance of utilizing two key concepts: need to know and the principle of least privilege.
00:23
It wasn't all that long ago that I worked in a company that had about eight people.
00:27
Everybody in the office literally had administrative credentials. Why? Because we've got to do stuff, we might need them down the line. That is not following the principles of need to know and least privilege. So what I want to make sure is that individuals have just the rights and permissions they need to do their job.
00:45
I also have to watch for what we call authorization creep, because what happens with authorization creep is this:
00:52
Let's say that I'm a custodian at building A, so I get the keys to building A.
00:57
Well,
00:58
a few months later, they need me in building B. So I get the keys to building B.
01:02
A few months later, I move to building C and I get the keys for building C.
01:06
What's missing from that picture is that now I have three sets of building keys and I don't need them. That happens with rights and permissions. As you move from department to department, your rights may follow you. Your permissions may follow you. So we want to make sure that we have policies in place
01:22
to regularly review accounts, especially those with administrative credentials or elevated credentials,
01:27
and make sure that users aren't accumulating these rights and permissions.
01:33
Final step: auditing. And we'll talk more about auditing in the next chapter, where we're looking to review, and we're looking to make sure that our policies are being followed, that our policies are working, that they're properly enforced.
01:47
We could talk about auditing firewalls, auditing servers, but also auditing physical access to the building.
01:53
You know, any policy, any procedure that's in place can be audited. We want to make sure things are performing, and the word conformance: conformance to standards. That's all about auditing. Management review of the results of the audit might be a good idea.
02:12
What's happened? Is our security policy as a whole working?
02:15
We want to make sure that we have scheduled audits
02:19
and at least once per year. You know, honestly, the best answer is at least once per year or as risks change, because you and I know this is not a static industry in which we work. Things are changing. They're always in a state of fluctuation. So if we take on new risk,
02:36
we've got to go back and we've got to examine our mitigation strategies and make sure that they're working as well,
02:40
again making sure that we're in alignment with the business objectives. If you're getting the feeling that for this exam, if there's an answer that says to align with the objectives of the business, that's going to be the correct answer, that's absolutely right. And what we always go back to is: What is ISACA trying to teach us with this exam?
03:00
And what they're trying to make sure is that we
03:02
in risk management understand that our value to the company is driven by: Do we make good decisions? Do we bring our organization into alignment with where they want to be against strategic objectives, the overall vision of the organization? You know, I've made myself a lot happier in the workplace
03:23
by realizing
03:23
I'm just a cog in the machine.
03:25
I'm just here to support the machine, and as I bring more value to the organization, I become more valuable to them. That's what it's all about. A couple of different ways to authenticate: authenticate centrally, or we can have decentralized authentication. And really, you don't have to say authentication. You could say
03:46
central access control or decentralized access control
03:50
And really, with any type of management strategy, you ask that question: Do I want to handle this centrally, or do I want it to be decentralized? Well, when you choose centralization, you get a couple of things, and these are big benefits: you get greater control.
04:03
Think about security policy within an organization. I can have everybody authenticate at a domain controller,
04:11
or I could have them authenticate locally and share out files from their system.
04:15
That's too cumbersome, right? Every time you want to access a system (this goes back to peer-to-peer network days) you have to provide login credentials. We don't want to do that,
04:24
so users log on to a domain controller and they get an authentication token,
04:28
and when they go to access a resource, that token is compared against the access control list, and they're granted or denied access.
04:38
Centralization: I get greater control, I get greater security, I get greater consistency. Very valuable.
04:46
Decentralization gives me flexibility and granularity, and what to watch for on the exam: more closely aligned with business unit needs.
04:58
Hey, that's the phrase that you want for the test. And what they mean is, let's say the sales team has one set of requirements, the accounting team has another, the production team has another. So if I let each entity manage at least a portion of their security, a portion of their user accounts, whatever,
05:17
they're able to make sure that they have their needs met exactly.
05:21
Now, I don't mean the whole accounting team is an administrator, but I might delegate administrative privileges to the head of sales or just someone representing the sales team. I hope that makes sense. Decentralization gives me closer alignment with my business units.
05:36
The truth is somewhere in the middle, like most things. So, we have crucial security policy within our organization pushed out from central, and then we have those more particular, nuanced things that go department to department as decentralized. So we call that a hybrid,
05:56
and that's the way most organizations are run.
06:00
The bottom line that I would stress is that neither is right nor wrong. It depends on the given situation.
06:05
Okay, so that's access control: centralized, decentralized versus hybrid.

CRISC (Certified in Risk and Information Systems Control), an archived course, is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor