[Kelly Crooks]

I agree with what you responded to my post as well as what you posted in your own discussion of SSO. In my own business, I have several hundred sites I access using a front computer, office computer, iPad as well as my phone. Having a single sign-on not only saves me time from having to sign in each and every time but also saves me from having to remember all the passwords and usernames associated with each site. I do have to remember to sign out every night and I have also implemented screen passwords on both computers, just as an added step of security.

[Kelly Crooks]

Marcena, great post. There are certain things I never really considered with IT, like the human resource side of the field. I guess when I think about IT and systems security officers I don’t necessarily consider the policies and procedures and who implements and designs them. I should have considered that since that is what my brother does now. He writes and implements security protocols, policies, and procedures for an underground lab. I agree with what you said about the Triad of information security is a fundamental concept. Making sure that a company’s data is protected is crucial and it is important to have the confidence of the stakeholders.

[Kelly Crooks]

Marcena, nice to be in class with you again! I remember a bit of this information from one of my previous courses. Do you have experience with risk management in IT? Really the only experience that I have with risk management asserts, and threats are keeping my company information and customer information safe when I enter into the POS program and Quickbooks. Even though I only have one location there are several controls that I have in place to keep that information and data safe, especially because I switched over to cloud-based storage.

[Kelly Crooks]

RADIUS- Remote Authentication Dial-In User Service.

Pros:
RADIUS is open-source and readily available
RADIUS utilizes the client/server model to authenticate and authorize users
Radius allows for unique credentials for each user
RADIUS passwords do not routine changing
RADIUS allows IT admins to have one point of contact for user management
RADIUS makes it easier to control who or what has access

Cons:
RADIUS uses connectionless protocol using UDP
RADIUS maintenance can be difficult and time-consuming
RADIUS initial setup can be difficult
RADIUS setup can be complicated
RADIUS can be hard to know which version is best to choose
RADIUS has options that can be costly and require long-term commitments

Some of RADIUS’s characteristics include the AAA protocol(Authentication, Authorization, Accounting, and Auditing). Cloud-based RADIUS a-as-a-Service offers similar capabilities. De facto standard for the authentication protocol. Open source means it has been integrated into many vendor products. RADIUS works on the client/server model. RADIUS is deemed connectionless since it is based on UDP.

The methods for centralized access control using RADIUS include:
The user connects to the server.
The access server requests authentication data from the user.
The RADIUS client sends authentication data to the RADIUS server.
RADIUS server compares data to the database.
RADIUS server sends the response.
If Accept is the response the RADIUS client allows the user to access the network.

[Kelly Crooks]

Identity management, authentication techniques, single sign-on, and access control monitoring are all ways to make sure the user is identified correctly to gain access to data. Identification is the act of stating or otherwise indicating a claim of purportedly attesting to a person or thing’s identity. Each person or process must have a unique identity when accessing data. The identification process must drive access control.

Authentication techniques include things such as pin numbers, biometric markers, passwords, passphrase RFID or some other form of authenticating the identity of the user or owner of the data.

Single-sigh-on is just that, the user only needs to authenticate their identity one time to have access to applications and tasks. This makes it easier to move between tasks and makes it easier to get your work done. The drawback is that you only need to sign in one time and others can have access to your work if you leave the computer or don’t sign out.

Access control monitoring helps to make sure that services and access are controlled and secure. It is an investment in time, talent, and resources but without constant and diligent monitoring, the risk of unsatisfactory business outcomes is higher. Making sure that a business’s data is secure and safe is a key part of what a security manager does. It is our job as security information officers to make sure the data is safe but also that only those people with the correct authorization have access to that data.

[Kelly Crooks]

Information Security management plays a key role in the success of a business because it is that security that keeps the company’s assets safe and secure. Information security must align with the mission, goals, and objectives of the business it is working with. Information security must also be business-enabled, meaning information security can not impede the business. Lastly, information security must have good process enhancement- information security facilitates good productivity by protecting against any and all risks.

Key factors of security management include policy, budget, resources, and authority. Good security management has in place the correct policies to make sure everyone is following the same policies and procedures and that everyone involved has the same goals and end plan in mind. A good security management team or firm makes sure that they understand what the budget is and make sure they follow that budget. If problems arise they need to make sure they inform the correct management team members about over-costs or under-costs on the budget. Making sure that all the available and current resources are available and in place to make sure the security management has what they need to secure the company assets. It is difficult to protect a company and ensure that the company is successful if you don’t have the right resources to perform the job. A good security management team makes sure that not only the correct authority is in place in their team but also in the company they are protecting. They need to make sure that the correct authority chain of command is followed and that all involved know their specific role.

There are several types of controls used in security management. One is administrative controls which include policies, procedures, and guidelines, employee management, testing and drilling, risk management and analysis, and awareness training. A second security management control used is technical or logical controls. These include firewalls, IDS/IPS, encryption, access control techniques, and various system protocols. The third control is physical control. These include things like doors, windows, walls, locks, security guards, fencing, and lighting.

The ownership chain consists of four categories. The first includes the senior management and the board of directors who are ultimately responsible for the information security program. The security manager is responsible for leading the security program and is trusted and familiar with the system. The security officer works under the security manager and is a certified professional who can design and implement the program. Physical security personnel are responsible for protecting buildings and managing access to the physical buildings.

The second category includes the information (data) owner who is responsible for the protection of the organization’s information. The system owner is responsible for specific computers on behalf of the business unit. The data custodian is required to implement and maintain controls to provide the protection level dictated by the data owner. The user is responsible for protecting the information to which they have been entrusted.

The third category includes local managers who are responsible for day-to-day security awareness and the auditors who are responsible for independent, objective, and systematic evaluation of protection.

[Kelly Crooks]

This first devotion ties into the last devotion of my human services class I just finished. God uses us and gives us all some kind of gift or talent. God hasn’t given me the gift or talent of money, wealth, singing, preaching, or anything like that. What God has given me and expects me to use is my gift of prayer. I love to pray and I am good at praying for others. I spend several hours a day in prayer. Prayer is so powerful and wonderful and I have seen the results of prayer so many times in my life. What people tend to forget is that God always answers our prayers. God answers prayer in the way that He sees fit sometimes and not how we want it answered or what we were expecting. God has used me in this spectacular way far more than I could have ever expected or dreamed of. I don’t get fame or recognition from prayer and sometimes I wonder why God answered a prayer the way He did, but I am doing what God has called me to do and I do it willingly because I know what my reward, in the end, will be!

[Kelly Crooks]

Risk management is essential as a Systems Security officer because it is our job to protect our clients and customers’ assets from threats. Those threats can include internal and external threats as well as skilled and unskilled agents, and natural events. Threats also come in the form of hackers, a worm seriously degrading the performance of a network, violation of security and user privacy, and many other threats.

Protecting assets is important because those clients and customers count on us to protect their information and data. Assets can be vulnerable to attacks due in part to a lack of access control. poop procedures and lack of training. Other vulnerabilities include a lack of understanding of the security protocols used, a lack of communication structure, not being able to respond quickly to an attack or threat, and misuse of access by authorized users.

Controls used in risk management and asset protection are things that are put in place between threats and assets.IT countermeasures include things like firewalls, smart cards, and antivirus software. Non-it countermeasures can be put into place as well such as guards and procedures, implementing regular security training, and awareness training for employees.

[Author]

Posts