three-factor authentication; that is, providing two or three out of four: what they know
(e.g., password or PIN), what they have (e.g., key, badge, magnetic card), what they are
(e.g., fingerprint or other biometric), or what they do (e.g., signature mechanics).
9.12.2 Commentary
The process and mechanics of identity management must not violate personal privacy. Personal identification information (e.g., name, SSN, address, etc.) can be isolated or hidden behind a technical construct that uses a user ID and a privilege ID that have no outside meaning. The goal is to provide anonymity as much as possible, whether to the casual observer or the determined intruder. There may be a table or database where the anonymous index is associated with personal information; however, unauthorized access will require multiple depths of penetration or collusion to uncover the personal information.
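The separation described in this commentary can be shown in code. The following is an added example, not taken from the book: the names `AccessStore`, `IdentityVault` and `link_token`, and the choice of an HMAC-SHA-256 keyed index, are assumptions made for illustration. Associating an anonymous user ID with a person requires both the vault and a link key held outside either store.

```python
import hashlib
import hmac
import secrets

class AccessStore:
    """Operational store (hypothetical): opaque IDs only, no personal data."""
    def __init__(self):
        self.privileges = {}  # user_id -> set of privilege IDs

    def enroll(self, privilege_ids):
        user_id = secrets.token_hex(16)  # random, no meaning outside the system
        self.privileges[user_id] = set(privilege_ids)
        return user_id

    def is_authorized(self, user_id, privilege_id):
        return privilege_id in self.privileges.get(user_id, set())

class IdentityVault:
    """Separate store (hypothetical): personal data indexed by a keyed token."""
    def __init__(self):
        self.records = {}  # token -> personal data

    def put(self, token, personal_data):
        self.records[token] = dict(personal_data)

    def get(self, token):
        return self.records.get(token)

def link_token(link_key, user_id):
    """Vault index for a user ID; computable only by whoever holds link_key."""
    return hmac.new(link_key, user_id.encode(), hashlib.sha256).hexdigest()

def demo():
    link_key = secrets.token_bytes(32)  # held by a custodian, in neither store
    access, vault = AccessStore(), IdentityVault()
    priv = secrets.token_hex(8)  # privilege ID, equally opaque
    uid = access.enroll([priv])
    vault.put(link_token(link_key, uid), {"name": "Alex Example"})  # constructed
    allowed = access.is_authorized(uid, priv)  # decision uses no personal data
    direct = vault.get(uid)  # the user ID alone does not index the vault
    wrong = vault.get(link_token(secrets.token_bytes(32), uid))  # wrong key
    resolved = vault.get(link_token(link_key, uid))  # vault plus link key
    return allowed, direct, wrong, resolved

if __name__ == "__main__":
    print(demo())
```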
9.13 Protecting the Information Infrastructure
Infrastructure is the underlying foundation of organizational operations. Infrastructure includes those aspects on which or in which business activities take place. Information infrastructure is the underlying foundation in support of information and information technology. The applied IA² snapshot in Table 9.14 focuses on business and technical requirements behind protecting the information infrastructure.
9.13.1 Applied IA²: Protecting the Information Infrastructure Capability
A comprehensive list of security requirements behind information infrastructure
protection includes the following business and technical requirements, where each
category considers each IA core principle to form a matrix of requirements that
decomposes the larger problem:
- Business
  - Business process
    - Facilitate secure communications with Company X for customers, vendors, partners, and ad hoc relationships.
    - Secure remote worker connectivity.
    - Minimize administrative intervention during account creation, management, and termination.
    - Ensure messages and transactions are received unaltered and may not later be denied having been sent.