Information Technology Reference
In-Depth Information
Note: Discretionary access controls make use of an access control list
(ACL) associated with each identity and resource to enforce privilege and
access limitations. ACLs can become very complex, configured to control
access over file and data resources, network shares, services, and port
availability with fine-resolution control over specific rights such as change
and delete capabilities.
Identity Management
The overall management of security principals and the effective assignment
of access rights and controls together form the practice of identity
management. Without unique identification of user and service activity,
many aspects of network security become difficult to maintain. Shared
user accounts present a particular difficulty when later attempting to
assign responsibility for unauthorized changes, system misuse, or
discovered contraband data. Shared and anonymous log-on credentials
should never be used for secured access to enterprise resources, due to
the inability to later associate specific responsibility for account use and
access actions.
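The attribution problem described above, as an added example (not from the original text): given constructed log-on records with hypothetical account and host names, it flags an account in use from two hosts at once and shows that an audited change made under that account cannot be tied to a single source.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log-on records: (account, source host, log-on, log-off).
# Account and host names are hypothetical.
SESSIONS = [
    ("jsmith", "ws-014", "2024-03-01T08:02", "2024-03-01T17:05"),
    ("backup", "ws-014", "2024-03-01T09:10", "2024-03-01T09:40"),
    ("backup", "ws-027", "2024-03-01T09:25", "2024-03-01T10:15"),
    ("backup", "srv-03", "2024-03-01T22:00", "2024-03-01T23:30"),
    ("mlee",   "ws-031", "2024-03-01T08:30", "2024-03-01T12:00"),
    ("mlee",   "ws-031", "2024-03-01T13:00", "2024-03-01T17:00"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def shared_accounts(sessions):
    """Map each account to the host pairs that held overlapping sessions."""
    by_account = defaultdict(list)
    for acct, host, start, end in sessions:
        by_account[acct].append((parse(start), parse(end), host))
    flagged = {}
    for acct, rows in by_account.items():
        rows.sort()  # by log-on time
        pairs = []
        for i, (_, end1, host1) in enumerate(rows):
            for start2, _, host2 in rows[i + 1:]:
                if start2 >= end1:
                    break  # sorted by start, so no later row overlaps row i
                if host1 != host2:
                    pairs.append((host1, host2))
        if pairs:
            flagged[acct] = pairs
    return flagged

def candidate_sources(sessions, account, when):
    """Hosts with a live session for `account` at the time of an audited action."""
    t = parse(when)
    return sorted({host for acct, host, start, end in sessions
                   if acct == account and parse(start) <= t <= parse(end)})

if __name__ == "__main__":
    print("shared use:", shared_accounts(SESSIONS))
    # Constructed audit event: a change made as "backup" at 09:30.
    print("backup @09:30:", candidate_sources(SESSIONS, "backup", "2024-03-01T09:30"))
    print("jsmith @09:30:", candidate_sources(SESSIONS, "jsmith", "2024-03-01T09:30"))
```
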
Regulatory Mandates
Many legislative articles include specific requirements for identity
management and access control logging in order to meet regulatory
compliance mandates. Financial penalties and legal implications provide strong
business drivers for the adoption of identity management practices to meet
these guidelines. Federal legislation that requires identity management for
responsibility and privacy controls includes the following:
• Gramm-Leach-Bliley Act (GLBA)
• Children's Online Privacy Protection Act (COPPA)
• Fair Credit Reporting Act (FCRA)
• Family Educational Rights and Privacy Act (FERPA)
• Federal Identity Theft Assumption and Deterrence Act
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)
• Aviation and Transportation Security Act