Professional Documents
Culture Documents
Security and Safety
Security and Safety
ACCESS CONTROL
PERMITTING SYSTEM
Security
- the quality or state of being free from
danger
- measures taken to guard against
espionage or sabotage, crime, attack or
escape
Access Control
Access controls -are security features that control how
users
and systems communicate and interact with
other systems and resources.
the flow of information between a subject and an
where object.
Subject - an active entity that requests access to an
object or the data within an object.
E.g.: user, program, process etc.
Object - a passive entity that contains the information.
E.g.: Computer, Database, File, Program etc.
Roles
Groups
Location
Time
Transaction Type
Security Principle
Identification
Authentication
Authorization
Security Principle
Identification - describes a method of ensuring that a
subject is the entity it claims to be.
E.g.: A user name or an account no.
Authentication - the method of proving the subjects
identity.
E.g.: Password, Passphrase, PIN
Authorization- the method of controlling the access
of objects by the subject.
E.g.: A user cannot delete a particular file after
logging into the system
Identification Component
Requirements
Each value should be unique, for user
accountability
A standard naming scheme should be
followed
The values should be non-descriptive of
the users position or task
The values should
between the users.
not
be
shared
Authentication Methods
Biometrics
Passwords
Cryptographic Keys
Passphrase
Memory Cards
Smart Cards
Identity Management
Administrative Control
- defined by the top management in an
organization.
Control Components
Policy and Procedures - A security
policy is a high-level plan that states
managements intent pertaining to how
security should be practiced within an
organization, what actions are acceptable,
and what level of risk the company is
willing to accept. This policy is derived
from the laws, regulations, and business
objectives that shape and restrict the
Security policy
Monitoring and supervising
Separation of duties
Job rotation
Information classification
Personnel procedures
Investigations
Testing
Security-awareness and training
Physical Control
- support and work with administrative and technical
(logical) controls to supply the right degree of access
control.
Control Components
Network Segregation - can be carried out through
physical and logical means. A section of the network
may contain web servers, routers, and switches, and yet
another network portion may have employee
workstations
Fences
Locks
Badge system
Security guard
Biometric system
Mantrap doors
Lighting
Motion detectors
Closed-circuit TVs
Alarms
Backups
safe storage area of backups
Technical Control
- called logical controls are tools used to restrict
subjects access to objects. They can be core OS
components, add-on security packages, applications,
protocols,
encryption mechanisms,
and access
control metrics.
Control Components
System Access - control of access to resources is
based
on the sensitivity of data, clearance level of
users,
and users rights and permissions. As technical
control for system access can be a user name
password, Kerberos implementation, biometrics, PKI,
RADIUS, TACACS or authentication using smartcards.
EMERGENCY PROTOCOLS
IN PROCESS INDUSTRY
Hierarchy of Control
Consideration should be given to the following (generally
in order of preference from top to bottom).
Elimination of the hazard
Completely remove the hazard, or risk of exposure to the
hazard. Removal of the hazard is the ideal control solution.
For example:
removal of a noisy machine from a quiet area
removal of fuels from the vicinity of welding