Access Control

Independent Software Incorporated (ISI) is a small software development company with eight employees who work at the home office. Their primary accounts are associated with major market retailers, the federal government, and large state governments. The computer environment for ISI contains a Linux file and print server, a Linux Web server, and ten heterogeneous workstations running multiple operating systems. ISI’s coding development projects often encompass classified information and personally identifiable information (PII).

Based on the scenario above, write a unique paper where you:
Explain why ISI needs an access control plan and the goals of the plan, citing specific, credible sources that support your assertions and conclusions.
Develop at least three layered access security strategies that can be used to protect ISI’s data at rest, data in motion, and file systems, citing specific, credible sources that support your proposed strategies.
Explain a best practice process and procedures for implementing ISI’s access security strategies and the overall framework in which they will reside, citing specific, credible sources that support your assertions and conclusions.
Describe the verification process that can be used to ensure that ISI’s access control plan is effective, citing specific, credible sources that support your assertions and conclusions.
Explain how ISI’s verification process will be maintained and updated in response to future changes in access requirements.

Sample Solution

Why ISI Needs an Access Control Plan

Independent Software Incorporated (ISI) requires a robust access control plan to protect sensitive data due to several factors:

  • Data Sensitivity: ISI handles classified information and Personally Identifiable Information (PII) associated with major market retailers, the federal government, and large state governments. These data types require strict access control measures to comply with regulations and prevent unauthorized access, disclosure, or modification (National Institute of Standards and Technology (NIST), Special Publication 800-161, 2017: https://doi.org/10.6028/NIST.SP.800-161).
  • Multiple Users and Systems: With eight employees working on various projects across ten heterogeneous workstations, managing user access and system privileges becomes complex. A centralized access control plan ensures consistent security policies are applied across the network (SANS Institute, Reading Room – Access Control, 2023).

Goals of the Access Control Plan

ISI’s access control plan should strive to achieve the following goals:

  • Confidentiality: Only authorized users should be able to access sensitive data.
  • Integrity: Data must be protected from unauthorized modification or destruction.
  • Availability: Authorized users must have timely and reliable access to the data they need to perform their jobs.
  • Accountability: Track user activity to identify any unauthorized access attempts or suspicious behavior.

Layered Access Security Strategies

To achieve its access control goals, ISI can implement a layered security strategy encompassing data at rest, data in motion, and file systems:

  1. Data at Rest:

    • Encryption: Encrypt sensitive data at rest using industry-standard algorithms like AES-256. This keeps the data unreadable to anyone who obtains it without the key, even after a breach (Chen, et al., A survey of encryption techniques, 2002).
    • Access Control Lists (ACLs): Implement ACLs on file systems to define specific user permissions (read, write, execute) for accessing data (National Institute of Standards and Technology (NIST), Special Publication 800-161, 2017: https://doi.org/10.6028/NIST.SP.800-161).
  2. Data in Motion:

    • Secure Sockets Layer/Transport Layer Security (SSL/TLS): Enforce the use of SSL/TLS protocols for all network communication to encrypt data in transit between users and servers (Imperva, What is SSL/TLS? Everything You Need to Know About Secure Sockets Layer/Transport Layer Security, 2023).
    • Virtual Private Networks (VPNs): Utilize VPNs for remote access, creating a secure tunnel for data transmission over the public internet (Palo Alto Networks, What is a VPN? A Guide to Virtual Private Networks, 2023).
  3. File Systems:

    • User Authentication: Implement a strong user authentication system using multi-factor authentication (MFA) to add an extra layer of security beyond usernames and passwords (Duo Security, The Essential Guide to Multi-Factor Authentication (MFA), 2023).
    • Least Privilege: Assign users the minimum level of access permissions necessary to perform their job functions, minimizing the potential damage from a compromised account (National Institute of Standards and Technology (NIST), Special Publication 800-161, 2017: https://doi.org/10.6028/NIST.SP.800-161).
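
As an added illustration of the ACL and least-privilege items above (not part of the original sample solution), the following Python script audits a project directory on a Linux file server and then tightens it. The policy it enforces (no permission bits for "other", setgid on directories so new files inherit the project group), the function names and the sample tree are assumptions constructed for this example.

```python
import os
import stat
import tempfile

# Assumed policy (illustrative): a project tree grants nothing to "other",
# and directories carry setgid so new files inherit the project group.

def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for policy violations."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits are not meaningful on Linux
        rel = os.path.relpath(path, root)
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        elif mode & stat.S_IRWXO:
            findings.append((rel, "accessible to other"))
        if stat.S_ISDIR(st.st_mode) and not mode & stat.S_ISGID:
            findings.append((rel, "directory missing setgid"))
    return sorted(findings)

def remediate(root, findings):
    """Strip 'other' bits and set setgid on directories named in findings."""
    for rel in {rel for rel, _ in findings}:
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode) & ~stat.S_IRWXO
        if os.path.isdir(path):
            mode |= stat.S_ISGID
        os.chmod(path, mode)

def build_sample_tree():
    """Constructed sample: a project directory with deliberately loose modes."""
    root = tempfile.mkdtemp(prefix="isi_project_")
    os.mkdir(os.path.join(root, "src"))
    layout = {"": 0o755, "src": 0o2750, "pii.csv": 0o644,
              "notes.txt": 0o666, os.path.join("src", "main.c"): 0o640}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, finding in audit_tree(tree):
        print(f"{rel}: {finding}")
    remediate(tree, audit_tree(tree))
    print("remaining findings:", audit_tree(tree))
```

The script inspects mode bits only; POSIX ACL entries set with setfacl need a separate review with getfacl.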

Implementing and Maintaining the Access Control Plan

Best Practices:

  • Develop clear policies and procedures: Document the access control plan with clear guidelines for user access, password management, and security protocols. Train all employees on these policies (SANS Institute, Information Security Policy Management, 2023).
  • Regular Reviews and Audits: Conduct periodic reviews of the access control plan to ensure its effectiveness and adapt to changing
