ISC2
Risk Management: Use of Access Controls to Protect Assets
ISC2

Risk Management: Use of Access Controls to Protect Assets

This course is part of (ISC)² Systems Security Certified Practitioner (SSCP)

Taught in English

Some content may not be translated

3,897 already enrolled

Course

Gain insight into a topic and learn the fundamentals

4.8

(38 reviews)

Beginner level

Recommended experience

6 hours (approximately)
Flexible schedule
Learn at your own pace

Details to know

Shareable certificate

Add to your LinkedIn profile

Assessments

15 quizzes

Course

Gain insight into a topic and learn the fundamentals

4.8

(38 reviews)

Beginner level

Recommended experience

6 hours (approximately)
Flexible schedule
Learn at your own pace

See how employees at top companies are mastering in-demand skills

Placeholder

Build your subject-matter expertise

This course is part of the (ISC)² Systems Security Certified Practitioner (SSCP)
When you enroll in this course, you'll also be enrolled in this Specialization.
  • Learn new concepts from industry experts
  • Gain a foundational understanding of a subject or tool
  • Develop job-relevant skills with hands-on projects
  • Earn a shareable career certificate
Placeholder
Placeholder

Earn a career certificate

Add this credential to your LinkedIn profile, resume, or CV

Share it on social media and in your performance review

Placeholder

There are 5 modules in this course

In this module we are going to start looking at the pieces that make up a security program. Now that we have examined the process of risk management, we have the information needed to justify the controls and other actions taken to secure and protect the assets of the organization. The core principle of information security must be remembered, which is that security exists solely for the purpose of supporting and enabling the business mission. Our goal as security professionals is not just to be secure but rather to secure the business. Our organizations do not hire us because they are really interested in security; they hire us because management realizes that security is necessary in order for the business to survive.   Senior managers and leaders within the organization focus on achieving efficient use of every resource they have available to them, so that they can maximize the organization’s effectiveness within the marketplaces it serves. Whether it is a for-profit business, a nonprofit organization, or a government agency, the organization (in the words of the motto of the UK’s Royal Air Force Police) has to survive to operate. It has to control the losses due to inefficient business processes, bad weather or criminal attacks.  Simply put, information security that minimizes losses and protects high-value assets, processes, goals, and objectives pays for itself, and thus commands support and resources from senior management. Security efforts that do not directly support defending those priorities won’t.  The explosive growth in cyber fraud activities during the pandemic of 2020-2021 and the increase in ransomware and other attacks alike demonstrates how the attackers are learning faster than the defenders. Let’s turn that around, starting with how we think about turning security needs and requirements into effective control strategies. 

What's included

6 videos2 readings3 quizzes

It could be argued that access controls are the heart of an information security program. Earlier in this course we have looked at the foundation of security through risk management and policy, and the leadership of information security through management involvement and strategic planning, but in the end, security all comes down to “who can get access to our assets (buildings, data, systems, etc.) and what can they do when they get access?”  Access controls are not just about restricting access, but also about allowing access. It is about granting the correct level of access to authorized personnel and processes but denying access to unauthorized functions or individuals. 

What's included

3 videos3 readings2 quizzes

This part of the course examines the process of identity management. Identity management (IM) is often described using the IAAA model (sometimes called the AAA model). This represents the steps of identification, authentication, authorization, and accounting (sometimes incorrectly called audit; we’ll see why as we go along). Identity management includes establishing, maintaining, and removing identities on our systems. Access control focuses on the real-time tasks necessary to validate that an attempt to access a resource is being done by a recognized, accepted entity using an identity known to the system, and that the attempt is seeking to use privileges that are appropriate and valid for that entity, that resource, and current circumstances.  Prior to the widespread use of web pages that allow site visitors to create an account (an identity) on that host system, most security professionals and organizational managers thought of IM and AAA as happening on two very different time scales, or as driven by two very different types of events:  IM activities were viewed as being driven by large-scale events, such as joining the organization, going through a major change in roles or job responsibilities, and then leaving the organization.   AAA activities then occur on a real-time basis with every connection (sign-on) attempt and every access request to resources made by any one of the accounts and user IDs created for that person.  As the concept of identity management has had to expand to include nonhuman users and entities, this view of IM and AAA time horizons has changed in related ways. A company hires human users and acquires endpoints or server devices. It signs partnership agreements with other organizations to set up federated access control mechanisms so that both can share information assets in controlled, secure ways. Each of these are IM activities that happen once (or a few times) in the lifecycle of that entity’s relationship with the organization.  And just as a human user might go through a thousand resource access attempts during a single workday (or even in a short session), so too might a nonhuman entity performing its assigned or allowed tasks. 

What's included

7 videos2 readings7 quizzes

 The implementation of access management contains its own challenges. Audits in many organizations often reveal that the identity management processes used are flawed, resulting in many users who have access permissions that they have accumulated over the years that are not aligned with their current business needs. This is a problem where privacy regulations require accountability and tracking of access permissions, and it can lead to financial penalties, security breaches, and embarrassment for the organization. The idea of an identity and access management (IAM) system is to automate the process and reduce the administrative overhead, while improving reporting and the ability to monitor the access levels granted to users. Some of the features of IAM systems include an automated process for users to request and be granted access to systems, a streamlined process for new users and for password resets. 

What's included

8 videos4 readings2 quizzes

It’s not an exaggeration to say that access control is the heart of the information systems security problem. Everything we do as security professionals drives down to this problem set; risk management sets requirements for access control to achieve, and the design, configuration, and operation of the information infrastructures the organization uses must reflect the access control decisions that have been made.  Access control technologies may very well represent the most hotly contested “real estate” in the battle between cyber defenders and cyberattackers.  This chapter has provided you with a rich, detailed, and in-depth orientation and introduction to many aspects of the access control need and problem, while it has also shown you ways to solve that problem and address that need.   

What's included

1 reading1 quiz1 peer review

Instructor

Instructor ratings
5.0 (16 ratings)
(ISC)² Education & Training
ISC2
20 Courses74,096 learners

Offered by

ISC2

Recommended if you're interested in Security

Why people choose Coursera for their career

Felipe M.
Learner since 2018
"To be able to take courses at my own pace and rhythm has been an amazing experience. I can learn whenever it fits my schedule and mood."
Jennifer J.
Learner since 2020
"I directly applied the concepts and skills I learned from my courses to an exciting new project at work."
Larry W.
Learner since 2021
"When I need courses on topics that my university doesn't offer, Coursera is one of the best places to go."
Chaitanya A.
"Learning isn't just about being better at your job: it's so much more than that. Coursera allows me to learn without limits."

Learner reviews

Showing 3 of 38

4.8

38 reviews

  • 5 stars

    87.17%

  • 4 stars

    7.69%

  • 3 stars

    2.56%

  • 2 stars

    0%

  • 1 star

    2.56%

SS
5

Reviewed on May 31, 2023

New to Security? Start here.

Placeholder

Open new doors with Coursera Plus

Unlimited access to 7,000+ world-class courses, hands-on projects, and job-ready certificate programs - all included in your subscription

Advance your career with an online degree

Earn a degree from world-class universities - 100% online

Join over 3,400 global companies that choose Coursera for Business

Upskill your employees to excel in the digital economy

Frequently asked questions