Administrative Access Control

Logical and Administrative Access Control

  • Access Rights Administration
  • Authentication
  • Network Access
  • Operating System Access
  • Application Access
  • Remote Access

We will evaluate the ability of these controls to restrict access to system resources.

Physical Security Access Control

We will assess your ability to maintain the confidentiality, integrity, and availability of information, and evaluate the assurances provided by physical access controls.  We will review:

  • Data Center Security
  • Cabinet and Vault Security
  • Physical Security

Encryption Access Control

We will assess encryption controls, where appropriate. Encryption is a key control used to secure communications and data storage, particularly authentication credentials and the transmission of sensitive information. We will evaluate:

  • Cryptosystem effectiveness
  • Encryption key management
  • Encryption types

Malicious Code Access Control

We will evaluate risks and vulnerabilities posed by malicious code. Malicious code is any program that acts in an unexpected and potentially damaging way.

Systems Development, Acquisition, and Maintenance

We will evaluate your system development, acquisition, and maintenance functions and assess whether security controls are established in software prior to development, acquisition, and implementation.

Personnel Security Access Control

We will evaluate controls over legitimate users concerning their access and credentialing for system access necessary to perform their duties.  Because of their internal access levels and intimate knowledge of educational institution processes, authorized users pose a potential threat to systems and data. We will evaluate:

  • Background checks and screening
  • Agreements: confidentiality, non-disclosure, and authorized use
  • Job descriptions
  • Training (Initial as well as continuing)

Electronic and Paper-Based Media Handling Access Control

We will evaluate controls over sensitive information on media such as paper documents, output reports, back-up tapes, disks, cassettes, optical storage, test data, and system documentation.  Protection of that data requires protection of such media. We will evaluate:

  • Handling
  • Storage
  • Disposal
  • Transit

Logging and Data Collection Control

We will assess whether reasonable steps have been taken to ensure that sufficient data is collected in secure log files to identify and respond to security incidents and to monitor and enforce policy compliance. This control area is critical for an effective response program.

Service Provider Oversight Control

We will evaluate your controls over outsourcing arrangements, ensuring that such arrangements provide an effective means to support the institution’s technology needs while retaining your responsibility for managing risk. We will evaluate:

  • Due diligence
  • Control and Security SLAs

Intrusion Detection and Response Access Control

We will assess your capability to detect and react to an intrusion into your information systems. Security systems must restrict access and protect against the failure of those access restrictions.  However, detection and response capabilities must detect and react to intrusions when those systems fail.  This control area is critical for an effective and appropriate response program.

We will evaluate:

  • Intrusion Detection capabilities
  • Intrusion Response capabilities
  • Incident handling procedures, including risk escalation and notification.