Which of the following is a technical control?
|
Computer security is often divided into three distinct master categories, commonly referred to as controls: Show
These three broad categories define the main objectives of proper security implementation. Within these controls are sub-categories that further detail the controls and how to implement them. Physical control is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are:
Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as:
Administrative controls define the human factors of security. It involves all levels of personnel within an organization and determines which users have access to what resources and information by such means as: Implement Identification and Authentication mechanisms, including provisions for uniquely identifying and authenticating entities (i.e. users or information system processes acting on behalf of users) Require access to an information system be gained through the presentation of an individual identifier (e.g., a unique token or user login identification [ID]) and authenticator(s) Explicitly identify any user actions that can be performed prior to reliable identification (e.g., reading a publicly available Web site) Ensure the basis of identification and authentication is on one of the three principles of Identification and Authentication What one knows (e.g., passwords) Who one is (e.g., fingerprint, retinal pattern) What one possesses (e.g., token, cryptography key). Ensure that passwords are not shared, displayed online, made visible at session initiation or divulged publicly Ensure that passwords are a minimum of eight characters Ensure that passwords are non-words, mixing letters and numbers At least one uppercase letter, one lower case letter, and one number are required, and no words found in a dictionary will be allowed Ensure passwords are not sports names, family names, employee name, or user Ids Ensure passwords automatically expire every 90 days, with the security software prompting each user for a new password daily beginning 14 days prior to the expiration date The password expiration is a risk based management decision and directorates are encouraged to require a shorter time period for password expiration for more sensitive information systems Ensure passwords are not reused until at least six other passwords have been used Tokens can be used in addition to a password or biometric Four types of tokens are acceptable: hard tokens, soft tokens, one-time password devices, and password tokens Hard Token Ensure that a password is used to activate an authentication key Ensure that authentication keys are not exportable Ensure that any hard token that is used is compliant to NIST SP 800-63 Soft Tokens Ensure that the activation data will be a password known only to the user Ensure that the cryptographic module is compliant to NIST SP 800-63 Ensure that the unencrypted copy of the authentication key shall be erased after each authentication One-Time Password Device Token The device may or may not have some kind of integral entry pad, an integral biometric (e.g., fingerprint) reader or a direct computer interface (e.g., USB port) Ensure that the passwords are generated by using an approved block cipher or hash algorithm to combine a symmetric key stored on a personal hardware device with a nonce to generate a one-time password. The nonce may be a date and time, a counter generated on the device, or a challenge from the verifier (if the device has an entry capability); direct electronic input from the device to a computer is also allowed Ensure that the one-time password have a limited lifetime, on the order of minutes, although the shorter the better Password Token This type of token is a secret that a claimant memorizes and uses to authenticate his or her identity. Passwords are typically character strings; however systems using a number of images that the subscriber memorizes and must identify when presented along with other similar images are also acceptable
|
