1
00:00:06,990 --> 00:00:08,030
- [Instructor] Now the next step

2
00:00:08,030 --> 00:00:10,410
of an access control process

3
00:00:10,410 --> 00:00:12,625
is to establish the access control policy

4
00:00:12,625 --> 00:00:15,300
for each asset or data.

5
00:00:15,300 --> 00:00:17,893
And this will be based on
the classification label

6
00:00:17,893 --> 00:00:20,300
the asset has received,

7
00:00:20,300 --> 00:00:23,190
in classification on
marking that we discussed

8
00:00:23,190 --> 00:00:25,150
earlier in this lesson.

9
00:00:25,150 --> 00:00:28,920
Now, the access control policy
should include information

10
00:00:28,920 --> 00:00:32,240
on who can access the asset or its data,

11
00:00:32,240 --> 00:00:35,480
and when, and in which modality.

12
00:00:35,480 --> 00:00:38,653
Now, the access control
policy will also describe

13
00:00:38,653 --> 00:00:43,653
how that asset should be
protected depending on its state.

14
00:00:44,810 --> 00:00:49,740
There are three main states
that could be of any given time

15
00:00:49,740 --> 00:00:52,970
or the data, it could
be in any given time.

16
00:00:52,970 --> 00:00:56,020
The first one is data at rest.

17
00:00:56,020 --> 00:00:59,800
And that refers to data that
resides in a storage device

18
00:00:59,800 --> 00:01:02,800
such as a hard drive, or USB drive,

19
00:01:02,800 --> 00:01:05,883
or pen drive, or any digital media.

20
00:01:06,730 --> 00:01:09,826
Now, data is in this state
most of its lifetime.

21
00:01:09,826 --> 00:01:12,030
Data at rest is usually protected

22
00:01:12,030 --> 00:01:15,480
by strong access controls and encryption.

23
00:01:15,480 --> 00:01:17,790
Now, the next one is data in motion.

24
00:01:17,790 --> 00:01:19,120
And that refers to data

25
00:01:19,120 --> 00:01:21,005
that is actually moving
between two parties,

26
00:01:21,005 --> 00:01:23,124
and that is in transit.

27
00:01:23,124 --> 00:01:28,020
When the data is in this state,
it is subject to higher risk

28
00:01:28,020 --> 00:01:30,820
because it goes outside
of the security perimeter

29
00:01:30,820 --> 00:01:33,450
where the data owner may actually have not

30
00:01:35,230 --> 00:01:38,640
provided any control, or
doesn't even have any control.

31
00:01:38,640 --> 00:01:40,270
So in that case,

32
00:01:40,270 --> 00:01:42,790
end-to-end encryption and VPN technologies

33
00:01:42,790 --> 00:01:47,350
are actually usually used
to protect data in motion.

34
00:01:47,350 --> 00:01:50,120
Now, there's also the
concept of data in use,

35
00:01:50,120 --> 00:01:52,040
which refers to data being processed

36
00:01:52,040 --> 00:01:53,468
by applications or programs

37
00:01:53,468 --> 00:01:57,354
that are stored in a
temporary or volatile memory

38
00:01:57,354 --> 00:02:00,205
such as a Random Access Memory or RAM,

39
00:02:00,205 --> 00:02:02,520
what we classify as RAM,

40
00:02:02,520 --> 00:02:06,880
CPU registers, and other
similar mechanisms.

41
00:02:06,880 --> 00:02:08,810
Now, there are different roles

42
00:02:08,810 --> 00:02:11,380
that are commonly used
within an organization.

43
00:02:11,380 --> 00:02:13,760
So it will not be unlikely

44
00:02:13,760 --> 00:02:16,580
to find different names or definitions

45
00:02:16,580 --> 00:02:17,958
for a similar function,

46
00:02:17,958 --> 00:02:22,958
but here are some of the most common ones.

47
00:02:23,510 --> 00:02:26,250
The first one is executives
and senior management.

48
00:02:26,250 --> 00:02:28,110
They have the ultimate responsibility

49
00:02:28,110 --> 00:02:31,080
over the security of the data

50
00:02:31,080 --> 00:02:33,360
and the assets within the organization.

51
00:02:33,360 --> 00:02:38,360
They should be involved in all
the policies and procedures,

52
00:02:38,640 --> 00:02:40,480
and also they're the ones

53
00:02:40,480 --> 00:02:43,560
that approve access to control policies.

54
00:02:43,560 --> 00:02:45,300
Now, the next one is the data owner.

55
00:02:45,300 --> 00:02:49,140
And the data owner is also
called information owner.

56
00:02:49,140 --> 00:02:51,840
And it's usually part
of the management team

57
00:02:51,840 --> 00:02:55,100
that maintains ownership
and responsibility

58
00:02:55,100 --> 00:02:58,178
over a specific piece of information

59
00:02:58,178 --> 00:03:02,050
or a subset of that data or information.

60
00:03:02,050 --> 00:03:04,210
Now, part of the
responsibility of this role

61
00:03:04,210 --> 00:03:06,481
is actually to determine the
appropriate classification

62
00:03:06,481 --> 00:03:08,068
of the information

63
00:03:08,068 --> 00:03:11,890
to ensure that the information
is protected with controls.

64
00:03:11,890 --> 00:03:16,792
And now this is also done
to periodically review

65
00:03:16,792 --> 00:03:19,890
that classification and access rights,

66
00:03:19,890 --> 00:03:21,440
and to understand the risk

67
00:03:21,440 --> 00:03:25,630
associated to the
information that they own.

68
00:03:25,630 --> 00:03:27,950
The next one is the data custodian.

69
00:03:27,950 --> 00:03:29,490
And basically this is an individual

70
00:03:29,490 --> 00:03:33,880
that performs day-to-day task
on behalf of the data owner.

71
00:03:33,880 --> 00:03:35,160
And the main responsibility

72
00:03:35,160 --> 00:03:37,870
is to ensure that the
information is available

73
00:03:37,870 --> 00:03:39,190
to the end user,

74
00:03:39,190 --> 00:03:42,600
and to that the security
policy, the standards,

75
00:03:42,600 --> 00:03:46,379
and the guidelines are fulfilled
across the organization.

76
00:03:46,379 --> 00:03:48,850
Then there's also the system owner.

77
00:03:48,850 --> 00:03:50,730
And the system owner is responsible

78
00:03:50,730 --> 00:03:53,260
for the security of the systems

79
00:03:53,260 --> 00:03:56,130
that handle and process information

80
00:03:56,130 --> 00:03:59,910
owned by the different data owners.

81
00:03:59,910 --> 00:04:01,573
And now their responsibilities are

82
00:04:01,573 --> 00:04:04,700
to ensure that the data is secure

83
00:04:04,700 --> 00:04:05,980
while it's actually being processed

84
00:04:05,980 --> 00:04:07,790
by the system that they own.

85
00:04:07,790 --> 00:04:11,430
Now, the system owner works
closely with the data owner

86
00:04:11,430 --> 00:04:14,120
to determine the appropriate controls

87
00:04:14,120 --> 00:04:16,710
to apply it to that data.

88
00:04:16,710 --> 00:04:19,230
Then there's also the
security administrator.

89
00:04:19,230 --> 00:04:21,960
And the security administrator
manages the process

90
00:04:21,960 --> 00:04:24,980
for granting access and
rights to the information,

91
00:04:24,980 --> 00:04:29,100
and that includes assigning
privileges, granting access,

92
00:04:29,100 --> 00:04:34,100
and monitoring and
maintaining a record of access

93
00:04:34,230 --> 00:04:36,940
by users and by systems.

94
00:04:36,940 --> 00:04:39,830
And then lastly there's the end user.

95
00:04:39,830 --> 00:04:44,830
And the end user is the final
utilizer of the information

96
00:04:45,010 --> 00:04:47,950
and they contribute to the
security of the information

97
00:04:47,950 --> 00:04:51,400
by adhering to the
organization security policy.

98
00:04:51,400 --> 00:04:54,296
Now, one thing to highlight
is that besides these roles,

99
00:04:54,296 --> 00:04:58,130
several other, could be also commonly seen

100
00:04:58,130 --> 00:04:59,290
in a large organization.

101
00:04:59,290 --> 00:05:01,935
So examples are things
like security officers,

102
00:05:01,935 --> 00:05:06,760
these guys are in charge for
the design implementation

103
00:05:06,760 --> 00:05:10,926
and management, and also review
of the security policies,

104
00:05:10,926 --> 00:05:14,513
and to organize and
coordinate information,

105
00:05:15,830 --> 00:05:19,790
security activities
and information system,

106
00:05:19,790 --> 00:05:23,130
security activities as well.

107
00:05:23,130 --> 00:05:23,963
Now there's also

108
00:05:23,963 --> 00:05:26,550
the information system
security professional,

109
00:05:26,550 --> 00:05:28,540
who is responsible to draft policies,

110
00:05:28,540 --> 00:05:33,412
standard and guidelines related
to information security,

111
00:05:33,412 --> 00:05:36,850
and to provide guidance on
new and existing threats.

112
00:05:36,850 --> 00:05:39,990
You may also see in large organizations

113
00:05:39,990 --> 00:05:41,896
folks that are auditors.

114
00:05:41,896 --> 00:05:45,300
And auditors are responsible to determine

115
00:05:45,300 --> 00:05:48,040
whether the owners, the custodians,

116
00:05:48,040 --> 00:05:50,070
and the systems are compliant

117
00:05:50,070 --> 00:05:52,030
with the organization security policies,

118
00:05:52,030 --> 00:05:54,665
and they actually provide
an independent assurance

119
00:05:54,665 --> 00:05:56,520
to senior management

120
00:05:56,520 --> 00:05:59,490
that everything is
actually being established

121
00:05:59,490 --> 00:06:00,903
in a correct way.