Operational and Organizational Security: Policies and Disaster Recovery• Chapter 12  715

ical information. The dental assistant would need to see this clinical information on the patient's history, but would not need to see billing information. The dentist would need to view all of the information. By dividing privileges into roles, administrators are able to control what access a person has based on the role associated with their user account.
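The dental office scenario above, worked through as an added example (not code from the book): a small role-based model in which administrators grant access only by changing role membership, access is denied unless a held or inherited role explicitly grants the resource/action pair, and a role hierarchy lets the dentist inherit the assistant's view. The role names, resources, actions and the "receptionist" role are assumptions made for illustration.

```python
"""Minimal role-based access control (RBAC) for the dental office scenario.
Constructed example: role names, resources and actions are assumptions;
only the assistant/dentist split comes from the text."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Each role grants an explicit permission set; nothing else is reachable.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "dental_assistant": frozenset({("history", "read"), ("clinical", "read")}),
    "dentist": frozenset({("clinical", "write"), ("billing", "read")}),
    "receptionist": frozenset({("billing", "read"), ("billing", "write")}),  # assumed
}
# Hierarchical RBAC: a role inherits everything its parent roles grant.
ROLE_PARENTS: Dict[str, Set[str]] = {"dentist": {"dental_assistant"}}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str] = frozenset()


def assign_role(user: User, role: str) -> User:
    """Administrators change access by changing role membership only."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    return User(user.name, user.roles | {role})


def expand_roles(roles: FrozenSet[str]) -> FrozenSet[str]:
    """Close the role set under inheritance (dentist -> dental_assistant)."""
    seen, todo = set(), list(roles)
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(ROLE_PARENTS.get(r, ()))
    return frozenset(seen)


def permissions_for(user: User) -> FrozenSet[Permission]:
    """Effective permissions: union over directly held and inherited roles."""
    return frozenset().union(*(ROLE_PERMISSIONS[r] for r in expand_roles(user.roles)))


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Deny-by-default: True only if some role grants exactly this pair."""
    return (resource, action) in permissions_for(user)
```

A user with no roles, or a request for a pair no role grants, is refused; the check never consults the user name, so access follows the role and not the person.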


TEST DAY TIP

The Security+ exam requires you to understand the terms MAC, DAC, and RBAC, and the concepts behind them. When taking the Security+ exam, try to remember that:
  ■ MAC has every account and object associated with groups and roles, which are used to control access. It is the only method of the three that is considered to be of military strength.
  ■ DAC also provides access on the basis of users and groups, but access to data can be granted or denied at the discretion of the data's owner.
  ■ RBAC associates users with different roles to obtain access to resources and data.




Education and Documentation

Throughout this chapter, we have discussed the importance of protecting data so that unauthorized persons are not able to view information. However, there are times when sharing information is necessary to the security of a network. After all, policies are useless if no one is able to read them, and procedures are worthless if the people who require them are unaware of their existence. Not sharing facts about the system, the best practices to follow, and other important details may create a situation that puts security at risk.

Education and documentation are vital parts of any secure system. Knowledgeable users can be an important line of defense, as they will be better able to avoid making mistakes that jeopardize security, identify problems, and report them to the necessary persons. Proper documentation is imperative to security, as good diagrams, well thought out procedures, quality knowledge bases, and other papers dealing with security can make the difference in solving problems quickly. The following sections look at a number of ways to create an environment that enhances security through these methods.




                                                                              www.syngress.com