Why must passwords be stored as salted hashes, and what algorithms are currently recommended?
Why hashed: passwords must not be stored in plaintext or with reversible encryption. If the database is breached, plaintext or reversible passwords are immediately usable. Hashing is one-way — the stored value cannot be reversed to the original password. Why salted: salt (unique random value per user) is added before hashing, ensuring identical passwords produce different hashes. This defeats rainbow tables (pre-computed hash tables for common passwords). Recommended algorithms: bcrypt, Argon2, PBKDF2 — all are intentionally slow to increase brute-force cost. Deprecated: MD5 and SHA-1 without salt — too fast, no salt, known vulnerabilities. SHA-256 unsalted is also insufficient for password storage due to speed.
What does NIST SP 800-63B say about password complexity and change frequency?
NIST SP 800-63B (Digital Identity Guidelines) represents a significant departure from older password guidance: Length over complexity: minimum 8 characters; longer is better; length contributes more to entropy than character class requirements. No mandatory periodic changes: do NOT require password changes on a fixed schedule (e.g., every 90 days) unless there is evidence of compromise. Periodic forced changes drive users toward predictable patterns (Password1! → Password2!). Check against breached password lists: verify new passwords against known-breached password databases. No complexity hints or security questions: security questions are weak; do not use them. Modern guidance: length + breach checking + MFA is more effective than complex character requirements + forced rotation.
What are the four access control models, and what determines access in each?
MAC (Mandatory Access Control): system-enforced classification labels (Top Secret, Secret). Users cannot grant or receive access beyond their clearance. System enforces policy, not users. Government/military. DAC (Discretionary Access Control): resource owners decide who can access their resources at their discretion. Standard OS file permissions (Windows/Linux). Flexible but allows users to make access mistakes. RBAC (Role-Based Access Control): access determined by job role. Users inherit permissions of their role(s). Most common enterprise model. Scalable: change the role, not individual permissions. ABAC (Attribute-Based Access Control): multiple attributes evaluated: user attributes + resource attributes + environment (time, location, device). Finest-grained control; used in cloud and zero-trust environments.
When must access be removed upon employee separation, and why?
When: access must be removed on the last day of employment — immediately upon separation, not days or weeks later. The access control standard must specify this timing and mandate that HR and IT coordinate to ensure same-day removal. Why immediate removal: (1) Disgruntled employees: a terminated employee with active credentials may access systems to exfiltrate data or cause damage during the gap period. (2) Stolen credentials: if credentials were compromised near separation, an attacker can use them during any gap period. (3) Principle of least privilege: access exists only as long as business justification exists; separation ends the justification immediately. Also: physical access removal (badge deactivation) must be simultaneous with logical access removal.
What physical security access level applies to employees, visitors, and contractors?
Employees: background-checked; issued permanent photo ID badge; access based on job role; permitted in general areas and role-specific restricted areas. Visitors: not vetted; temporary visitor badge (visually distinct); must be signed in; must be escorted at ALL times in restricted areas; visitor log maintained. Contractors: background-checked; access limited to specific areas and timeframes required for contracted work; may require escort in sensitive areas; access immediately revoked on contract completion. Key distinction: visitors are escorted always; contractors may work independently in authorized areas but access ends with contract. All three levels are defined in the physical security standard — different personnel categories require different treatment.
What three data states require encryption, and what technology applies to each?
Data at rest: stored on disks, databases, backups, USB drives. Technology: AES-256 full-disk encryption (BitLocker, FileVault, LUKS); database column/tablespace encryption; encrypted backup archives. Data in transit: moving across networks. Technology: TLS 1.2 minimum (TLS 1.3 preferred); deprecated SSL, TLS 1.0/1.1 prohibited; VPN (IPsec/SSL-VPN) for remote access; SFTP instead of FTP. Data in use: actively being processed in memory. Technology: hardware trusted execution environments (TEE), secure enclaves (Intel SGX, AMD SEV). Emerging area; many organizations do not yet have formal standards. Key principle: encryption requirements should match data sensitivity; PII and financial data typically require stronger requirements than internal data.
What is ISO/IEC 27001, and what does achieving certification demonstrate?
ISO/IEC 27001: the international standard for information security management systems (ISMS). Provides a framework for establishing, implementing, maintaining, and continually improving information security. Certification process: the organization implements an ISMS, then undergoes an independent third-party audit to verify compliance with the standard. Certification is awarded after the audit confirms conformance. What certification demonstrates: to customers, partners, and regulators that the organization's security management meets an international standard, verified by an independent auditor. Key features: risk-based approach (controls selected based on identified risks); Annex A catalog of 93 controls; PDCA continuous improvement cycle; scope can be entire org or defined subset. Not a technical certification — it certifies the management system.
How does RBAC work, and why is it the most common enterprise access control model?
RBAC mechanics: administrators define roles corresponding to job functions (Accountant, HR Manager, IT Admin, Read-Only User). Each role is assigned specific permissions. Users are assigned to one or more roles and inherit all permissions of their assigned roles. Why most common in enterprise: (1) Scalable — adding a new employee means assigning a role, not manually configuring hundreds of individual permissions. (2) Consistent — all users with the same role have identical permissions, reducing inconsistency errors. (3) Auditable — access reviews check role assignments, not individual permissions. (4) Change-efficient — changing a job function means changing the role's permissions once, affecting all role members simultaneously. Works well when job functions are well-defined and relatively stable.
What is the difference between a security policy and a security standard?
Policy: high-level document stating what must be achieved and why. Approved by senior management. Sets requirements. Example: "Passwords must be stored securely." Does not specify how. Standard: specific, measurable requirements derived from policy. Specifies the exact technical or procedural implementation. Example: "Passwords must be stored using bcrypt with minimum cost factor 12 and a unique random 16-byte salt per password." Bridges the gap between policy intent and technical implementation. Hierarchy: Policy → Standard → Procedure (step-by-step instructions for implementing the standard) → Guidelines (non-mandatory recommendations). Standards are mandatory; guidelines are optional. Auditors check whether standards are met, not whether guidelines are followed.
What are the NIST SP 800-53, 800-63B, and CSF, and what does each address?
NIST SP 800-53: Security and Privacy Controls for Federal Information Systems. Comprehensive catalog of security controls organized by family (AC, AU, IA, etc.). Mandatory for US federal agencies; basis for FedRAMP cloud authorization. NIST SP 800-63B: Digital Identity Guidelines. Provides specific guidance for authentication, password standards (length over complexity, no forced rotation, breached password checking), and identity proofing. NIST CSF (Cybersecurity Framework): risk management framework with five functions (Identify, Protect, Detect, Respond, Recover). Voluntary; widely adopted by private industry as a security program maturity baseline. Relationship: CSF provides the program structure; 800-53 provides the control catalog; 800-63B provides authentication-specific standards. All three are NIST publications but serve different purposes.
What four areas must a comprehensive organizational security standards program cover?
Security standards programs must cover four primary areas: (1) Password standards: complexity, storage (hashed/salted), reset process, change frequency, authentication methods, password manager support. (2) Access control standards: access control model (MAC/DAC/RBAC/ABAC), approval process for granting access, review process, removal on termination/expiry/contract end. (3) Physical security standards: employee/visitor/contractor classification, electronic locks, biometrics, monitoring, escort requirements, offboarding. (4) Encryption standards: approved algorithms, key lengths, protocols; data at rest, in transit, and in use requirements; deprecated protocol prohibitions. Standards in all four areas translate policy requirements into specific measurable technical and procedural requirements that can be audited.
What is ABAC, and in what environments is it used instead of RBAC?
ABAC (Attribute-Based Access Control): access decisions are made by evaluating multiple attributes simultaneously. Attribute categories: User attributes (department, clearance level, certification, employment type). Resource attributes (data classification, owner, creation date). Environmental attributes (time of day, location, device type, network). Example policy: "Allow access IF user.department=Finance AND resource.classification=Financial AND environment.time=BusinessHours AND environment.device=ManagedDevice." When used instead of RBAC: when RBAC roles become too numerous and complex (role explosion), when access requires dynamic fine-grained decisions (cloud environments, zero-trust architectures), or when regulatory requirements mandate attribute-based decisions (location-based access controls, time-based restrictions). More flexible than RBAC but more complex to configure and audit.