Designing Access Controls

Comprehensive Security Policy

In each area shown in Figure 3-1, the PCU IT staff must determine the users’ needs and the type of access the users require. After a thorough needs assessment, the IT staff has gathered the following information.

Dormitories—The students need a combination of wired and wireless access for endpoints that they bring from home. At the beginning of the school year, a quarter or more of students’ endpoints are new workstations or laptops (some with wireless network interface cards [NICs], others with docking stations for wired connections), personal digital assistants (PDAs), and smartphones—all of which run various operating systems (OSs). The students possess computer expertise that ranges from good to excellent.

Classrooms—In classroom buildings, students need wireless access. Some classroom buildings have university-controlled workstations in computer labs, and faculty offices also have university-controlled wired workstations, although some professors use wireless laptops as well.

Plaza—Both students and non-students need wireless access in the plaza. The students need access to the university LAN, and the non-students need access to the Internet and limited areas of the university LAN, such as the white pages. All of the devices belong to the user. The endpoints consist of laptops, PDAs, and smartphones, all running various OSs.

Library—Students, faculty, staff, and the public need access to the network in the library. All patrons need access to the library’s online catalog. Some areas of the library have RJ-45 jacks to permit wired connections to the network, and wireless access is also available. Most of the devices belong to the users, although the library also provides public-access wired workstations that provide access to the catalog and the Internet. A few legacy terminals connect directly to the catalog database.

Administration building—Most of the endpoints in the administration building are wired workstations, and most users need access to confidential information, such as student records, loan information, and university finances. The users’ level of expertise is usually fairly low; most of them only need to use work-related applications. The endpoints consist of wired workstations, printers, and databases, as well as an IP telephone exchange that serves all of the administrative and faculty offices across campus. All of the workstations run a version of Microsoft Windows.

Engineering building—The users in the engineering building need both wired and wireless access to the university LAN, and some need access to specialized resources such as a 10-year-old UNIX supercomputer. Most of the users are highly sophisticated in their computer expertise, and a few have the skills to create and spread malware. Some endpoints belong to the students, but others belong to the university (such as those in the labs). Endpoints consist of wired workstations and wired and wireless

3-10