Security Solutions

Designing Access Controls
Comprehensive Security Policy
In each area shown in Figure 3-1, the PCU IT staff must determine the users’
needs and the type of access the users require. After a thorough needs
assessment, the IT staff has gathered the following information.
Dormitories—The students need a combination of wired and wireless
access for endpoints that they bring from home. At the beginning of the
school year, a quarter or more of students’ endpoints are new workstations
or laptops (some with wireless network interface cards [NICs],
others with docking stations for wired connections), personal digital
assistants (PDAs), and smartphones—all of which run various operating
systems (OSs). The students possess computer expertise that ranges from
good to excellent.
Classrooms—In classroom buildings, students need wireless access.
Some classroom buildings have university-controlled workstations in
computer labs, and faculty offices also have university-controlled wired
workstations, although some professors use wireless laptops as well.
Plaza—Both students and non-students need wireless access in the plaza.
The students need access to the university LAN, and the non-students
need access to the Internet and limited areas of the university LAN, such
as the white pages. All of the devices belong to the user. The endpoints
consist of laptops, PDAs, and smartphones, all running various operating
systems (OSs).
Library—Students, faculty, staff, and the public need access to the network
in the library. All patrons need access to the library’s online catalog.
Some areas of the library have RJ-45 jacks to permit wired connections
to the network, and wireless access is also available. Most of the devices
belong to the users, although the library also provides public-access wired
workstations that provide access to the catalog and the Internet. A few
legacy terminals connect directly to the catalog database.
Administration building—Most of the endpoints are wired workstations
in the administration building, and most users need access to
confidential information, such as student records, loan information, and
university finances. The users’ level of expertise is usually fairly low; most
of them only need to use work-related applications. The endpoints consist
of wired workstations, printers, and databases as well as an IP telephone
exchange that serves all of the administrative and faculty offices across
campus. All of the workstations run a version of Microsoft Windows.
Engineering building—The users in the engineering building need both
wired and wireless access to the university LAN, and some need access
to specialized resources such as a 10-year-old UNIX supercomputer. Most
of the users are highly sophisticated in their computer expertise, and a
few have the skills to create and spread malware. Some endpoints belong
to the students, but others belong to the university (such as those in the
labs). Endpoints consist of wired workstations and wired and wireless