Access Control Fundamentals

In information security, access control is imperative to ensure confidentiality, integrity, and availability. Controlling who has access to a system and the breadth of access a user has is vital to ensure the security of systems and data on the systems. Read this article to understand the terms access control, access, subject, and resource. Note the challenges, the principles, the criteria, and the practices used in access control.

5. Access Control Practices

Deny access to systems by undefined users or anonymous accounts.
Limit and monitor the usage of administrator and other powerful accounts.
Suspend or delay access capability after a specific number of unsuccessful logon attempts.
Remove obsolete user accounts as soon as the user leaves the company.
Suspend inactive accounts after 30 to 60 days.
Enforce strict access criteria.
Enforce the need-to-know and least-privilege practices.
Disable unneeded system features, services, and ports.
Replace default password settings on accounts.
Limit and monitor global access rules.
Ensure that logon IDs are nondescriptive of job function.
Remove redundant resource rules from accounts and group memberships.
Remove redundant user IDs, accounts, and role-based accounts from resource access lists.
Enforce password rotation.
Enforce password requirements (length, contents, lifetime, distribution, storage, and transmission).
Audit system and user events and actions and review reports periodically.
Protect audit logs.