Access Control Fundamentals

In information security, access control is imperative to ensure confidentiality, integrity, and availability. Controlling who has access to a system and the breadth of access a user has is vital to ensure the security of systems and data on the systems. Read this article to understand the terms access control, access, subject, and resource. Note the challenges, the principles, the criteria, and the practices used in access control.

8. Access Control Categories

8.1. Administrative

The administrative controls are defined by the top management in an organization.


Administrative Control Components

Policy and Procedures
  • A security policy is a high-level plan that states management’s intent pertaining to how security should be practiced within an organization, what actions are acceptable, and what level of risk the company is willing to accept. This policy is derived from the laws, regulations, and business objectives that shape and restrict the company.
  • The security policy provides direction for each employee and department regarding how security should be implemented and followed, and the repercussions for noncompliance. Procedures, guidelines, and standards provide the details that support and enforce the company’s security policy.


Personnel Controls
  • Personnel controls indicate how employees are expected to interact with security mechanisms, and address non-compliance issues pertaining to these expectations.
  • Change of Status: These controls indicate what security actions should be taken when an employee is hired, terminated, suspended, moved into another department, or promoted.
  • Separation of duties: Duties should be separated so that no single individual can, acting alone, carry out a critical task that could prove detrimental to the company.

Example: A bank teller who has to get supervisory approval to cash checks over $2000 is an example of a separation of duties. For a security breach to occur, it would require collusion, which means that more than one person would need to commit fraud, and their efforts would need to be concerted. The use of separation of duties drastically reduces the probability of security breaches and fraud.

  • Rotation of duties means that people rotate jobs so that they know how to fulfill the obligations of more than one position. Another benefit of rotation of duties is that if an individual attempts to commit fraud within his position, detection is more likely to happen if there is another employee who knows what tasks should be performed in that position and how they should be performed.
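The bank teller example above, turned into an enforceable check as an added illustration (this is not code from the original article). It assumes hypothetical `teller` and `supervisor` roles and a constructed $2000 threshold: a teller may cash small checks alone, anything over the threshold needs approval from a different person who holds the supervisor role, and a person approving their own request is rejected outright.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed threshold from the article's teller example: cashing a check
# over this amount requires a second person (a supervisor) to approve it.
APPROVAL_THRESHOLD = 2000.00


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)  # hypothetical role names


@dataclass
class CheckRequest:
    amount: float
    requested_by: User
    approved_by: Optional[User] = None


class SeparationOfDutiesError(PermissionError):
    """Raised when one person would complete a critical task alone."""


def can_cash(req: CheckRequest) -> bool:
    """Apply the separation-of-duties rule to a check-cashing request.

    Rules (modelled on the article's example, not a real bank's policy):
      * the requester must hold the 'teller' role;
      * at or below the threshold a teller may act alone;
      * above the threshold a distinct user with the 'supervisor' role
        must have approved the request.
    Self-approval raises rather than returning False so that it is
    logged and investigated as a control violation, not a routine denial.
    """
    if "teller" not in req.requested_by.roles:
        return False
    if req.amount <= APPROVAL_THRESHOLD:
        return True
    if req.approved_by is None:
        return False
    if req.approved_by.username == req.requested_by.username:
        raise SeparationOfDutiesError(
            f"{req.requested_by.username} cannot approve their own request")
    return "supervisor" in req.approved_by.roles
```

Note that a user holding both roles still cannot approve a check they requested themselves; the control is about two distinct people, not two distinct roles.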


Supervisory Structure
  • Management must construct a supervisory structure that holds managers responsible for their employees and requires them to take a vested interest in their activities. If an employee is caught hacking into a server that holds customer credit card information, both that employee and her supervisor will face the consequences.


Security-Awareness Training
  • This control helps users/employees understand how to properly access resources, why access controls are in place, and the ramifications of not using the access controls properly.


Testing
  • This control states that all security controls, mechanisms, and procedures are tested on a periodic basis to ensure that they properly support the security policy, goals, and objectives set for them.
  • The testing can be a drill to test reactions to a physical attack or disruption of the network, a penetration test of the firewalls and perimeter network to uncover vulnerabilities, a query to employees to gauge their knowledge, or a review of the procedures and standards to make sure they still align with business or technology changes that have been implemented.


Examples of Administrative Controls

  • Security policy
  • Monitoring and supervising
  • Separation of duties
  • Job rotation
  • Information classification
  • Personnel procedures
  • Investigations
  • Testing
  • Security-awareness and training