The InfoSec Handbook

What is an Access Control?

An access control is a security feature that controls access to systems and resources in the network. The goal of an access control is to protect information from being lost, stolen, deleted, or modified, either intentionally or accidentally, by those who are not authorized to access it. There are three methods of access:

• Network Access – Users on a network can reach all the resources on that network. Hence, network access also needs to be restricted, protected, and monitored. For example, access to the HR and finance department LAN can be restricted to the users who need it.

• System Access – Users access the systems on the network, which may be a server, a printer, or any other shared device. Access to these devices should be restricted, protected, and monitored continuously.

• Data Access – Users constantly access data held on network resources, reading and modifying files, documents, and databases. Any data that is being accessed should be restricted, protected, and monitored.

The challenge for security programs is to ensure that data is not modified or deleted by unauthorized users. Although security programs cannot improve the quality of the data, they definitely can help in protecting data by applying access controls to ensure that any changes to data are intended and applied correctly. Access controls are a very critical requirement for both commercial and government organizations to prevent fraud and errors. It is imperative that no user can modify data in a way that renders the data corrupt, causes loss of financial integrity, or makes it unreliable for appropriate decision making. Examples of government systems include the Air Traffic Control system, Social Security, the welfare system, IRS tax information, the birth and death registry, housing, and passport and military records. Examples of commercial systems include medical records, employee personal information, credit/financial reporting, the payroll system, income tax information, and customer details.

Data integrity can be protected by granting access to the resources on a need-to-know and need-to-do basis.

Various types of users need different levels of access. For example, internal users may need full access whereas external users and contractors may need read-only access. Users should be granted access based on the roles, responsibilities, and job functions that they perform. Resources should also have different classification levels. For example, documents should be classified as confidential, private, public, or internal use only. A detailed log should be maintained so that, in case of any fraud or data loss, the logs can be reviewed to find the root cause and the culprit. Access privileges should be judiciously granted on a need-to-know and need-to-do basis to ensure data is protected.
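The paragraph above describes three controls that work together: role-based grants (full access for internal users, read-only for external users and contractors), resource classification levels, and a detailed log of every access. The following is an added example, not code from The InfoSec Handbook, that combines them in one default-deny check; the role names, the clearance mapping and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Tuple

class Classification(IntEnum):
    """Document classification levels named on the page, lowest to highest."""
    PUBLIC = 0
    INTERNAL = 1
    PRIVATE = 2
    CONFIDENTIAL = 3

# Constructed policy: operations each role may perform (need-to-do) and the
# highest classification each role may see (need-to-know). A role missing
# from either table is denied everything (default deny).
ROLE_OPERATIONS = {
    "internal": {"read", "modify", "delete"},
    "external": {"read"},
    "contractor": {"read"},
}
ROLE_CLEARANCE = {
    "internal": Classification.CONFIDENTIAL,
    "external": Classification.PUBLIC,
    "contractor": Classification.INTERNAL,
}

@dataclass
class AccessControl:
    # Every decision (grant or denial) is logged so a review can trace who did what.
    audit_log: List[Tuple[str, str, str, str, str]] = field(default_factory=list)

    def check(self, user: str, role: str, op: str,
              resource: str, level: Classification) -> bool:
        """Allow only if the role permits the operation AND is cleared for
        the resource's classification; log the outcome either way."""
        allowed = (
            op in ROLE_OPERATIONS.get(role, set())
            and role in ROLE_CLEARANCE
            and level <= ROLE_CLEARANCE[role]
        )
        self.audit_log.append((user, role, op, resource,
                               "ALLOW" if allowed else "DENY"))
        return allowed

if __name__ == "__main__":
    ac = AccessControl()
    ac.check("alice", "internal", "modify", "payroll.xlsx", Classification.CONFIDENTIAL)
    ac.check("bob", "contractor", "read", "payroll.xlsx", Classification.CONFIDENTIAL)
    ac.check("bob", "contractor", "modify", "handbook.pdf", Classification.INTERNAL)
    for entry in ac.audit_log:   # ALLOW, DENY (not cleared), DENY (read-only role)
        print(entry)
```

Note that denials are logged alongside grants: a burst of DENY entries for one user is exactly the trail the paragraph says a later fraud or data-loss review needs.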
