Role of Access Control
Explain the role of access control in an organisation and the primary categories used to define access to data
Role of access control
Access control is a set of protocols that act as gatekeepers, blocking unauthorised users and devices from accessing a private network or giving only restricted access to external users. The policies prevent unwanted intruders from entering the network and prevent data from leaving it. Access controls can be administrative, technical or physical. Administrative control is the set of policies and procedures implemented by system administrators to give the right level of privileged access to a company’s resources; it also includes HR putting together training. Physical control is equipment used to physically control access to a place, such as surveillance cameras, biometric scanners, identity badges and alarm systems. Technical control is the use of networking and IT skills to configure access control lists, firewalls and network authentication, or to encrypt data at rest or in transit.
Primary categories used to define access to data
Directive
A directive access control is a set of guidelines, instructions or procedures employees must adhere to in order to remain compliant with the security policies. Administrative controls include employee handbooks, instruction signs on a wall, inductions and mandatory awareness training. Technical controls can be a warning banner on a web page or on-screen options that encourage employees to select the recommended choice. A physical control can be a security guard.
Preventative
A preventative access control aims to stop unauthorised access before it happens. Administrative controls include hiring and termination policies, separation of duties and data classification. Technical controls include firewalls, multi-factor authentication and antivirus software. Physical controls include fences, gates, locks and mantraps.
Compensating
A compensating access control is a substitute that takes over when the first line of defence fails. Administrative controls include supervision for senior guidance and job rotation for broad knowledge. Technical controls include keystroke logging, segmenting the network so that if one segment is compromised the others remain safe, and HTTPS and SSL. Physical controls can be CCTV and layered defence, such as turnstiles at the main entrance and badged access at every door inside the building.
Detective
A detective access control detects a security breach and raises the alarm to the designated personnel, who could be a security guard, a SOC analyst, etc. There may also be automated containment. Administrative controls include audit logs, review of unauthorised changes and review of access rights. Technical controls may include monitoring an intrusion detection system (IDS) or creating honeypots to entrap hackers. Physical controls to detect trespassers or unauthorised staff include CCTV and motion sensors.
Corrective
A corrective access control is a tool to rectify or contain a security breach. This could be applying a patch to eliminate identified vulnerabilities and reduce the likelihood of the same incident recurring, or limiting the effects or spread of a virus by disconnecting computers from a breached network. Administrative controls include implementing a business continuity plan and reporting to the Information Commissioner’s Office within 72 hours. Technical controls include vulnerability patching, rebooting a system and quarantining a virus. Physical controls include repairing physical damage and reissuing access cards.
Recovery
A recovery access control is a set of procedures to restore the business, its computer systems and its data to their normal condition after a security breach. An administrative control could be implementing a disaster recovery plan (DRP). A technical control could be restoring from backups. A physical control could be reconstructing a building, a fence, etc.
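To show how the preventative, detective and corrective categories described above combine along a single technical access path, here is an added Python example (not part of the original answer). The ACL entries, the payroll.db resource, the user names and the lockout threshold of three denials are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample access control list (preventative control): anything
# not listed is denied by default.
ACL = {
    ("alice", "payroll.db"): {"read"},
    ("bob", "payroll.db"): {"read", "write"},
}
MFA_REQUIRED = {"payroll.db"}   # preventative: MFA needed before any access
LOCKOUT_THRESHOLD = 3           # corrective: contain after three denials (constructed value)


@dataclass
class Monitor:
    audit_log: list = field(default_factory=list)  # detective: audit trail
    failures: dict = field(default_factory=dict)   # detective: per-user denial counter
    alerts: list = field(default_factory=list)     # detective: alarms raised to the SOC
    locked: set = field(default_factory=set)       # corrective: contained accounts


def check_access(mon: Monitor, user: str, resource: str, action: str, mfa_ok: bool) -> str:
    """Return 'allow', 'deny' or 'locked', recording the decision in the monitor."""
    if user in mon.locked:
        decision = "locked"                       # corrective control already applied
    elif resource in MFA_REQUIRED and not mfa_ok:
        decision = "deny"                         # preventative: multi-factor authentication
    elif action in ACL.get((user, resource), set()):
        decision = "allow"                        # preventative: ACL permits this action
    else:
        decision = "deny"                         # preventative: default deny
    # Detective control: every decision, allowed or not, lands in the audit log.
    stamp = datetime.now(timezone.utc).isoformat()
    mon.audit_log.append((stamp, user, resource, action, decision))
    if decision == "deny":
        mon.failures[user] = mon.failures.get(user, 0) + 1
        if mon.failures[user] >= LOCKOUT_THRESHOLD:
            # Detective: raise the alarm; corrective: contain the account.
            mon.alerts.append(f"{user}: {mon.failures[user]} denials on {resource}")
            mon.locked.add(user)
    return decision
```

Unlocking the account after a reviewer has checked the alerts would be the recovery step, which this example leaves to the administrator.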