Access Control Program
CIS502 Theories of Security Management
At the request of the CIO, I have been asked to develop a well-organized and appropriately documented access control program and an implementation plan. In my efforts to present the requested information, I would like to reiterate the importance of implementing security features that control how users and systems communicate and interact with other systems and resources.
Beyond governing how users and systems communicate and interact with other systems and resources, access controls give the organization the ability to control, restrict, monitor, and protect the availability, integrity, and confidentiality of objects, including their information and data. Access control is the broad range of controls that force a user to provide a valid username and password to log in, thus preventing users from gaining access to a resource outside of their normal user space.
Access controls can be divided into seven primary categories of function and purpose:
- Preventative access control is deployed to stop unwanted or unauthorized activity from occurring. This form of access control might include fences, biometrics, mantraps, lighting, alarm systems or penetration testing.
- Deterrent access control is deployed to discourage the violation of security policies. A deterrent control picks up where prevention leaves off; this form will include work task procedures and awareness training.
- Detective access control is deployed to discover unwanted or unauthorized activity. Often detective controls are after-the-fact controls rather than real-time controls. Detective access controls include security guards, guard dogs, motion detectors, recording and reviewing of events seen by security cameras, job rotation, audit trails, intrusion detection systems, mandatory vacations, violation reports, and honey pots.
- Corrective access control is deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. Corrective controls have only a minimal capability to respond to access violations and often include intrusion detection systems, antivirus solutions, alarms, mantraps, business continuity planning, and security policies.
- Recovery access control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies. Recovery controls have a more advanced or complex capability to respond to access violations than a corrective access control. For example, a recovery access control can repair damage as well as stop further damage through backups, restorations, server clustering, antivirus software and database shadowing.
- Compensation access control is deployed to provide various options to other existing controls to aid in the enforcement and support of a security policy. Compensation controls are controls used in place of more desirable or damaging controls.
- Directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. This type of control includes security guards, guard dogs, security policy, posted notifications, escape route exit signs, monitoring, supervising, work task procedures, and awareness training.
Access controls can be further categorized by how they are implemented. In this case, the categories for implementation of these access controls are administrative, logical/technical, or physical. Administrative controls are defined by top management within an organization and focus on two areas: personnel and business practices (e.g., people and policies). Administrative access controls include the policies and procedures defined by an organization's security policy to implement and enforce overall access control. Technical controls, sometimes called logical controls, are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems. Physical access controls are the physical barriers deployed to prevent direct contact with systems or portions of a facility. Physical controls support and work with administrative and technical (logical) controls to supply the right degree of access control.
|Administrative Controls||Technical/Logical Control||Physical Access Control|
|Compensation Access Control||Compensation Access Control|
|Corrective Access Control||Corrective Access Control|
|Detective Access Control||Detective Access Control|
|Deterrent Access Control||Deterrent Access Control|
|Directive Access Control||Directive Access Control|
|Preventative Access Control||Preventative Access Control|
In order for the technical and logical controls managers to detect when suspicious activity has occurred on the network and have the ability to report up to administrators, these managers would have to understand the following: individual accountability, user authentication, and the ability to perform system audits. In my opinion, implementing technical and logical controls such as firewalls, protocols, encryption mechanisms, access control metrics, routers, intrusion detection systems, and clipping levels would help in these efforts.
To address a catastrophic incident, I would recommend to the managers that detective, corrective, recovery, and directive access controls be implemented with administrative and technical/logical controls. During a catastrophic event, the organization will need to determine and address the issue as quickly as possible, reducing the downtime of employees. This happens with the administrative access controls, which are the policies and procedures defined by a security policy to implement and enforce overall access control within the organization. The logical access controls are those controls that either prevent or allow access to resources once a user's identity has been authenticated.