This is where access control requirements come into play. Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization.

In access control, there are two types of control: logical and physical.

Logical Access Control

Logical access control limits connections to computer networks, system files and data. During logical access controls, there are be strict access requirements established and separation of duties.

When a user is added to an access management system, system administrators use an automated provisioning system to set up permissions based on access control frameworks, job responsibilities and workflows. Access control systems perform identification authentication and authorization of users and entities by evaluating required login credentials that can include passwords, personal identification numbers (PINs), security tokens or other authentication factors.

As an example, we have a development project. There is the Developer, the Quality Assurance (QA) person, and the Release Manager or similar role. An example access control process would proceed in the following stages:

The Developer first develops the project. When the development stage is finished, the QA team starts running the test cases. The Developer should never sign-off on his/her code for production release. There instead needs to be a separate Quality Assurance (QA) person to test code, identify defects for the Developer to fix, and recommend code be deployed into production. Alternatively, the QA person should never deploy the tested code into production, that would be the responsibility of the Release Manager or similar role. All of these roles have their separate user login credentials with customized access controls implemented to successfully perform their specified job duties. This process follows the separation of duties, which is a strict requirement of SOX, COBIT, and other governing bodies.

Physical Access Control

Physical access control limits access to campuses, buildings, rooms and physical IT assets. To secure a facility, organizations use electronic access control systems that rely on user credentials, access card readers, auditing and reports to track employee access to restricted business locations and proprietary areas, such as data centers. Some of these systems incorporate access control panels to restrict entry to rooms and buildings as well as alarms and lockdown capabilities to prevent unauthorized access or operations.

With appropriate access controls implemented, this restricts access to only resources that an employee requires to perform their immediate job functions for business productivity and minimize vulnerabilities.

Tags : #CYBER SECURITY #ACCESS CONTROL