Question


You are hired in “Global IT Professional Pty Ltd” as an IT System advisor. The IT manager asked you to come up with a 15 lines report about Access Control Policies and choose the best category for your company with more than 17,000 employees. You need to explain why you have chosen that Access Policy.

Solutions

Expert Solution

  • Access Control Policies are policies established in a system to restrict access to workstations, file rooms containing sensitive data, entry doors, etc. They regulate who can view what and who can use what, and are designed in a way to minimize risk.
  • Access cards/IDs have replaced the usage of keys in order to gain access to secured areas.
  • The five major components of Access Control are:
  1. Authentication - It is the process of validating personal identity documents, confirming the legitimacy of a website, checking login credentials, etc.
  2. Authorization - The process of specifying access rights to the resources of the company.
  3. Access - After being authenticated and authorized, the user can access the resource.
  4. Manage - The function includes adding and removing authentication and authorization of users, controlling and managing the access provided.
  5. Audit - This process is used in order to enforce the principle of least privilege. Regular audits minimize the risk of wrong accessing of resources.
  • Access Control can be designed as:
  1. Physical Access Control
  2. Logical Access Control
  • Physical Access Control regulates the access of campuses, buildings, etc.
  • Logical Access Control regulates the access of computer networks, files, username-passwords, and other sensitive data.
  • The major goal of access control is to minimize the security risk of unauthorized access to the above mentioned physical and logical systems. It ensures that the security technology and access control policies are in place to protect confidential data and information.
  • Access control policies outline the controls placed on physical access to the computer system and to the software as well, in order to restrict access to computer networks and data.
  • These policies provide details on controlling access to information and systems, management of the number of keys issued, including the access control standards, user access, network access, operating system software controls, username-passwords, and higher risk system access.
  • The three types of Access Control Systems are:
  1. Discretionary Access Control (DAC),
  2. Mandatory Access Control (MAC), and
  3. Role-Based Access Control (RBAC).
  • Discretionary Access Control is the system in which the business owner is in charge of deciding the authorizations and authentications given to the people. The owner decides which people are allowed and where they're allowed to enter, physically as well as logically. DAC is considered to be the least restrictive system when compared to others, as the end-user completely controls the security level settings for other users.
  • Mandatory Access Control is used in those organizations or institutions where an elevated emphasis on the confidentiality and classification of data and information is required. An example of such an institution can be a military one. In this system, the owner does not have a say in the entities having access in a unit or facility. MAC classifies all end users, and labels are given to them permitting the users to gain access up to their levels, based on the security provided with established guidelines.
  • Role-Based Access Control (RBAC) is the most common system often used in business. The privileges given to a user are limited and defined by their job responsibilities. Different roles/jobs have their access controls assigned to them. So, instead of assigning an individual as a security manager, the job already has access permissions assigned to it. The role-based security model depends upon a compound structure of role assignments, role authorizations and role permissions advanced using role engineering to regulate employee access to systems.
  • In the scenario described above, we could use Role-Based Access Control Policy for an IT company with more than 17,000 employees.
  • This category of access control is chosen since, in such a big company with more than 17,000 people, each one of them has their own role in the company, or several people would be having the same designation, which could be that of a developer engineer, or some may have a role of testing, and so on. The functions performed by one employee at times may overlap with each other, so to ensure openness and free flow of information, access based on roles would be a much better option to implement. The right people having a particular role would be able to access the right information, maintaining the security of the organization. Different levels of security would be provided for the business, reducing administration work and simplifying the whole system. Instead of the IT teams having to manage the security permissions given to an individual, every employee could be given permissions based on their roles, thus helping to increase the overall productivity of the organization. The result would be that insignificant workload could be reduced for the team and more important tasks would be in focus, as access controls would be defined on the basis of the role of the employee.

Comment in case of doubts.
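
The role assignments, role permissions, management and audit steps described in the answer can be sketched as a small model. This is an added example, not part of the answer above; the role names, permission strings and user names are hypothetical.

```python
from collections import defaultdict

class RBAC:
    """Users get roles; roles carry permissions; anything not granted is denied."""
    def __init__(self):
        self.role_perms = defaultdict(set)  # role permissions
        self.user_roles = defaultdict(set)  # role assignments
        self.access_log = []                # (user, permission, allowed) for audits

    def grant(self, role, *perms):
        self.role_perms[role].update(perms)

    def assign(self, user, role):
        if role not in self.role_perms:     # refuse roles nobody has defined
            raise KeyError(f"unknown role: {role}")
        self.user_roles[user].add(role)

    def revoke(self, user, role):           # "Manage": job change or leaver
        self.user_roles[user].discard(role)

    def permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms[role]
        return perms

    def check(self, user, perm):            # authorization decision, logged
        allowed = perm in self.permissions(user)
        self.access_log.append((user, perm, allowed))
        return allowed

    def unused_grants(self):
        """Audit for least privilege: permissions a role holds that no
        current member has exercised according to the access log."""
        used = defaultdict(set)
        for user, perm, allowed in self.access_log:
            if allowed:
                for role in self.user_roles.get(user, ()):
                    if perm in self.role_perms[role]:
                        used[role].add(perm)
        return {r: p - used[r] for r, p in self.role_perms.items() if p - used[r]}

def demo():
    # Constructed sample data: two roles, two employees, one unknown user.
    rbac = RBAC()
    rbac.grant("developer", "repo:read", "repo:write")
    rbac.grant("tester", "repo:read", "testenv:deploy", "prod:deploy")
    rbac.assign("alice", "developer")
    rbac.assign("bob", "tester")
    results = [rbac.check("alice", "repo:write"),
               rbac.check("alice", "testenv:deploy"),
               rbac.check("bob", "testenv:deploy"),
               rbac.check("mallory", "repo:read")]
    return results, rbac.unused_grants()
```

With 17,000 employees the administrator edits a handful of role definitions rather than per-person permission lists, and `unused_grants()` points at permissions such as the tester role's `prod:deploy` that a periodic audit would review.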

