Question

You are hired in “Global IT Professional Pty Ltd” as an IT System advisor. The IT manager asked you to come with 15 lines report about Access Control Policies and choose the best category for you company with more than 17,000 employees. You need to explain why you have chosen that Access Policy. [16 Marks]

Answer 1

Access Control Policy

Information is a valuable asset and access to it must be managed with care to ensure that confidentiality, integrity and availability are maintained.Access Control is a security technique that regulates who or what can view or use resources in a computing environment.

It is a fundamental concept in security that minimize risk to the Business or Organization.

There are two types of access control

1.Physical access control

2. Logical access control

Physical Access Control :

Physical access control limits access to campuses, buildings, rooms and physical IT assets.

Logical Access Control:

Logical access control limits connections to computer networks, system files and data.

To secure a facility, organizations use electronic access control systems that rely on user credentials, access card readers, auditing and reports to track employee access to restricted business locations and proprietary areas, such as data centers. Some of these systems incorporate access control panels to restrict entry to rooms and buildings, as well as alarms and lockdown capabilities, to prevent unauthorized access or operations.

Access control systems perform identification authentication and authorization of users and entities by evaluating required login credentials that can include passwords, personal identification numbers, biometric scans, security tokens or other authentication factors. Multifactor authentication, which requires two or more authentication factors, is often an important part of a layered defense to protect access control systems.

How access control works?

These security controls work by identifying an individual or entity, verifying that the person or application is who or what it claims to be, and authorizing the access level and set of actions associated with the username or Internet Protocol address.Organizations use different access control models depending on their compliance requirements and the security levels of information technology they are trying to protect.

Types of access control

1. Mandatory access control

2. Discretionary access control

3. Role-based access control

4. Attribute-based access control

Implementing access control

Access control is a process that is integrated into an organization's IT environment. It can involve identity management and access management systems. These systems provide access control software, a user database, and management tools for access control policies, auditing and enforcement.

When a user is added to an access management system, system administrators use an automated provisioning system to set up permissions based on access control frameworks, job responsibilities and workflows. The best practice of least privilege restricts access to only resources that employees require to perform their immediate job functions.

Challenges of access control

Many of the challenges of access control stem for the highly distributed nature of modern IT. It is difficult to keep track of constantly evolving assets as they are spread out both physically and logically.

1. Dynamically managing IT environments

2. Password Fatigue

3. Compliance Visibility

4. Data goverence and visibility through consistent reporting

Access control software

There are many types of access control software and technology, and often, multiple components are used together to maintain access control. The software tools may be on premises, in the cloud or a hybrid of both. They may focus primarily on a company's internal access management or may focus outwardly on access management for customers.

1. Reporting and Monitoring Applications

2. Password Management Tools

3. Provisioning Tools

4. Identity Repositories

5. Security Policy Enforcement Tools