Question

You are hired in “Global IT Professional Pty Ltd” as an IT System advisor. The IT manager asked you to come with 15 lines report about Access Control Policies and choose the best category for you company with more than 17,000 employees. You need to explain why you have chosen that Access Policy. [16 Marks]

Answer 1

Typically, system administrators at the top of organizational and governmental agencies ascertain which individuals or systems will be given access to information. The access control policy outlines the controls placed on both physical access to the computer system (that is, having locked access to where the system is stored) and to the software in order to limit access to computer networks and data.

Access control policies provide details on controlling access to information and systems, with these topics typically covered at some length: the management of a number of key issues, including access control standards, user access, network access controls, operating system software controls, passwords, and higher-risk system access; giving access to files and documents and controlling remote user access; monitoring how the system is accessed and used; securing workstations left unattended and securing against unauthorized physical access; and restricting access.

Access is granted using a set of steps to make sure this user can access the requested resources. These steps are typically:

1. Identification
2. Authentication
3. Authorization

Mainly there are three types of access control policies;

Types of Access Control

Access control types include the following three that we'll look at one at a time.

1. Administrative Access Control- It sets the access control policies and procedures for the whole organization, defines the implementation requirements of both physical and technical access control, and what the consequences of non-compliance will be.

2. Physical access control It is critical to an organization's security and applies to the access or restriction of access to a place such as property, building, or room. Some examples are fences, gates, doors, turnstiles, etc., using locks, badges, biometrics (facial recognition, fingerprints), video surveillance cameras, security guards, motion detectors, man-trap doors, etc. to allow access to certain areas.

3. Technical or Logical Access Control - It limits connections to computer networks, system files, and data. It enforces restrictions on applications, protocols, operating systems, encryptions, mechanisms, etc.

There are three types of access control policies models;

• Mandatory Access Control (MAC)
• Role Based Access Control (RBAC)
• Rule Based Access Control (RBAC)

Hopefully, I have convinced you to take a closer look at RBAC. RBAC is nothing more than the idea of assigning system access to users based on their role within an organization. The system needs of a given workforce are analyzed, with users grouped into roles based on common job responsibilities and system access needs. Access is then assigned to each person based strictly on their role assignment. With tight adherence to access requirements established for each role, access management becomes much easier.

With the proper implementation of RBAC, the assignment of access rights becomes systematic and repeatable. Further, it is much easier to audit user rights, and to correct any issues identified.

RBAC may sound intimidating, but it can in reality be easy to implement, and will make the ongoing management of access rights much easier and more secure.

The following steps are required to implement RBAC:

1. Define the resources and services you provide to your users (e.g., email, CRM, file shares, cloud apps) .
2. Create a mapping of roles to resources from step 1 such that each function can access resources needed to complete their job.
3. Create security groups that represent each role.
4. Assign users to defined roles by adding them to the relevant role-based groups.
5. Apply groups to access control lists on the resources (e.g., folders, mailboxes, sites) that contain data