You are hired at “Global IT Professional Pty Ltd” as an IT System advisor. The IT manager asked you to come up with a 15-line report about Access Control Policies and choose the best category for your company with more than 17,000 employees. You need to explain why you have chosen that Access Policy.
Report on Access Control Policy for “Global IT Professional Pty Ltd”
This report explains the reason behind selecting a definite Access Control Policy for “Global IT Professional Pty Ltd” company.
Following are different types of Access Control Policies:
1. MANDATORY ACCESS CONTROL (MAC):
Key points:
- Used by military.
- Emphasis on confidentiality and classification.
- Low risk and high monitoring.
- Not suitable for an IT company as it is too strict.
2. DISCRETIONARY ACCESS CONTROL (DAC):
Key points:
- Least restrictive.
- Allows complete control over objects or programs.
- High risk and low monitoring.
- Dangerous for an IT company as it can lead to security issues and malware injection.
3. ROLE-BASED ACCESS CONTROL (RBAC):
Key points:
- Moderate restriction based on roles and responsibilities.
- Provides access based on job titles.
- Restricts access to special areas.
- Most suitable for an IT firm.
Reasons for selecting ROLE-BASED ACCESS CONTROL (RBAC)
Below are the reasons for selecting "ROLE-BASED ACCESS CONTROL (RBAC)" as the Access Control Policy for “Global IT Professional Pty Ltd” company:
1. As we have 17,000 employees with job titles based on responsibilities and roles, ROLE-BASED ACCESS CONTROL (RBAC) will be suitable to grant entry to employees based on their role within the company.
2. Permissions and restrictions can be easily applied based on job titles and roles in the company.
3. Access can be changed within the company in scenarios such as promotion, hiring and changing positions.
4. ROLE-BASED ACCESS CONTROL (RBAC) doesn't provide access based on individuals, but assigns access based on specific job titles.
5. For example, if an individual is promoted to a senior management role, then he will automatically gain the access assigned to a senior manager.
6. No extra work is required to provide access based on the individual.
7. 17,000 employees can be easily segmented based on job titles.
8. Each segmented job title will be given specific access depending on job responsibilities.
9. Access can be limited or removed for job titles to restricted areas in the organization.
10. MANDATORY ACCESS CONTROL (MAC) is too strict and cannot be used in an IT company.
11. MANDATORY ACCESS CONTROL (MAC) requires micromanagement in giving access.
12. DISCRETIONARY ACCESS CONTROL (DAC) is least restrictive and cannot serve the purpose for access control in “Global IT Professional Pty Ltd”.
13. DISCRETIONARY ACCESS CONTROL (DAC) may cause virus/malware problems in projects related to IT.
14. Thus, ROLE-BASED ACCESS CONTROL (RBAC) is the most suitable access control policy for an IT company such as “Global IT Professional Pty Ltd”.
15. ROLE-BASED ACCESS CONTROL (RBAC) provides a balance between security and ease of gaining access based on job titles.
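The role-to-permission model described in the report can be sketched as follows. This is an added example, not part of the original answer; the role names, permission strings and employee ids are hypothetical, and the 17,000-person workforce is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class RBAC:
    role_perms: dict = field(default_factory=dict)  # job title -> set of permissions
    user_role: dict = field(default_factory=dict)   # employee id -> job title

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        # Hiring, promotion and transfer are the same operation: set the role.
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        self.user_role[user] = role

    def offboard(self, user):
        self.user_role.pop(user, None)

    def revoke_from_role(self, role, perm):
        # One change here affects every holder of the role.
        self.role_perms[role].discard(perm)

    def can(self, user, perm):
        # Default deny: no role (or an unknown role) means no access.
        role = self.user_role.get(user)
        return perm in self.role_perms.get(role, set())

    def grants_to_maintain(self):
        # (role-permission pairs, entries that per-individual lists would need)
        per_role = sum(len(p) for p in self.role_perms.values())
        per_user = sum(len(self.role_perms[r]) for r in self.user_role.values())
        return per_role, per_user

def demo():
    ac = RBAC()
    ac.define_role("developer", {"repo:read", "repo:write"})
    ac.define_role("senior_manager", {"repo:read", "hr:read", "budget:approve"})
    for i in range(17000):                    # constructed workforce
        ac.assign(f"emp{i}", "developer")
    before = ac.can("emp42", "budget:approve")
    ac.assign("emp42", "senior_manager")      # promotion
    after = (ac.can("emp42", "budget:approve"), ac.can("emp42", "repo:write"))
    ac.revoke_from_role("developer", "repo:write")   # restrict an area for a job title
    still = ac.can("emp7", "repo:write")
    ac.offboard("emp7")
    gone = ac.can("emp7", "repo:read")
    return before, after, still, gone, ac.grants_to_maintain()

if __name__ == "__main__":
    print(demo())
```

The promoted employee gains the senior manager's permissions and loses the developer-only one in the same step, and the final tuple compares how many grants are administered per role against what per-individual assignment would require.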