Access Control Program
Introduction
Access control refers to the restriction, by the owner, of access to a property, a room, data or files in an office so that unauthorized persons are kept out. There are two main types of access controls: physical and logical access controls. Firstly, this paper discusses the seven primary categories of access control. They include Rule Based Access Control, Role-based Access Control, Mandatory Access Control, History Based Access Control, Discretionary Access Control, Attribute Based Access Control, and Web Based Access Control. Secondly, it discusses the logical and physical control programs that management should implement to detect any suspicious activity that happens within a network. They include computer control, personnel control, network segregation, perimeter security, supervisory structure, and data backup.
The primary categories of access control system that managers may choose from include Role-Based Access Control (RBAC), which grants access based on the job position of an employee. Managers can use the program to determine who created a network account, because only network administrators have permission to conduct such tasks. RBAC is mainly based on context (Zhang, 2019). They can also use this type of access control to determine the identity of a person who accessed premises or facilities that they were not allowed into, and at what time this took place. RBAC should be implemented in an administrative way because it is a type of access control that follows rules under which only network administrators have permission to conduct certain tasks.
Mandatory Access Control (MAC) does not give users much freedom to choose who can have access to their files. In this type of access control, the operating system grants or denies access to subjects. In practice, the subject is a process or thread acting on files and memory. Managers would use this type of access control to know who accessed confidential or top secret data without permission. MAC should be implemented in a logical way because it is an access control that is enforced by the operating system (Cicnavi, 2012). History-based access control (HBAC) grants or declines access based on an assessment of the history of activities of the requesting individual, for instance the content of their requests and the time between their different requests. Managers would use this access control to know who had access to certain data or services, who did not, and at what time. HBAC should be implemented in a logical way because the history of the workers is stored in a computer system.
Rule based access control is a type of access control in which an operating system grants or denies an individual access for an operation according to the rules given to it through programming. This type of access control should be implemented by managers to control access to some programs (Branchman, 2006). Rule Based Access Control should be implemented in a logical way because it is a type of access control that uses computer programs. In Discretionary Access Control (DAC), the owners of the data determine the individuals that can access specific data or resources. Managers can use this type of access control to determine who can have access to their sensitive information and data. Managers should implement DAC in an administrative way because it is a rule-based type of access control (Cicnavi, 2012).
Attribute Based Access Control (ABAC) is a type of access control that grants access depending on an assessment of attributes. Access is granted or denied depending on the arbitrary attributes of the object and those of the user. It is a logical access model that evaluates rules against the attributes of the entity that is requesting access to an operation or an environment. This type of access control should be implemented in a logical way because it is a logical access control (Vincent et al., 2014). A Web Based Access Control system provides access to a network remotely. It can cover entry points anywhere in the world and can be controlled from different sites at the same time. It can incorporate both wireless and cable networks to manage locks and readers. This type of access control should be implemented in a logical way because it uses the internet from a computer to grant or deny access to a network (Kisi).
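To make the differences between the models above concrete, the following added example (not from this paper or any cited source) is a small reference monitor that evaluates one request under RBAC, MAC, DAC, ABAC and HBAC at once. The label lattice, the business-hours ABAC rule, the request-rate HBAC rule and all users and resources are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
LEVELS = {"public": 0, "confidential": 1, "top_secret": 2}  # MAC lattice (constructed)
ROLE_PERMS = {"network_admin": {"create_account", "read", "write"},  # RBAC: permissions
              "staff": {"read"}}                                    # attach to roles

@dataclass
class User:
    name: str
    roles: set
    clearance: str                             # MAC label of the subject
    attrs: dict = field(default_factory=dict)  # ABAC attributes

@dataclass
class Resource:
    name: str
    owner: str                                 # DAC: owner grants access to others
    label: str                                 # MAC label of the object
    acl: dict = field(default_factory=dict)    # DAC: user -> set of operations
    attrs: dict = field(default_factory=dict)  # ABAC attributes

def rbac_allows(user, op):
    return any(op in ROLE_PERMS.get(r, set()) for r in user.roles)

def mac_allows(user, res, op):
    # Assumed label rule: no read above your clearance, no write below it
    u, r = LEVELS[user.clearance], LEVELS[res.label]
    return u >= r if op == "read" else u <= r

def dac_allows(user, res, op):
    return user.name == res.owner or op in res.acl.get(user.name, set())
def abac_allows(user, res):
    # Assumed rule: same department and within business hours (08:00-18:00)
    return (user.attrs.get("dept") == res.attrs.get("dept")
            and 8 <= user.attrs.get("hour", -1) < 18)

def hbac_allows(history, now, limit=3, window=60):
    # History-based: deny once the requester made `limit` calls in the window
    return sum(1 for t in history if now - t < window) < limit

def decide(user, res, op, history=(), now=0):
    """Run every model; the request is granted only when all of them allow it."""
    d = {"rbac": rbac_allows(user, op), "mac": mac_allows(user, res, op),
         "dac": dac_allows(user, res, op), "abac": abac_allows(user, res),
         "hbac": hbac_allows(history, now)}
    d["granted"] = all(d.values())
    return d
ALICE = User("alice", {"network_admin"}, "top_secret", {"dept": "finance", "hour": 10})  # constructed
BOB = User("bob", {"staff"}, "confidential", {"dept": "finance", "hour": 10})            # constructed
PAYROLL = Resource("payroll", "alice", "top_secret", {"bob": {"read"}}, {"dept": "finance"})
```

Calling decide(BOB, PAYROLL, "read") shows the point of the comparison: the owner's DAC entry and Bob's role both allow the read, but the MAC label check alone denies it, so the combined decision is a denial.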
The logical or technical controls that managers would implement to detect any suspicious activity that occurs on a network include policies and procedures. Basically, security policies are plans that show the intentions of the management within an organization: the risk levels that the company is willing to accept and the actions that are considered acceptable (Collins, 2013). Computer control is a measure that managers should implement. Each computer in the organization can have a physical control installed and configured, for instance locks, to ensure that the internal parts cannot be stolen, or the CD-ROM and floppy drives can be removed to prevent any confidential information from being copied. Computer control can be implemented in a physical way because it uses locks to control access to a computer. Another control is personnel controls, which demonstrate how employees are expected to interact with security mechanisms and address non-compliance issues related to these expectations. It should be implemented in an administrative way because the administration gives its employees guidance on how to interact with the security mechanisms. Another control is network segregation, which can be implemented through both technical and logical means. A section of the network containing the web servers, routers and switches can be kept separate from the employee workstations.
Another control is perimeter security. It is usually implemented on the basis of the company and the security requirements of the business environment. For instance, one environment may require that employees be authorized by a security guard after showing their identity cards, while another environment may require no authentication for access to the premises. It should be implemented in a physical way because access is granted or denied by a security guard upon verification of a tangible ID card (Undercoffer, Avancha, Joshi, & Pinkston, 2002).
Through the implementation of a supervisory structure, the organization’s management should create a structure that makes managers responsible for their employees and requires them to take a vested interest in their activities. It should be implemented in a logical way because the administration makes the supervisory structure (Collins, 2013). Data backups should also be implemented as a control. Data should be backed up as a measure of ensuring that information can be retrieved after an emergency such as data loss or a disruption of the system or network. It is implemented in a logical way because this kind of control uses computer programs for backup. Examples of technical controls include the installation of a firewall, antivirus, audit logs, encryption, routers, and alarms and alerts.
Since many senior executives are concerned that the IT systems would not be able to handle incidents, I would recommend that the management implement RBAC. This would help them control which personnel can access the company networks and perform specific operations during a catastrophe. This is to ensure that no unauthorized individuals can access the company’s data and sensitive information at that time (Ferraiolo, Kuhn, & Chandramouli, 2003). Only staff members with the appropriate assigned roles have permission to perform the operations that those roles require.
Physical access controls are used by companies to protect their hardware setups from unauthorized physical access, using the same security procedures that protect their trade secrets and everything else at their geographic location. These physical protections include security gates on the premises, ID badges, and more advanced security measures like biometric identification. In addition, the company should adopt a security method of identifying key users who are vetted and given security clearance (Collins, 2013). This would be a good measure to ensure that no unauthorized personnel can access the premises during a catastrophe.
Logical access controls, on the other hand, are protocols and tools that are used for identification, accountability, authorization, and authentication in computer information systems. Logical access is needed for remote access to hardware where equipment is used and stored. It enforces the access control measures for programs, systems, information, and processes. These controls can be built into applications, operating systems, added security packages, and databases. Logical controls protect the systems, data, and networks, and also the environment that protects them.
In conclusion, the seven primary categories of access control are Rule Based Access Control, Role-based Access Control, Mandatory Access Control, History Based Access Control, Discretionary Access Control, Attribute Based Access Control, and Web Based Access Control. There are also several technical and logical controls that should be implemented by managers to detect any suspicious activity in a network.
References
Branchman, B. (2006). Rule Based Access Control. IBM Developer. Retrieved from: https://www.ibm.com/developerworks/library/ws-soa-access/
Collins, L. (2013). Access controls in Cyber Security and IT Infrastructure Protection. Science Direct. Retrieved from: https://www.sciencedirect.com/topics/computer-science/logical-access-control
Cicnavi (2012). Overview of Four Main Access Control Models. Utilize Windows. Retrieved from: https://www.utilizewindows.com/overview-of-four-main-access-control-models/
Ferraiolo, D., Kuhn, D. R., & Chandramouli, R. (2003). Role-based access control. Artech House. Retrieved from: https://eprints.usq.edu.au/5979/2/Little_Best_MAJ_v18n5_AV.pdf
Undercoffer, J., Avancha, S., Joshi, A., & Pinkston, J. (2002, October). Security for sensor networks. In CADIP Research Symposium (pp. 25-26). Retrieved from: https://www.csee.umbc.edu/csee/research/cadip/2002Symposium/sensor-ids.pdf
Vincent et al. (2014). Guide to Attribute Based Access Control (ABAC) Definitions and Considerations. NIST Special Publication 800-162. Retrieved from: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-162.pdf
Zhang, E. (2019). What is Role-Based Access Control? Examples, Benefits, and More. DataInsider. Retrieved from: https://digitalguardian.com/blog/what-role-based-access-control-rbac-examples-benefits-and-more