Information Security – Access Controls

One way of categorizing access controls is defining what they do. There are three different kinds of implementation: administrative, physical, and technical/logical (Peltier, 2013).

Administrative controls are the policies and procedures and are useful for dealing with insider threats. Physical controls are security guards, cameras, locks on doors and equipment. Technical controls are the encrypted devices like smart cards, biometrics readers, transmission protocols, which protect information systems and the information contained within.

The main access control models include the following

  1. Mandatory Access Control (MAC) – granting access by system policy. Often used with sensitive government systems where the system is top secret and confidential. It relies on sensitivity labels for data and classification levels for users.

    • Discretionary Access Control (DAC) – DAC is considered to be the more common access control model. Access permission is identity-based. All objects have an owner who grants access permission. Windows is an example of DAC. Creating a file in Windows makes you the owner automatically.
    • Role Based Access Control (RBAC) – Referred to as nondiscretionary access control and users are granted access based on their job or role within the organization. This model works well for organizations with a constant turnover of personnel (Peltier, 2013).

    • User Access Management – Ensures that only those with authorization have access to the system and those that don’t have the authority are kept out. ISO 27002 defines where user access management is to be used (Layton, 2016):

      1. User registration – It describes the way users access the system and the type of access allowed.
      2. Privilege Management – Used to adjust access when job or responsibilities change for the user within the organization. The principle of least privilege is applied, always grant the least privilege needed to accomplish the task.
      3. Password Management – Determines the length of passwords, the formatting of passwords, how often should they change, how long between changes can the same password be used again?
    • Unattended User Equipment – Defines how long an unattended laptop runs before being timed out and shutting down to prevent accessing information.


Layton, T. P. (2016). Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: CRC Press.

Peltier, T. R. (2013). Information Security Fundamentals, Second Edition. Boca Raton, FL: CRC Press.

Website Pin Facebook Twitter Myspace Friendfeed Technorati Digg Google StumbleUpon Premium Responsive

Author: Rich Garling

Successful results-driven experience in IT program/project management, focusing on collaborating with multiple businesses and IT workstreams to define detailed business process requirements into workable enterprise software solutions for retail, finance, pharmaceutical, and inventory processes. A successful proven track record in leading cross-functional international teams of project managers while managing expectations and delivering projects of greater than $10M within stakeholder expectations. Provided an in-depth knowledge of SDLC using Agile and Waterfall project management methodologies (Scrum Master (SMC)), MS IT Management/Project Management (AMU)), and a talent for developing business requirements delivering workable technology solutions. Rich holds a Bachelor of Science in Political Science from Northern Illinois University and a Master of Science in Information Technology/Project Management from American Military University. He is currently a Project Manager III for Bradford Hammacher Group in Niles, IL/