Information Security – Access Controls

One way of categorizing access controls is defining what they do. There are three different kinds of implementation: administrative, physical, and technical/logical (Peltier, 2013).

Administrative controls are the policies and procedures and are useful for dealing with insider threats. Physical controls are security guards, cameras, locks on doors and equipment. Technical controls are the encrypted devices like smart cards, biometrics readers, transmission protocols, which protect information systems and the information contained within.

The main access control models include the following

  1. Mandatory Access Control (MAC) – granting access by system policy. Often used with sensitive government systems where the system is top secret and confidential. It relies on sensitivity labels for data and classification levels for users.

    • Discretionary Access Control (DAC) – DAC is considered to be the more common access control model. Access permission is identity-based. All objects have an owner who grants access permission. Windows is an example of DAC. Creating a file in Windows makes you the owner automatically.
    • Role Based Access Control (RBAC) – Referred to as nondiscretionary access control and users are granted access based on their job or role within the organization. This model works well for organizations with a constant turnover of personnel (Peltier, 2013).

    • User Access Management – Ensures that only those with authorization have access to the system and those that don’t have the authority are kept out. ISO 27002 defines where user access management is to be used (Layton, 2016):

      1. User registration – It describes the way users access the system and the type of access allowed.
      2. Privilege Management – Used to adjust access when job or responsibilities change for the user within the organization. The principle of least privilege is applied, always grant the least privilege needed to accomplish the task.
      3. Password Management – Determines the length of passwords, the formatting of passwords, how often should they change, how long between changes can the same password be used again?
    • Unattended User Equipment – Defines how long an unattended laptop runs before being timed out and shutting down to prevent accessing information.


Layton, T. P. (2016). Information Security: Design, Implementation, Measurement, and Compliance. Boca Raton, FL: CRC Press.

Peltier, T. R. (2013). Information Security Fundamentals, Second Edition. Boca Raton, FL: CRC Press.