Wikia

The IT Law Wiki

Access control

31,971pages on
this wiki
Talk0

Definitions Edit

Access control (sometimes abbreviated as AC):

  • is "[t]he process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., federal buildings, military establishments, and border crossing entrances)."[7]
  • is "[t]he mechanisms for limiting access to certain information based on a user's identity and membership in various predefined groups. Access control can be mandatory, discretionary, or role-based."[9]

Overview Edit

A basic management objective for any organization is to protect the resources that support its critical operations and assets from unauthorized access. Organizations accomplish this by designing and implementing controls that are intended to prevent, limit, and detect unauthorized access to computer resources (e.g., data, programs, equipment, and facilities), thereby protecting them from unauthorized disclosure, modification, and loss.

There are two types of access control: physical access control and logical access control.

Specific access controls include system boundary protections, identification and authentication of users, authorization restrictions, cryptography, protection of sensitive system resources, and audit and monitoring procedures. Without adequate access controls, unauthorized individuals, including intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or for personal gain. In addition, authorized users could intentionally or unintentionally modify or delete data or execute changes that are outside of their authority.

Forms of access controls Edit

Controlling access can be based on any or a combination of the following:

  • User identity
  • Role memberships
  • Group membership
  • Other information known to the system.

By controlling who can use an application, database record, or file, an organization can help to protect that data. It is particularly important to control who is allowed to enable or disable the security features or to change user privileges.

Users need to ensure that secure applications sufficiently manage access to data that they maintain. Access control includes any or all of the following: knowing who is attempting access, mediating access according to some processing rules, and managing where or how data is sent.

  • Identity-based Access Control. A security policy based on comparing the identity of the subject (user, group of users, role, process, or device) requesting access and the authorizations for this identity associated with the object (system resource) being accessed.
  • Information Flow Control. Information flow policies dictate whether information with a particular characteristic can move from one controlled entity (container or subject) to another. Information flow control is based on some fundamental characteristic of the information (not the container), and might not involve an identifiable subject.

References Edit

  1. Compendium of Approved ITU-T Security Definitions, at 2.
  2. Framework for Cyber-Physical Systems, at 5.
  3. NIST, FIPS 31.
  4. Cryptography's Role in Securing the Information Society, App. B, Glossary, at 353.
  5. ISO/IEC 18028-2: 2006-02-01.
  6. RFC 2828.
  7. FIPS 201.
  8. Technology Assessment: Cybersecurity for Critical Infrastructure Protection, at 44.
  9. Privacy Technology Focus Group Final Report, App. B, at 49.
  10. Intelligence Community Standard 700-01, at 2.

See also Edit

Around Wikia's network

Random Wiki