A.9. Access Control
To begin with: “If you have no access control, you have no security at all.”
Access control is one of the main building blocks of information security. It must be designed to be both secure enough and acceptable to users.
The purpose of this document is to specify the rules for access to various systems, sensitive information and equipment facilities.
An access control system allows you to manage access or entry to almost anything, such as file access, workstation access, printer access and, in our case, door, facility, building or office access.
There are two main types of access control: physical and logical.
Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access limits connections to computer networks, system files and data.
The basic components of access control are:
- User facing (access card)
- Admin facing (API)
- Infrastructure (electric door lock)
An access control policy makes sure that controls on both logical and physical access to information systems are in place, to ensure the protection of information systems and sensitive data.
Factors of authenticating information:
- Password, PIN (user knows)
- Smart card (user has)
- Fingerprint (user is)
In computer security, access control includes the authorization, authentication and audit of the entity trying to gain access. Access control models have a subject and an object: the subject (the human user) is the one trying to gain access to the object (usually the software). In computer systems, an access control list contains a list of permissions and the users to whom these permissions apply. Access control ensures that such data can be viewed by authorized people and not by unauthorized people. This allows an administrator to protect information and set privileges as to what information can be accessed, who can access it and at what time it can be accessed.
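The following added example (not part of the original document) sketches how an access control list can combine the three questions above: who may access, what they may access, and at what time, with every decision written to an audit trail. The subjects, objects, hours and the `check_access` helper are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class AclEntry:
    subject: str            # who may access
    obj: str                # what may be accessed
    permissions: frozenset  # which actions are allowed
    start: time             # start of the permitted time window
    end: time               # end of the permitted time window (exclusive)

# Constructed sample ACL (hypothetical users and objects).
ACL = [
    AclEntry("alice", "payroll.db", frozenset({"read", "write"}), time(8), time(18)),
    AclEntry("bob", "payroll.db", frozenset({"read"}), time(9), time(17)),
    AclEntry("nightops", "backup.tar", frozenset({"read"}), time(22), time(6)),
]

AUDIT_LOG = []  # every decision, granted or denied, is recorded here

def in_window(now, start, end):
    """True if `now` falls inside the window; handles windows that span midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def check_access(subject, authenticated, obj, action, when):
    """Authentication first, then authorization against the ACL, then audit."""
    if not authenticated:
        decision, reason = False, "not authenticated"
    else:
        decision, reason = False, "no matching ACL entry"  # default deny
        for e in ACL:
            if e.subject == subject and e.obj == obj and action in e.permissions:
                if in_window(when.time(), e.start, e.end):
                    decision, reason = True, "granted by ACL"
                    break
                reason = "outside permitted hours"
    AUDIT_LOG.append((when.isoformat(), subject, obj, action, decision, reason))
    return decision
```

The default is deny: a request is granted only when an entry matches the subject, object, action and time window together, and denied requests are audited as well as granted ones.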