INFORMATION SECURITY ACCESS CONTROL

What is Access Control?

In information security, access control refers to limiting who can reach particular locations or resources. 'Access' here covers opening, editing, viewing or otherwise using a resource. Access control lets you define, and later verify, who is permitted to view and change documents, and who may physically enter the organisation's offices and buildings.

Why is access control important?

An information security management system (ISMS) has to ensure that the right people in your organization have access to the right information at the right time, and that nobody else does. Controlling access is therefore central to it.

To reduce the risk of threats entering the organization, procedures should be in place to prevent just anybody from accessing and using its resources.

If you accidentally allow unauthorised personnel access to employees' personal information, the consequences can be serious: salary details, for example, could become visible to people who should never see them. Businesses face real exposure in this regard.

A strong access control system not only ensures that you know who has access to which documents, it also makes it easier to achieve certification to ISO 27001. That in turn increases customers' trust, since they can see that their information is protected.

What are the types of access controls?

You can control how people access your systems with three common types of access control:

  1. Discretionary Access Control (DAC)

 Under DAC, the owner of a resource decides who else may use it. Each resource (a file, a door, a database table) carries an access control list (ACL) naming the users or groups who have access and what they may do, and the owner edits that list at their own discretion. DAC can be applied digitally or physically and is flexible and easy to administer for small systems, but access decisions are spread across every owner rather than set centrally, so a careless owner can grant more than policy intends.

  2. Mandatory Access Control (MAC)

 Under MAC, a central policy, not the resource owner, determines access. Every resource is given a classification label (for example Confidential or Secret) and every user a clearance; the system grants access only when the user's clearance covers the resource's label, and neither users nor owners can relabel a resource to get around the rule. Because it is the strictest option, it is commonly used by governments and military entities, and by any organization that requires a high level of confidentiality for its data. The same principle applies to physical entry: a keypad or swipe card system admits only holders of the appropriate clearance to a labelled area.

  3. Role-Based Access Control (RBAC)

 Access control of this type is sometimes referred to as non-discretionary, since access is granted according to a user's role in the organization rather than at the discretion of individual owners. Permissions are attached to roles (for example 'HR manager' or 'engineer'), and people are assigned the roles that match their job title. This is particularly convenient for joiners, movers and leavers: when a member of staff is promoted and a new employee is hired to fill the vacated position, you change each person's role and their key card and system access follow automatically. When you do so, remove the old role rather than adding the new one on top, otherwise long-serving staff accumulate permissions from every job they have ever held.

Which type of access control your organization chooses depends on the industry you operate in and on the size of the business. DAC may be sufficient for small or basic applications. If your platform holds highly sensitive, confidential or private information, MAC or RBAC is usually the better choice.
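To make the difference between the three models concrete, here is a small worked example. It is added here for illustration and is not code from the article or from SRM; the users, file names, classification labels and roles are constructed sample data, and the MAC rules shown are the Bell-LaPadula confidentiality rules, which is an assumption since the article names no specific MAC model. Each model is reduced to the one decision that distinguishes it: in DAC only the owner can edit the ACL, in MAC a fixed label lattice decides and nobody can override it, and in RBAC permissions hang off roles so a promotion is a role swap.

```python
"""
Toy implementations of DAC, MAC and RBAC, added for illustration.
All users, file names, labels and roles below are constructed sample data.
"""
from dataclasses import dataclass, field


# ---- Discretionary Access Control (DAC) -------------------------------------
# The object's owner decides who else gets access, by editing its ACL.
@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of permissions

    def grant(self, granter: str, subject: str, perm: str) -> bool:
        """Only the owner may change the ACL; any other caller is refused."""
        if granter != self.owner:
            return False
        self.acl.setdefault(subject, set()).add(perm)
        return True

    def allowed(self, subject: str, perm: str) -> bool:
        return subject == self.owner or perm in self.acl.get(subject, set())


# ---- Mandatory Access Control (MAC) ------------------------------------------
# Labels come from policy; neither the owner nor the user can change them.
# Rules below are the Bell-LaPadula confidentiality rules (an assumption:
# the article does not name a specific MAC model).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_can_read(clearance: str, classification: str) -> bool:
    """'No read up': the subject's clearance must be at or above the label."""
    return LEVELS[clearance] >= LEVELS[classification]


def mac_can_write(clearance: str, classification: str) -> bool:
    """'No write down': stops secret data being copied into a lower-labelled object."""
    return LEVELS[clearance] <= LEVELS[classification]


# ---- Role-Based Access Control (RBAC) ----------------------------------------
# Permissions attach to roles; people are given the roles that match their job.
ROLE_PERMS = {
    "hr_manager":   {"payroll:read", "payroll:write", "hr_policy:read"},
    "hr_assistant": {"hr_policy:read"},
    "engineer":     {"source:read", "source:write"},
}


class Rbac:
    def __init__(self) -> None:
        self.user_roles: dict = {}  # user -> set of roles

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user: str, perm: str) -> bool:
        return any(perm in ROLE_PERMS[r] for r in self.user_roles.get(user, set()))

    def promote(self, user: str, old_role: str, new_role: str) -> None:
        """A promotion swaps roles rather than adding one, so the user does
        not keep accumulating permissions from every job they ever held."""
        self.revoke(user, old_role)
        self.assign(user, new_role)


def demo() -> dict:
    """Run the three models on constructed sample data and return the outcomes."""
    out = {}

    # DAC: alice owns the salary sheet and chooses to let bob read it.
    sheet = DacObject("salaries.xlsx", owner="alice")
    out["dac_bob_before"] = sheet.allowed("bob", "read")           # False
    out["dac_alice_grants"] = sheet.grant("alice", "bob", "read")  # True
    out["dac_bob_after"] = sheet.allowed("bob", "read")            # True
    out["dac_bob_write"] = sheet.allowed("bob", "write")           # False
    out["dac_carol_grant"] = sheet.grant("carol", "dave", "read")  # False: not the owner

    # MAC: a SECRET-cleared user against fixed labels.
    out["mac_read_secret"] = mac_can_read("SECRET", "SECRET")          # True
    out["mac_read_topsecret"] = mac_can_read("SECRET", "TOP SECRET")   # False
    out["mac_write_down"] = mac_can_write("SECRET", "UNCLASSIFIED")    # False

    # RBAC: bob is promoted to HR manager and dave is hired into bob's old job.
    rbac = Rbac()
    rbac.assign("bob", "hr_assistant")
    out["rbac_bob_before"] = rbac.allowed("bob", "payroll:read")      # False
    rbac.promote("bob", "hr_assistant", "hr_manager")
    rbac.assign("dave", "hr_assistant")
    out["rbac_bob_after"] = rbac.allowed("bob", "payroll:read")       # True
    out["rbac_dave_payroll"] = rbac.allowed("dave", "payroll:read")   # False
    out["rbac_dave_policy"] = rbac.allowed("dave", "hr_policy:read")  # True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

Running the script prints the outcome of each check. The points to notice are the two refusals: in DAC, carol cannot grant access to a file she does not own, and in MAC, a SECRET user cannot read TOP SECRET or write into an UNCLASSIFIED object no matter who owns it. In the RBAC part, bob's old hr_assistant role is revoked at promotion, which is the privilege-accumulation caveat mentioned above.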

Use SHEQ software

To design and implement a Quality Management System, SRM and many of our clients use Mango Compliance Software (www.mangolive.com). Mango makes it easier to obtain and maintain ISO 9001:2015 certification.

SRM is ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 certified. Contact our consultants today and let us know if we can help you with the development and implementation of your Quality Management System.