Glossary

Access Control Policy

What is Access Control Policy

Considered a key component of any security plan, an access control policy is the set of rules that limits unauthorized physical or logical access to sensitive data. It protects that data and reduces the risk of a successful attack. Access control works by authenticating a user's credentials to prove their identity and then granting only the pre-approved permissions associated with that identity (for example, their username and IP address). Access control ensures that subjects can only reach objects through secure, pre-approved methods.

Physical access control refers to securing facilities, offices, and physical components of an IT system.

Logical access control limits connections to computer networks, information system files, and data.

When discussing access control security policies, the terms subject and object are used frequently.

A subject is an entity that attempts to access a resource. For example:

  • Humans
  • Started tasks
  • Batch jobs

An object is a system resource whose accessibility needs controls and limitations. For example:

  • Data sets
  • Commands
  • Terminals
  • Files and folders

4 Types of Access Control Policies

Organizations use different access control models depending on their compliance requirements and the security levels of the systems they are trying to protect. In today’s interconnected web of hybrid and cloud-based work environments, understanding the types of access control can help you strengthen security. A number of access control policies have been developed to provide reliability and security across a range of network types. 

Discretionary Access Control

In a DAC system, the creator of a file decides its access permissions and can share it with any recipient they choose. The creator normally retains full control over these settings and can change them at any time. Most DAC systems also have an administrator who can override a user's permissions.

Because users control and share data at their own discretion, DAC environments are more susceptible to data breaches.

Mandatory Access Control

Mandatory access control (MAC) is common in government and highly regulated organizations. Under a MAC policy, the system administrator configures access rules centrally by assigning security levels to both subjects and objects; individual users cannot change them. Subjects can only access objects that fall within their assigned hierarchy. The MAC structure suits highly secure organizations where access is based on the subject's clearance level.

MAC strictly enforces a Zero Trust model of security and only shares information with those who have a "need to know".

Rule-Based Access Control

Rule-based access control (RuBAC) is commonly used with networking equipment such as firewalls and routers. RuBAC rules are global: they apply to every subject equally, across the board. RuBAC policies typically do not allow implicit access; they operate on an implicit-deny basis, permitting an action only where a rule explicitly says to do so. Rule-based access control therefore also aligns with the zero-trust security model.

Role-Based Access Control

Role-based access control (RBAC) uses roles and user groups to categorize access controls. With RBAC, system administrators assign roles to subjects and configure access permissions at the role level. Based on a subject's role, permission to access a resource is automatically granted or denied. In a stable environment without frequent changes in who does what, RBAC makes for an effective access management policy.

Generally, businesses with smaller applications will find DAC easier to implement. Those handling highly confidential or sensitive information may decide to use RuBAC, RBAC, or MAC systems.
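The four models above differ mainly in who sets the rules and how a request is evaluated. The following is an added example, not code from the original page or from Centraleyes, that puts a minimal decision function for each model side by side so the differences are visible in code. All subjects, objects, roles, security levels and firewall rules are constructed sample data, and the concrete MAC policy used (Bell-LaPadula: no read up, no write down) is an assumption the page does not spell out.

```python
"""Four access control models side by side.

Added example, not code from the original page or from Centraleyes.
All subjects, objects, roles, labels and rules below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


# ---- Discretionary Access Control: the object's owner edits its ACL ----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, by: str, user: str, perm: str, admin: bool = False) -> bool:
        """Only the owner may change the ACL, unless an administrator overrides."""
        if by != self.owner and not admin:
            return False
        self.acl.setdefault(user, set()).add(perm)
        return True


def dac_allowed(obj: DacObject, user: str, perm: str) -> bool:
    """The owner always has access; everyone else needs an ACL entry."""
    return user == obj.owner or perm in obj.acl.get(user, set())


# ---- Mandatory Access Control: levels are set centrally, users cannot change them
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allowed(clearance: str, classification: str, action: str) -> bool:
    """Bell-LaPadula rules (assumed here as the concrete MAC policy):
    read only at or below your clearance, write only at or above it."""
    subj, obj = LEVELS[clearance], LEVELS[classification]
    if action == "read":
        return subj >= obj   # no read up
    if action == "write":
        return subj <= obj   # no write down
    return False


# ---- Rule-Based Access Control: an ordered, global rule list, implicit deny ---
@dataclass(frozen=True)
class Rule:
    src_net: str             # source network in CIDR notation
    dst_port: Optional[int]  # destination port, None matches any port
    action: str              # "allow" or "deny"


# Constructed firewall-style rule set; the first matching rule wins
RULES = [
    Rule("10.0.0.0/8", 22, "deny"),     # block SSH from the internal range
    Rule("10.0.0.0/8", None, "allow"),  # everything else from internal is fine
    Rule("0.0.0.0/0", 443, "allow"),    # HTTPS from anywhere
]


def rubac_allowed(rules: list[Rule], src_ip: str, dst_port: int) -> bool:
    """Evaluate rules in order; anything not explicitly allowed is denied."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        in_net = ip in ipaddress.ip_network(rule.src_net)
        port_ok = rule.dst_port is None or rule.dst_port == dst_port
        if in_net and port_ok:
            return rule.action == "allow"
    return False  # implicit deny


# ---- Role-Based Access Control: permissions attach to roles, not to users ----
ROLE_PERMS = {
    "analyst": {"report:read"},
    "admin": {"report:read", "report:edit", "user:manage"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}


def rbac_allowed(user: str, perm: str) -> bool:
    """A user may do what any of their roles may do; unknown users get nothing."""
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC   bob reads alice's file:", dac_allowed(doc, "bob", "read"))
    print("MAC   confidential reads secret:", mac_allowed("confidential", "secret", "read"))
    print("RuBAC 203.0.113.5 to port 80:", rubac_allowed(RULES, "203.0.113.5", 80))
    print("RBAC  alice manages users:", rbac_allowed("alice", "user:manage"))
```

Note how the RuBAC evaluator falls through to `False` when no rule matches: that final line is the implicit deny the text describes, and the decision never depends on who the subject is, only on the global rule list. In the DAC part the breach risk named above shows up as the `grant` call: any owner can hand out access to anyone, and only the administrator override sits above that.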

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Learn more about Access Control Policy

NIST Access Controls

Companies that are contracted by or provide services to the Department of Defense (DoD) are required to meet certain security thresholds. These are defined in the Defense Federal Acquisition Regulation Supplement (DFARS). The National Institute of Standards and Technology (NIST) has developed a cybersecurity framework to guide companies through the DFARS compliance process, including the NIST Access Control requirements specified in NIST SP 800-171.

NIST Access Control Basic Security Requirements

Access Control is one of 14 broad requirement families within the NIST SP 800-171 framework. The basic requirements of each NIST SP 800-171 family establish its general focus. In the case of Access Control, there are two basic policy requirements.

  • 3.1.1 – Limit access to systems to only authorized users, processes, or devices.
  • 3.1.2 – Limit access to systems to only functions that authorized users may 

Most NIST SP 800-171 families also include derived requirements, which break the basic requirements down into more specific control recommendations. Access Control is the largest family, with 20 derived requirements. The following are the first three derived requirements, given here as NIST access control policy examples as stated on NIST's website.

  • 3.1.3 – Control flow of Controlled Unclassified Information (CUI) through approval.
  • 3.1.4 – Logically separate individuals’ duties to avoid harmful non-collusive actions.
  • 3.1.5 – Employ the “least privilege” principle for all accounts (including privileged ones).
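Requirements 3.1.4 and 3.1.5 are the two derived controls above that can be checked mechanically against an existing role model. The following is an added example, not code from the original page, from NIST or from Centraleyes, of two audit checks: one flags users who hold both halves of a conflicting duty pair (3.1.4), the other lists permissions a user holds but has not exercised according to usage records, as candidates for removal under least privilege (3.1.5). The role assignments, permission names, conflicting-pair policy and usage records are all constructed sample data.

```python
"""Audit checks for NIST SP 800-171 3.1.4 (separation of duties) and 3.1.5
(least privilege).

Added example, not code from the original page, NIST or Centraleyes. The role
assignments, permission names and usage records are constructed sample data.
"""

# Constructed role model: which roles each user holds, what each role permits
ASSIGNMENTS = {
    "alice": {"payments_clerk", "payments_approver"},
    "bob": {"payments_clerk"},
    "carol": {"auditor", "sysadmin"},
}
ROLES = {
    "payments_clerk": {"payment:create"},
    "payments_approver": {"payment:approve"},
    "auditor": {"log:read"},
    "sysadmin": {"user:manage", "log:read", "log:delete"},
}

# Duties that must be split between two people (constructed policy for 3.1.4)
CONFLICTING = {
    frozenset({"payment:create", "payment:approve"}),
    frozenset({"log:read", "log:delete"}),
}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in assignments.get(user, set()):
        perms |= roles.get(role, set())
    return perms


def sod_violations(assignments=ASSIGNMENTS, roles=ROLES, conflicting=CONFLICTING):
    """3.1.4: report each user who holds both halves of a conflicting pair,
    whether through one role or through a combination of roles."""
    findings = {}
    for user in assignments:
        perms = effective_permissions(user, assignments, roles)
        hits = [tuple(sorted(pair)) for pair in conflicting if pair <= perms]
        if hits:
            findings[user] = sorted(hits)
    return findings


def least_privilege_findings(used, assignments=ASSIGNMENTS, roles=ROLES):
    """3.1.5: permissions a user holds but never exercised according to the
    usage records (e.g. derived from audit logs); candidates for removal."""
    findings = {}
    for user in assignments:
        unused = effective_permissions(user, assignments, roles) - used.get(user, set())
        if unused:
            findings[user] = unused
    return findings


# Constructed usage records, as one might derive from 90 days of audit logs
USED = {
    "alice": {"payment:create"},
    "bob": {"payment:create"},
    "carol": {"log:read"},
}

if __name__ == "__main__":
    print("separation-of-duties violations:", sod_violations())
    print("unused privileges:", least_privilege_findings(USED))
```

In the sample data alice's conflict comes from holding two roles at once, while carol's comes from a single role (`sysadmin`) that bundles both halves of a pair; the check catches both because it works on effective permissions rather than role names. The least-privilege finding for a privileged account (carol's unused `user:manage` and `log:delete`) is exactly the "including privileged ones" case 3.1.5 calls out.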

Access Control is a Crucial Security Control

An effective access control security policy is one of the crucial elements of any organization's digital security initiative. Like any other aspect of security, an access control policy requires extensive planning and assessment to develop, implement, and maintain.

The Centraleyes team is here to help you implement and manage compliance with dozens of frameworks, ensuring your IT systems are kept up to date with mandated and internal security controls. The Centraleyes Risk and Compliance Management platform provides automated solutions for every step of the compliance process. Its 50+ pre-built frameworks give the platform a guide to implementing appropriate internal controls for every industry. Most importantly, the platform scales with you and adapts to change as you grow, making it easy to add new internal controls.
