One of the core policies in an information security management system is the access control policy. It is also one of the critical domains of ISO 27001 controls. This policy aims to manage and minimize the potential exposure of an organization’s information and data from unauthorized access, which will optimize the confidentiality, integrity, and availability of information systems and apps.
What are the 3 types of access control?
Access controls can be applied physically or logically. While physical access controls are easily understood, logical access controls come in three types.
Discretionary Access Control
Discretionary Access Control (DAC) is based on pre-determined rules of access. Each user's access has an administrator who determines what type of access will be granted and to what extent. The administrators exercise discretion based on management instructions.
Role-based access control
The second type of access control is RBAC (Role-based access control). Here, access is granted not to an individual as such but according to the role they perform in the organization. There is less discretion because a user gets all the access associated with their role. The administrators create roles and then assign employees to one of those roles, and the access flows to the user from what has been built into that role.
Attribute-based access control
Attribute-based access control (ABAC) is the most granular type of access control. Administrators take into account not only the role of the user but also their risk profile, and access is determined based on the evolving risk of the individual user. Additional factors that might be considered include access location, time of access, type of file being accessed, and time of file creation.
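The following is an added example (not code from the article) that contrasts the RBAC and ABAC decisions described above. The roles, permissions and the five attribute rules (location, time of access, file type, file creation time, user risk profile) are constructed for illustration, and each rule is named so a denial can be explained in an access log.

```python
from datetime import datetime

# Constructed sample role permissions for this example (not from the article).
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "finance": {"read", "write"},
}

def rbac_decision(user, action):
    """RBAC: the decision depends only on the permissions built into the role."""
    if action in ROLE_PERMISSIONS.get(user["role"], set()):
        return "allow"
    return "deny: role lacks permission"

def abac_decision(user, action, resource, ctx):
    """ABAC: the role check plus the user's risk profile, the resource's
    attributes and the request context (location, time of access).
    Rules are evaluated in order; the first violated rule is reported."""
    if rbac_decision(user, action) != "allow":
        return "deny: role lacks permission"
    rules = [
        ("high-risk user on confidential data",
         user["risk"] == "high" and resource["sensitivity"] == "confidential"),
        ("confidential data outside the office network",
         resource["sensitivity"] == "confidential" and ctx["location"] != "office"),
        ("write outside business hours",
         action == "write" and not 8 <= ctx["time"].hour < 18),
        ("financial file needs the finance role",
         resource["type"] == "financial" and user["role"] != "finance"),
        # Constructed rule standing in for a "time of file creation" attribute:
        # a record created less than an hour ago may not be modified yet.
        ("file created less than 1 hour ago is still read-only",
         action == "write"
         and (ctx["time"] - resource["created"]).total_seconds() < 3600),
    ]
    for name, violated in rules:
        if violated:
            return "deny: " + name
    return "allow"
```

With RBAC alone, a finance user can always write the ledger; with ABAC the same user is refused from home, after hours, or when the record is too new, and a high-risk user is refused even for a read.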
We will now discuss the different types of access that an access control policy tries to address. But first, we need to understand the need-to-know principle, which is the foundation of any access control exercise.
The Need-to-Know Principle of Access Control
The need-to-know principle mandates that the extent of access granted to users must be dictated by the resources (physical and logical) that they need for the performance of their job. Therefore, if someone doesn’t need access to sensitive or confidential data as part of their job, it should not be available to them.
The need-to-know principle has been shown to significantly reduce the exposure of private and sensitive data and information. Therefore, it is considered the foundation of all access control policies. The risk profile of information/data increases in direct proportion to the number of people who can access it.
For example, users who are on the marketing team may not need access to customers’ billing or other private information. Therefore, based on this principle of least privilege, they should not be able to access this information.
In general, an Access Control Policy must address the following types of access at the minimum:
Physical Access
Only personnel who need it should be allowed to access physical systems. The more sensitive an information processing facility is, the stricter its physical access policy should be. For example, data centers should have more physical access controls because they host all the data and information.
The use of access identification badges and logs of access to the data center is the bare minimum physical access requirement. In addition, all physical access should be approved and authorized. Therefore, the physical access of terminated employees, and of contractors or third parties who are no longer allowed to access information processing facilities, should be revoked.
Logical Access
Logical access is controlled through the creation of individual accounts. The access privileges built into these accounts should be based on the users’ needs. The password policy is also part of logical access, and password strength should be enforced to make sure that users choose strong passwords.
A key part of logical access is controlling administrative accounts. Since these accounts have the most powerful privileges, their creation and deletion should be strictly controlled.
Administrative accounts should be individual, with no sharing between administrators, so that their actions can be individually accounted for. This also means it is critical that administrative account activity is logged and that the logs are reviewed by management.
Remote Access
We are fast moving to an environment where users perform their jobs remotely by logging on to company systems and apps. This means that remote access should be carefully evaluated, and the necessary policy guidelines about remote access should form part of the Access Control Policy.
All remote access, especially if VPN accounts are involved, must be approved based on the need for remote access. It should not be allowed to those who do not need it for their jobs.
It is good practice to make two-factor authentication mandatory for remote access. Users must also be required to use only officially approved devices for remote access to information systems and apps.
What to Include in an Access Control Policy Document?
The Access Control Policy must clearly specify to whom it applies. It must also clearly specify the rules for the different user classes and the resources it covers. For example, the rules applicable to a privileged user might differ from those applicable to an end user.
The purpose of stating the scope and applicability is to make sure that there is no ambiguity. Users may assume that the policy doesn’t apply to them if it doesn’t clearly say that it does.
The Access Control Policy also educates users about the need for it. It serves two goals. First, it reduces the exposure of an organization’s information and data to unauthorized access. The whole purpose of an information security management system is reducing risk, and the Access Control Policy is one tool for doing that.
Second, the policy ensures confidentiality, integrity, and availability of information, data, and information processing facilities.
If users are aware and understand the importance of the Access Control Policy, they are more likely to comply with it.
Auditing Access Control Policy
Publishing an access control policy is one thing, but it may never succeed if compliance with it is not monitored. The best way to do this is to audit users’ access. Changes in technology may mean that access needs to be reviewed. A change in a user’s role may require giving them additional roles, but administrators usually do not find time to revoke the previous access the user no longer needs. A regular audit of the Access Control Policy ensures that access remains current and within the defined rules.
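An added example (not code from the article) of the access review just described: it compares each user's actual grants against the entitlements defined for their role and flags access that outlived a role change, plus any access still held by a non-active account. The role matrix and the three user records are constructed sample data standing in for a directory or entitlement export.

```python
# Constructed sample data for this example (not from the article).
# Entitlements each role is supposed to carry, per the approved policy.
ROLE_ENTITLEMENTS = {
    "marketing": {"crm-read", "cms-edit"},
    "billing":   {"crm-read", "billing-read", "billing-write"},
    "sysadmin":  {"server-admin", "crm-read"},
}

# What the systems actually grant today, e.g. exported from an IdM tool.
USERS = {
    # alice moved from billing to marketing; billing-read was never revoked
    "alice": {"role": "marketing", "status": "active",
              "grants": {"crm-read", "cms-edit", "billing-read"}},
    # bob left the company but his account still carries access
    "bob":   {"role": "billing", "status": "terminated",
              "grants": {"crm-read", "billing-read"}},
    # carol's grants match her role exactly
    "carol": {"role": "sysadmin", "status": "active",
              "grants": {"server-admin", "crm-read"}},
}

def audit_access(users, role_entitlements):
    """Return (user, finding, grants) tuples for every deviation found.

    'revoke-all': the account is not active but still holds grants.
    'excess':     an active user holds grants beyond their current role.
    'unknown-role': the user's role is not defined in the entitlement matrix.
    """
    findings = []
    for name, user in sorted(users.items()):
        if user["status"] != "active":
            if user["grants"]:
                findings.append((name, "revoke-all", frozenset(user["grants"])))
            continue
        if user["role"] not in role_entitlements:
            findings.append((name, "unknown-role", frozenset(user["grants"])))
            continue
        excess = user["grants"] - role_entitlements[user["role"]]
        if excess:
            findings.append((name, "excess", frozenset(excess)))
    return findings

if __name__ == "__main__":
    for user, finding, grants in audit_access(USERS, ROLE_ENTITLEMENTS):
        print(f"{user}: {finding} -> {sorted(grants)}")
```

Run on a regular schedule and against the real exports, the findings list is the work queue for revocations, and an empty list is the evidence that access is still within the defined rules.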
Implementation of Access Control Policy
Usually, an access control policy is a higher-level document that makes strategic commitments and prescribes overall policy guidelines. To implement it effectively, detailed procedures need to be developed and adopted. For example, detailed procedures for password control will be needed to implement the rules and guidance given in the Access Control Policy.
An access control policy on its own doesn’t do much. For it to be effective, it must be supported by methods, procedures, and some form of access control model.
It is also important that the policy specifies the action that may be taken in case of wilful non-compliance. Usually, policies have an adherence clause stating that compliance is mandatory and that non-compliance will invite disciplinary action.
System-Created Access Control Policies
Access control policies are also built into devices, apps, and operating systems. This is also called policy-based access control. These differ from the overall Access Control Policy in that they are tools for implementing the approved policy.
For example, a firewall might have a default policy already built in, which will need to be configured based on the policy mandated by the senior management.