What is Access Control (AC)?
Access is the ability to make use of any system resource. This includes logging into computers, connecting to a network via a VPN or being able to physically reach a defined area such as a server room.
Access control is the process of granting or denying requests to use information (both in digital & non-digital form), to use information processing services such as computer systems, and to enter company facilities. Access can be divided into two categories, logical access and physical access. In this article we will be discussing logical access control.
Logical access is access to system resources such as computers, networks, and digital information. Because it is mediated by the system itself rather than by a door or a guard, it is described as “system-based”.
Logical access controls define who or what is permitted to access a system resource, and what type of access is permitted. Logical access control mechanisms are often built into operating systems (e.g., Windows user accounts), incorporated into applications (e.g., database management systems, communications systems), or implemented through add-on security applications.
Principles of Access Control (AC)
There are several key principles required for effective access control. These include:
Need to Know: Users, systems, and processes should only have access to the information and resources required to complete their assigned job function.
The Principle of Least Privilege: Users, systems, and processes should only be granted the privileges necessary to complete their assigned duties.
Separation of Duties: Separating any areas of conflicting responsibility to reduce opportunities for unauthorized or unintentional modification or misuse of organizational assets and/or information.
Cybersecurity Maturity Model Certification (CMMC) Requirements
- Establishing system access requirements (Applies to all CMMC levels)
- Controlling internal system access (Applies to all CMMC levels)
- Controlling remote system access (Applies to CMMC Levels 2-5)
- Limiting data access to authorized users and processes (Applies to all CMMC levels)
Implementing Logical Access Control (AC)
The extent to which your organization controls access to its systems and data depends on the CMMC level you are trying to achieve; however, the following are applicable to most CMMC levels:
- Maintaining a list of authorized users.
- Maintaining an account creation and decommissioning process.
- Requiring a username and password for system access.
- Maintaining access control lists.
- Providing privacy and security notices before a user accesses a system.
- Dividing responsibilities and separating duties to eliminate conflicts of interest or the risk of collusion.
- Separating non-privileged accounts from privileged accounts.
- Implementing the principle of least privilege.
- Requiring a “need-to-know” prior to granting access to a system or data.
- Limiting the use of portable storage devices such as USB thumb drives.
- Locking an account after multiple failed logon attempts.
- Requiring user authentication prior to gaining network access.
- Ensuring that sensitive information is not posted to publicly accessible locations.
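The list above reads as policy, but most of its items map directly onto a few checks in code. The following is an added example written for this article, not code from the original page or from the CMMC documentation: a toy logical access control layer that keeps the authorized-user list, refuses to grant conflicting duties to one account, keeps privileged and non-privileged rights on separate accounts, denies anything not explicitly granted, and locks an account after repeated failed logons. Every account name, password, permission string, conflicting pair and the lockout threshold of 3 are constructed assumptions; the requirement itself only says “multiple” attempts.

```python
"""Toy logical access control covering the controls listed above:
deny-by-default ACLs, separation of duties, privileged/non-privileged
account separation, account decommissioning and lockout after repeated
failed logons. All accounts, passwords and policy values are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed separation-of-duties policy: permission pairs no single
# account may hold, because together they let one person act and approve.
CONFLICTING = {frozenset({"payment:create", "payment:approve"})}
LOCKOUT_THRESHOLD = 3  # constructed value; the requirement only says "multiple"


@dataclass
class Account:
    name: str
    privileged: bool
    salt: bytes
    pw_hash: bytes
    permissions: Set[str] = field(default_factory=set)  # "resource:action"
    failed_logons: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControl:
    """The list of authorized users plus the checks applied to it."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create_account(self, name: str, password: str, privileged: bool = False) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(name, privileged, salt, _hash(password, salt))

    def decommission(self, name: str) -> None:
        self.accounts.pop(name, None)  # a removed user loses all access at once

    def grant(self, name: str, permission: str) -> None:
        acct = self.accounts[name]
        is_admin_perm = permission.startswith("admin:")
        # Privileged and non-privileged rights never live on the same account.
        if is_admin_perm != acct.privileged:
            raise PermissionError(f"{permission!r} does not belong on {name!r}")
        # Separation of duties: refuse a grant that completes a conflicting pair.
        for held in acct.permissions:
            if frozenset({held, permission}) in CONFLICTING:
                raise PermissionError(f"{permission!r} conflicts with {held!r}")
        acct.permissions.add(permission)

    def logon(self, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or acct.locked:
            return False  # unknown and locked accounts fail identically
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_logons = 0
            return True
        acct.failed_logons += 1
        if acct.failed_logons >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return False

    def is_allowed(self, name: str, permission: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or acct.locked:
            return False
        return permission in acct.permissions  # anything not granted is denied


def demo() -> dict:
    """Exercise each control once and report whether it held."""
    ac = AccessControl()
    ac.create_account("alice", "correct horse")
    ac.create_account("ops-admin", "battery staple", privileged=True)
    ac.grant("alice", "payment:create")
    ac.grant("ops-admin", "admin:reset_password")
    out = {}
    try:
        ac.grant("alice", "payment:approve")  # would let alice approve her own payments
        out["sod_enforced"] = False
    except PermissionError:
        out["sod_enforced"] = True
    try:
        ac.grant("alice", "admin:reset_password")  # admin right on a normal account
        out["priv_separated"] = False
    except PermissionError:
        out["priv_separated"] = True
    out["deny_by_default"] = not ac.is_allowed("alice", "payment:read")
    out["need_to_know"] = ac.is_allowed("alice", "payment:create")
    for _ in range(LOCKOUT_THRESHOLD):
        ac.logon("alice", "wrong")
    out["locked_after_failures"] = not ac.logon("alice", "correct horse")
    out["locked_loses_access"] = not ac.is_allowed("alice", "payment:create")
    ac.decommission("ops-admin")
    out["decommissioned"] = not ac.logon("ops-admin", "battery staple")
    return out


if __name__ == "__main__":
    for control, ok in demo().items():
        print(f"{control:24} {'enforced' if ok else 'FAILED'}")
```

Two design points are worth noting. Unknown, locked and wrong-password logons all return the same result, so an attacker cannot use the response to enumerate valid usernames or to learn that a lockout has triggered. And `is_allowed` consults only what was explicitly granted, so a new resource or action is closed until someone with the authority to grant it decides otherwise; that is what “need-to-know prior to granting access” looks like in practice.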
In summary, access control is the process of granting or denying requests to use information (both in digital and non-digital form), to use information processing services such as computer systems, and to enter company facilities.
The three key principles of access control are establishing a “need-to-know” before granting access, applying “least privilege” when granting a user access to a resource, and implementing separation of duties to reduce conflicts of interest or collusion.
CMMC requires that companies establish system access requirements, control internal and remote system access as well as limit user access to data.