Access Control Types – Administrative Control
9/06/2012 Article
Alternatively, it is possible to group Access Controls by implementation type. Those three types are Administrative Controls, Technical Controls and Physical Controls.
Administrative Controls and Technical Controls can be further broken down into sub-types. This article goes into more depth about Administrative Controls.
Administrative Controls encompass everything to do with the planning, documentation and daily maintenance of access control, and have six sub-types, described in turn below.
The first sub-type covers Change Control and Business Continuity and Disaster Recovery planning; ensuring that the performance of any access control is adequate; organisation-wide configuration management and the planning it requires; vulnerability and patch management; equipment replacement and the security vetting of new devices; and network management.
Personnel security is about the access each user and each user group has to a resource, and whether they have a legitimate ongoing requirement for it. Coupled with this is the evaluation of the individual, their claim to an identity and their personal traits. Given a positive confirmation that this person is who they claim to be, what are the implications for their likelihood of theft, fraud, error and so on? Consider personal or financial problems and mental illness (think stress or depression).
This one is more or less what it says on the tin: who has access to what, and the various notes that go with it (for what purpose, regulations, contractual obligations, organisational hierarchy, who manages the security policy).
This is another that does what it says on the tin. A few minor points are worth noting: log as much as is feasible, including the status of the access control itself and not just the access attempts against it. Keep the logs secure: to be used as evidence they must retain their integrity; they may contain sensitive information, so they must remain confidential; and if they were deleted they would no longer be available for analysis. Consider separation of duties for log reviews: the sysadmin should not review the logs of a system they operate or maintain.
User management covers all things user, and the appropriate procedures where applicable: events such as the creation and deletion of an account and changes of job role or title; understanding and acceptance of Acceptable Use Policies and other agreements; procedures for dealing with unauthorised access attempts by users; and password policies and policies for other access-granting media (tokens, fingerprints etc.).
Privilege management is an extension of user management. This is separated because many organisations, particularly small businesses, won’t bother with anything other than identifying users and authorising them onto the systems.
Privilege management is far more granular and states that users of each job role should only have access to the resources that they need to fulfil their tasks.
It comes back to that user (and group) <-> resource relationship again. It is worth keeping in mind that, as with firewalls (e.g. iptables), the order in which rules are applied and the order of precedence are important to understand for each system.
For example, should a user be in two groups, one with an explicit allow permission to a resource and the other with an explicit deny permission to the same resource, which one wins out?
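The two-group question above has no single answer: it depends on the precedence rule the system uses. The following is an added example (not from the original article) with a constructed rule set and users, comparing a first-match evaluator in the style of iptables with a deny-overrides evaluator in the style of NTFS ACLs; the group, user and path names are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    group: str
    resource: str
    effect: str  # "allow" or "deny"

def effective_access_first_match(rules, user_groups, resource):
    """iptables-style: walk the rules in order; the first rule that matches
    one of the user's groups decides. No matching rule means default deny."""
    for r in rules:
        if r.resource == resource and r.group in user_groups:
            return r.effect == "allow"
    return False

def effective_access_deny_overrides(rules, user_groups, resource):
    """NTFS-style: gather every rule that applies to any of the user's groups.
    A single explicit deny beats any number of allows; no rule means default deny."""
    applicable = [r for r in rules
                  if r.resource == resource and r.group in user_groups]
    if any(r.effect == "deny" for r in applicable):
        return False
    return any(r.effect == "allow" for r in applicable)

# Constructed sample data: alice sits in both groups, bob only in contractors.
RULES = [
    Rule("finance", "/share/payroll", "allow"),
    Rule("contractors", "/share/payroll", "deny"),
]
USER_GROUPS = {
    "alice": {"finance", "contractors"},
    "bob": {"contractors"},
}

def decide(user, resource, rules=RULES):
    """Return the outcome under both precedence models so they can be compared."""
    groups = USER_GROUPS.get(user, set())
    return {
        "first_match": effective_access_first_match(rules, groups, resource),
        "deny_overrides": effective_access_deny_overrides(rules, groups, resource),
    }

if __name__ == "__main__":
    print("alice:", decide("alice", "/share/payroll"))
    print("alice (rules reversed):", decide("alice", "/share/payroll", RULES[::-1]))
    print("bob:", decide("bob", "/share/payroll"))
```

Under first-match, simply swapping the order of the two rules flips alice's result, whereas deny-overrides gives the same answer regardless of order; when reviewing privileges, check which model each system actually implements before trusting the group membership alone.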