Explain each of these controls (administrative, physical and technical) with examples of real-world applications.
There are three categories of access controls: administrative, physical and technical. The top management of an organization normally defines the administrative controls. Administrative controls encompass policies and procedures, supervisory structures, employee or personnel controls, testing and security-awareness training. An example of administrative control is when management defines and implements security policies for the entire organization, classifies information gathered and developed within the company, and provides training on how the organization implements security. Physical controls work hand-in-hand with the administrative and technical controls to provide the right degree of access control. An example of physical control includes defining how personnel interact with the organization’s HR system to edit, view or delete only the transactions that are appropriate for them. Technical controls include software tools used to limit the access of subjects to objects. They take the form of OS components, security packages, protocols or hardware devices. Examples of technical controls include firewalls, audit logs, encryption, and alarms and alerts.
Explain each of these access control models with examples of real-world applications.
The different types of access control models include Discretionary Access Control (DAC), Role-based Access Control (RBAC), Mandatory Access Control (MAC) and Rule-based Access Control (RB-RBAC). DAC is the least restrictive model: it permits an individual to exercise control over any object that they own, along with the applications that go along with the object. An example of this is when an individual wants to share a folder so that a group he defined can access it. With DAC, that individual can identify which employees will have access to the folder, and those employees can then access and view whatever files are in it. RBAC is a model that grants access based on the position of an individual within an organization. An example is the position of security manager, which already has permissions allocated to it. With RBAC, an employee holding this position will have access to the security manager profile. MAC is an access control model in which only the custodian, management and owner of the organization have access to its settings; no end-user can change the settings and configurations defined under MAC. This model begins with defining security labels for the information, such as a classification (e.g. confidential, top-secret) or a category (e.g. management or department level). An example of this is that when an employee accesses information, with MAC, the system checks the classification and category to which the employee belongs prior to executing the requested operation. RB-RBAC assigns roles to users based on the policies and criteria defined by management. An example of this is that a disbursement amounting to $1,000,000 for a transaction must go through the approval process of the Division Director, Director General and the Vice President of an organization.
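The DAC, RBAC and rule-based models described above, written out as small policy checks. This is an added example and not part of the essay; the user names, role names, permissions and the three-person approval chain are constructed for illustration (the $1,000,000 threshold and approver titles follow the essay's own example).

```python
# Added example (not from the essay): DAC, RBAC and rule-based checks as small
# Python policy functions. Users, roles, permissions and the approval chain
# below are constructed for illustration.
from dataclasses import dataclass, field

# --- DAC: the owner of an object decides who else may access it ------------
@dataclass
class Folder:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def share(self, actor: str, user: str, perms: set) -> None:
        # Only the owner may change the ACL; that is what makes it discretionary.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this folder")
        self.acl[user] = set(perms)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())

# --- RBAC: permissions attach to positions, users are assigned positions ----
ROLE_PERMS = {
    "security_manager": {"read_audit_log", "edit_policy"},
    "analyst": {"read_audit_log"},
}
USER_ROLES = {"alice": {"security_manager"}, "bob": {"analyst"}}

def rbac_allows(user: str, perm: str) -> bool:
    roles = USER_ROLES.get(user, set())
    return any(perm in ROLE_PERMS.get(role, set()) for role in roles)

# --- Rule-based: management policy decides what a request must carry -------
APPROVAL_CHAIN = {"Division Director", "Director General", "Vice President"}
LARGE_DISBURSEMENT = 1_000_000  # dollars

def disbursement_allowed(amount: int, approvals: set) -> bool:
    """Disbursements of $1,000,000 or more need every approver in the chain."""
    if amount < LARGE_DISBURSEMENT:
        return True
    return APPROVAL_CHAIN <= set(approvals)

if __name__ == "__main__":
    f = Folder(owner="carol")
    f.share("carol", "dave", {"read"})
    print(f.allows("dave", "read"), f.allows("dave", "write"))      # True False
    print(rbac_allows("alice", "edit_policy"), rbac_allows("bob", "edit_policy"))
    print(disbursement_allowed(1_000_000, {"Division Director"}))   # False
```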
Provide an example where you could better design computer architecture to secure the computer system with real-world applications. You may use fictitious examples to support your argument.
An organization can better secure its computer system by adopting the Bell-La Padula model. It is a model used to enforce access control in government and military applications. This model describes a computer security policy as a set of access control rules that use security clearances for subjects and labels for objects. An example of the application of this model is when the categorization of information in a military set-up includes restricted, confidential, secret or top-secret. The position assignment for this categorization can include the positions lieutenant, colonel, captain, lieutenant general and general.
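A minimal Bell-La Padula reference monitor that also illustrates the MAC classification-and-category check from the access control models section. This is an added example, not code from the essay or from Rushby's paper; it assumes the essay's four levels are ordered restricted < confidential < secret < top-secret, and the category names, the clearances assigned to each position and the file label are constructed for illustration.

```python
# Added example (not from the essay or from Rushby's paper): a minimal
# Bell-LaPadula reference monitor. The four levels are the essay's; the
# category names, clearances and file labels are constructed for illustration.
from dataclasses import dataclass

LEVELS = {"restricted": 0, "confidential": 1, "secret": 2, "top-secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # need-to-know compartments

    def dominates(self, other: "Label") -> bool:
        """True when self is at least as high in level AND holds every category of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def can_read(subject: Label, obj: Label) -> bool:
    # Simple security property: no read up. The clearance must dominate the label.
    return subject.dominates(obj)

def can_write(subject: Label, obj: Label) -> bool:
    # *-property: no write down. The object label must dominate the clearance,
    # so a secret-cleared user cannot copy secret data into a confidential file.
    return obj.dominates(subject)

def decide(subject: Label, obj: Label, mode: str) -> bool:
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown access mode {mode!r}")

# Constructed clearances keyed by positions named in the essay.
CLEARANCE = {
    "lieutenant": Label("restricted"),
    "captain": Label("confidential", frozenset({"logistics"})),
    "colonel": Label("secret", frozenset({"logistics"})),
    "general": Label("top-secret", frozenset({"logistics", "ops"})),
}

if __name__ == "__main__":
    plan = Label("secret", frozenset({"ops"}))   # constructed object label
    for who, clr in CLEARANCE.items():
        print(who, "read:", decide(clr, plan, "read"), "write:", decide(clr, plan, "write"))
```

Note that the colonel, although cleared to secret, is still denied the plan because the category check fails: level alone is not enough under MAC.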