During your first week as an Information Systems Security director, you met with the Chief Information Officer (CIO). During the meeting, he revealed his deep concerns regarding the security features that control how users and systems communicate and interact with other systems and resources. The CIO asks you to develop access control as a well-organized and appropriately documented program. The program and measures that your company’s senior managers will implement must be properly designed and put into policy.
One common approach to designing access control is to use categories of access controls to effectively document and communicate policy to the user community. These controls can logically prevent users from violating policy. They can also determine when violations have occurred and take action when violations take place. Finally, these controls can dictate how the organization will return to normal conditions after violations take place.
In section 1, describe the seven primary categories of access control that managers may choose to implement. Include a description of each control and explain a situation in which a manager would choose that control for implementation.
The CIO is very concerned about suspicious network activity. In section 2, describe the technical or logical controls managers would implement to detect when suspicious activity occurs on a network and report this to administrators.
Additionally, many senior executives are concerned that the IT systems may not be able to handle incidents. In section 3, describe which access control category you would recommend that managers implement for catastrophic incidents.
The access control categories discussed in the previous sections classify access control methods based on where they fit into the access control time continuum. However, another way to classify and categorize access controls is by their method of implementation. The controls in any of the access control categories can be implemented in one of three ways: Administrative, Logical, or Physical. In section 4, explain each access control type and provide implementation recommendations for managers.