
Access Controls

Access controls are a very important part not only of information security but of IT compliance as well. It is impossible to imagine any type of IT review or audit that does not include access controls in its scope. Access controls fall into two categories: physical access and logical access.

Physical Access

Physical access controls limit people's physical ability to access data and computing resources. This includes keeping people out of data centers, network closets, power distribution rooms, and other areas where malicious or accidental tampering could result in data loss or unexpected downtime. These areas may be protected by proximity cards, key pads, physical keys, or a combination of electronic technologies that pairs two of these into a more secure method of controlling access. OIT is responsible for controlling physical access to all sensitive areas. For an idea of what a typical physical security review would include, please click here.

Logical Access

Logical access can be thought of as electronic authentication or access to information systems. If I log in to a machine, then I have been granted logical access. There are many elements of logical access that are relevant to audits. Password parameters and standards are probably the most important. A weak password is usually the easiest way to gain unauthorized logical access to a system. There are other ways as well: someone may try to gain logical access to an information system by connecting through open ports on a given machine. Click here for an idea of what a typical logical security review would include.

If you have any specific questions regarding access controls and any compliance issues related to them, please contact Brian Markham at 301-405-1057.

University of Maryland