The goal of access control is to allow access by authorized
individuals and devices and to disallow access to all others.
Authorized individuals may be employees, technology service
provider (TSP) employees, vendors, contractors, customers, or
visitors. Access should be authorized and provided only to
individuals whose identity is established, and their activities
should be limited to the minimum required for business

Authorized devices are those whose placement on the network is
approved in accordance with institution policy. Change controls are
typically used for devices inside the external perimeter, and to
configure institution devices to accept authorized connections from
outside the perimeter.

An effective control mechanism includes numerous controls to
safeguard and limit access to key information system assets at all
layers in the network stack. This section addresses logical
and administrative controls, including access rights administration
for individuals and network access issues. A subsequent section
addresses physical security controls.