NISTIR 7316, Assessment of Access Control Systems, explains some of the commonly used access control policies, models and mechanisms available in information technology systems.Īs systems grow in size and complexity, access control is a special concern for systems that are distributed across multiple computers. Security models are formal presentations of the security policy enforced by the system, and are useful for proving theoretical limitations of a system. Rather than attempting to evaluate and analyze access control systems exclusively at the mechanism level, security models are usually written to describe the security properties of an access control system. Access control models bridge the gap in abstraction between policy and mechanism. Access Control List is a familiar example. At a high level, access control policies are enforced through a mechanism that translates a user’s access request, often in terms of a structure that a system provides. For instance, policies may pertain to resource usage within or across organizational units or may be based on need-to-know, competence, authority, obligation, or conflict-of-interest factors. Access control policies are high-level requirements that specify how access is managed and who may access information under what circumstances. Organizations planning to implement an access control system should consider three abstractions: access control policies, models, and mechanisms. In some cases, authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various documents and the clearance level of the user accessing those documents. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. In some systems, complete access is granted after s successful authentication of the user, but most systems require more sophisticated and complex control. Access control is concerned with determining the allowed activities of legitimate users, mediating every attempt by a user to access a resource in the system. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access (authorization) control.
Adequate security of information and information systems is a fundamental management responsibility.
0 kommentar(er)
