Free Research Paper About Cissp Domain – Access Control

<INSTRUCTOR’S NAME>
<COURSE NAME>

Certified Information Systems Security Professional (CISSP) is an internationally known information security related certification that explains the best practices and generally accepted security procedures around the world. CISSP has ten relevant security domains, and this research will focus one of its domains known as Access Control.
Access Control is the primary security domain of CISSP that manages how critical organizational application resources remain protect against illegal access, modification and disclosure. This domain predominantly tackles the mechanisms on how granting and revoking of rights to retrieve data within a system or operate an action on an information system. Understanding the process of access control will allow an organization to identify which user can access or retrieve confined within an information system. Management can also specify what specific resources they can retrieve as well as the type of operation a user can execute. Defining this access control allows the management to place an individual with accountability with regard to the resources of the organization.
Granting of access rights will range from file permissions, program permissions as well as data rights. File permissions include create, edit, delete or read within a file server, whereas, program permission refers to the authority to execute or run a program within an application server. Meanwhile, data right includes the right or authority to update or access information in a database. The management must take into account the principles of access control prior to security implementation. These principles include the least privilege and the separation of duties. The least privilege policy restrains both the user of the system and its related processes to retrieve only those data required to execute an assigned function. An example of this is when an employee with a back-up privilege can only execute back-up applications and not permitted to install software because that is beyond his assigned function. On the other hand, the principle of separation of duties emphasize that the execution of different steps of a process rely on distinct users . Management should explicitly define the separation of duties in order to prevent conflict of interest, experience error, abuse and fraud. These principles should remain implemented within every information system, personnel, facilities and support systems of an organization. Apart from this, it is necessary for an organization to categorize the security controls. Its categories can either relate to administrative or management controls, physical or operational controls and technical controls. Management controls refer to standards, guidelines or policies. Operation controls refer to how the execution of the policies, whereas, technical controls refer to access controls, confidentiality and authorization .
In case of new information system related projects, it is critical that security considerations for access control are part of each phase. During the initiation phase, apart from identifying the information resources, it is necessary that there are a clear and defined security policies, guidelines and standards. Categorization for information security as well as protection level should also remain documented. During the development or acquisition phase, management should emphasize their security requirements as well as controls for security. The security team must develop an appropriate security test scripts, scenarios and cases as well as evaluation for validation of the defined security controls. The project team must ensure that there is an accurate implementation of security controls and acquire security accreditation. As part of the maintenance phase, there should have a scheduled periodic security evaluation .

Works Cited

Sandhu, R. and P. Samarati. "Access Control: Principles and Practice." IEEE Communications Magazine (n.d.): 40-48. Document.
Srinivasan, M. CISSP in 21 Days. Packt Publishing, 2009. Book.
Zheng, J. and Q. Zhang. "Dynamic Role-Based Access Control Model." Journal of Software, vol.6, no.6 (2001): 1096-1102. Document.