IT Risk Management
Part 1: Access Control Security Models
Access control can be defined as a composite security measure that aims to control the access of individuals to certain objects and sensitive information. Access control is necessary for protecting the confidentiality, integrity, and availability of information, allowing both individuals and groups to reduce risks and information threats (Honey, 2000). While there is a broad range of controls, their functions and purposes can be divided into several categories, including operational, technical, and management-related methods.

The logical (technical) method of access control has proven itself in the management of small to medium IT companies by implementing both hardware and software mechanisms that manage access to resources and to control elements of the system (Benantar, 2006). Examples of this method include encryption controls, smart cards, biometric solutions, password encryption, special interfaces, manually managed protocols, enterprise-level firewalls, ACLs, and intrusion detection systems, which were especially efficient in my personal experience.

An innovative and motivational access method of the management kind was the implementation of the Compensation Access Control model. It was vital for the company, as it allowed alternatives and various options for enforcing and supporting existing security policies. One of its core benefits is personnel supervision, control, and monitoring of tasks and routine procedures.

Speaking of the operational method, there is a useful Administrative Access policy, which essentially means overall access control in the organization, controlling all operations from a so-called "top point" (Carminati & Ferrari, 2005). Examples of its use include analysis of policies and procedures, hiring practices, background checks, systematization of information, security training, personnel testing, and overall control. It also allows privileges to be controlled from the head management level and according to the organization's standards. In a certain sense, it is a control of the human factor in relation to access control, which increases individuals' social and professional awareness of the risks and consequences of inappropriate behaviour in the workplace.
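The ACLs named above among the technical controls are worth seeing in working form, because the essay's later points about monitoring and about the confidentiality/integrity split map directly onto them. The following is an added illustration, not code from the essay or from any product it mentions: a small deny-by-default ACL where READ is the confidentiality decision and WRITE the integrity decision, group membership is inherited, and every decision is written to an audit log so that repeated denials can be reviewed (the supervision and monitoring benefit the text attributes to compensating controls). The class and function names, the object names (`payroll.db`, `policy.doc`), and the users and groups are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Permission(Enum):
    """Rights a principal can hold on an object."""
    READ = "read"    # withholding READ protects confidentiality
    WRITE = "write"  # withholding WRITE protects integrity


@dataclass(frozen=True)
class Subject:
    """An authenticated user and the groups they belong to (hypothetical model)."""
    name: str
    groups: frozenset


class AccessControlList:
    """object_id -> principal -> permissions. Anything not granted is denied."""

    def __init__(self):
        self._entries = {}   # {object_id: {principal: {Permission, ...}}}
        self.audit_log = []  # (subject, object_id, permission, decision)

    def grant(self, object_id, principal, *permissions):
        """Add permissions for a user ("alice") or a group ("group:hr")."""
        self._entries.setdefault(object_id, {}) \
                     .setdefault(principal, set()).update(permissions)

    def is_allowed(self, subject, object_id, permission):
        """Deny by default: allow only if the user or one of their groups holds the right."""
        principals = {subject.name} | {f"group:{g}" for g in subject.groups}
        acl = self._entries.get(object_id, {})  # unknown object -> empty ACL -> deny
        allowed = any(permission in acl.get(p, set()) for p in principals)
        # Every decision is logged, so denials can be reviewed by supervisors.
        self.audit_log.append(
            (subject.name, object_id, permission.value, "ALLOW" if allowed else "DENY"))
        return allowed


def denied_attempts(audit_log):
    """Count DENY decisions per subject; a monitoring view over the audit log."""
    counts = {}
    for subject, _obj, _perm, decision in audit_log:
        if decision == "DENY":
            counts[subject] = counts.get(subject, 0) + 1
    return counts


def build_sample_acl():
    """Constructed sample data: two objects and who may read or change them."""
    acl = AccessControlList()
    acl.grant("payroll.db", "group:hr", Permission.READ)
    acl.grant("payroll.db", "alice", Permission.READ, Permission.WRITE)  # payroll admin
    acl.grant("policy.doc", "group:staff", Permission.READ)
    acl.grant("policy.doc", "group:security", Permission.READ, Permission.WRITE)
    return acl


def demo():
    """Run a handful of constructed access requests and return decisions plus the log."""
    acl = build_sample_acl()
    alice = Subject("alice", frozenset({"hr", "staff"}))
    bob = Subject("bob", frozenset({"staff"}))
    results = {
        "alice reads payroll": acl.is_allowed(alice, "payroll.db", Permission.READ),
        "alice writes payroll": acl.is_allowed(alice, "payroll.db", Permission.WRITE),
        "bob reads payroll": acl.is_allowed(bob, "payroll.db", Permission.READ),
        "bob reads policy": acl.is_allowed(bob, "policy.doc", Permission.READ),
        "bob writes policy": acl.is_allowed(bob, "policy.doc", Permission.WRITE),
        "bob reads unknown": acl.is_allowed(bob, "unknown.txt", Permission.READ),
    }
    return results, acl.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for request, allowed in decisions.items():
        print(f"{request}: {'ALLOW' if allowed else 'DENY'}")
    print("denied attempts per subject:", denied_attempts(log))
```

The two design choices that matter are that an object with no ACL entry (or a principal with no entry) yields DENY rather than an error or a default grant, and that the log records denials as well as allows, since a run of denials for one subject is exactly the kind of signal the personnel-monitoring benefit described above relies on.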
The CIA Triad is an essential security principle that refers to confidentiality, integrity, and availability. Confidentiality is the primary principle, as it ensures that objects and data are not disclosed to unauthorized subjects, both within the organization and beyond. Integrity can be defined as the property that allows information to retain its accuracy because it may be modified only by authorized personnel (Stapleton, 2014). The last part of the triad is availability, which has to be handled with due care, as it deals with allowing timely access to sensitive information and the organization's objects, along with providing sufficient bandwidth and resources to perform the required operations and modifications in the system. As integral as it is, the key to successful management, speaking from my experience, is setting the right priorities and classifying the personnel who can access sensitive information in the system. Without a doubt, manual control of access and identification principles can achieve the required security level, yet it would never become sufficient without proper social work …