Access Controls

Access controls determine the authorized activities of legitimate users, while mediating users’ access to system resources. Access controls ensure that data are being used by the appropriate people in the correct roles in particular contexts. For instance, IT infrastructures employ access control systems at a number of levels. Operating systems also rely on access controls to protect directories or files. As a result of regulatory compliance, there has been a noticeable push for controls in the IT industry. This article looks at basic concepts around access controls.

Preventative, Detective & Corrective Controls

Controls function as safety valves which prevent accidental disclosure of information. They may take the form of human processes, automated processes, or human work flows that are aided by technology. Controls may be physical, technical or administrative and are grouped into three main categories of controls: preventive, detective and corrective.

Preventive controls are implemented in order to avoid unwanted situations. They prevent errors or irregularities from happening. Examples of preventative controls include:

  • Access Control Software: this controls data and program sharing between users. It controls access to a system by allowing access only to registered users with the appropriate ID and password. After users have logged on, the control software manages access to data and programs in the system.
  • Anti-Virus Software: this software identifies, detects, isolates and removes viruses. This should be kept active on a system to ensure continual detection and interception of new viruses.
  • Policies/Procedures: to identify the ways in which processes must be performed. This must go hand in hand with training, detective controls and audits.
  • System Design: appropriate system design enables controls to be more effective. System engineering with an eye to the control requirements can result in a better system.
  • Standards: using standards as sources of process information can help to prevent problems from occurring. Standards may be drawn from the BSI (British Standards Institute), NIST (US National Institute of Standards), or the ISO (International Standards Organization), among others.
  • Passwords: this is combined with an ID to verify the identity of users. Password-ID log-on also ensures that users are accountable for their actions within the system. There are a number of different types of passwords, including fixed, dynamic and one-time passwords.
  • Smart Cards: these contain chips that can be read by remote terminals. Smart cards specify user’s authorization and privileges in the system. These are often combined with another form of identity authentication (e.g. password, PIN number, biometrics) before the user can be allowed access to the system.
  • Encryption: this protects data from unintended discloser when it is transmitted through the network. The process of encryption changes readable data, or plain text, into unreadable data, or ciphertext. Data can be encrypted through hardware or software.
  • Access Systems: for instance, preventing access to a specific port or service that is vulnerable to exploitation.

However, preventative controls are insufficient, as policies, standards and procedures are often misinterpreted or ignored for a number of reasons. This is why other types of controls are necessary.

Detective controls spot errors or irregularities that may have taken place. Although detective controls cannot stop unauthorized access to data, they can send alerts to monitoring parties when unintended events take place. Some examples of detective controls include:

  • Audit Trails: record system activities in order to reconstruct and examine events, produce violation reports.
  • Intrusion Detection: track users during usage of the system to ensure activities are authorized. Useful in situations where intruders are using authorized accounts, or when legitimate users are engaged in unauthorized activities.

Corrective controls are implemented to correct errors or irregularities that have been detected. Such controls correct the circumstances that allowed unauthorized activity to take place, or they restore the system’s original conditions. Corrective controls may make changes to existing physical, technical or administrative controls. Examples of this type of control include backup configuration files, hard drive images and response plans for specific incidents.

What do they do?

Access controls can help to maintain the CIA triad (confidentiality, integrity, availability) in information system security. The triad represents the core principles of the information security field.

Confidentiality in a system indicates that the privacy of individuals is protected and that information is not disclosed to unauthorized users. A strong access control system can ensure that information is accessed through a case-by-case basis, ensuring that the information is kept confidential and preventing exposure to unauthorized individuals.

Controls can also maintain the integrity of information, meaning that the data are safeguarded from modification without authorization. Strong access controls protect data integrity in the following ways:

  1. Protect data from accidental modification – ensure that data cannot be easily edited or modified
  2. Protect data from deliberate modification – control access to sensitive information, preventing deliberate or malicious changes to data
  3. Maintain external database consistency – compare external data with local data to check for inconsistencies
  4. Maintain internal database consistency – compare local data with external data to check for inconsistencies

Finally, control systems allow authorized users to access the minimum data required to complete their tasks. This ensures that the element of availability is protected. Availability not only ensures that data are available, but also that the necessary procedures required to access that data is reasonable for users.

Types of Controls

Control strategies must be designed to address risks that have been identified as unacceptable. The design of control systems and strategies must take into account threats, vulnerabilities and risks that may potentially be faced by the system or network.

The control system design process also takes into account three layers of controls: policies, models and mechanisms. These three layers are discussed below:

  1. Access control policies refer to how access can be managed; who is authorized to access the information; and under which circumstances the information can be accessed. Policies may be based on resource use, competence, obligation, need-to-know or conflict-of-interest factors.
  2. Models describe the security policy of the system. As such, models can help identify theoretical vulnerabilities and limitations of a system. Models can connect policy and mechanisms.
  3. Control policies are manifested through a mechanism that carries out a user’s request. The mechanism functions within the structure defined by the system. Mechanisms may or may not be direct implementations of control policy.

Controls also function at a number of different levels in a system, from the hardware, to the operating system, to the middleware, to the application. At the hardware level, access controls are provided by the processor, which controls which information a process can access. The middleware level creates resources (e.g. files, communications ports) and has the responsibility for allowing or limiting access to these resources. Applications enforce a number of different protection properties and may be written on top of the middleware. Finally, at the application level, the user may interact with a rich, complex security policy. Preventative, detective and corrective controls appear at each level of the system and build upon each other to mitigate and manage risks.


Access controls may be comprised of processes, tools and people and are necessary for ensuring the confidentiality, integrity and availability of information. The article looks at the three main categories of access controls: preventative, detective and corrective. It defines each category of control, provides examples and discusses the ways in which these controls function to uphold the CIA triad for information security. Finally, the article looks at the ways in which the controls operate and interact at different levels of the system.

Foundations Exam Preparation

In preparation for the Foundations exam, a privacy professional should be comfortable with topics related to this post, including:

  • Access controls: preventative, corrective, detective (II.B.c.ii.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>