Again, access control can be broken down into three broad categories of controls: administrative, physical, and technical. Below I elaborate on a couple of methods from each category that I find interesting.
Administrative
Supervisory structure - Each employee within an organization must report to someone above them, and that superior is responsible for their employees' actions. The idea is that someone always has a vested interest in what each employee does.
Testing - All controls must be tested periodically to confirm they work as intended. Because change is constant in technology, regular testing is a must. Management is responsible for making sure it is done properly.
Physical
Network segregation - Only allowing certain individuals physical access to certain parts of the system. For example, only network admins should have access to networking hardware, while everyone else should only have physical access to their own workstations.
Cabling - All cables should be routed out of the way so they are not exposed to potential damage. Also, protective sheathing should be used to deter electrical interference.
Technical
Network Architecture - Should be segregated both physically and logically: physically by walls and the placement of hardware, and logically by controlling which communication is allowed between segments.
Auditing - Tracks network activity on devices and is used to alert the administrator to any suspicious activity within the network.
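As an added example (not from the original post), the script below ties the two technical controls together: it defines logical segments, then audits constructed flow records and flags any host outside an assumed admin allowlist that reaches the network-hardware segment. The segment ranges, admin hosts and log format are all assumptions made for the demonstration.

```python
import ipaddress

# Logical segments assumed for this example (constructed, not from the post).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "net-mgmt": ipaddress.ip_network("10.250.0.0/24"),  # switches, routers, firewalls
}
# Hosts the segmentation policy permits to reach networking hardware (constructed).
ADMIN_HOSTS = {ipaddress.ip_address("10.10.1.5"), ipaddress.ip_address("10.10.1.6")}

def segment_of(ip):
    """Return the segment name an address belongs to, or 'other'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "other"

def parse_flow(line):
    """Parse one 'timestamp src dst dport action' record; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}

def audit(lines):
    """Flag flows into the management segment from non-admin hosts.
    An ALLOWed flow means the logical control was bypassed or misconfigured
    (high); a DENYed one is still an attempted violation worth review (medium)."""
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or segment_of(rec["dst"]) != "net-mgmt":
            continue
        if ipaddress.ip_address(rec["src"]) in ADMIN_HOSTS:
            continue
        severity = "high" if rec["action"] == "ALLOW" else "medium"
        findings.append((severity, rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return findings

# Constructed sample flow records for the demonstration.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.10.1.5 10.250.0.2 22 ALLOW
2024-05-01T09:02:17 10.10.7.33 10.250.0.2 22 DENY
2024-05-01T09:05:40 10.10.7.33 10.250.0.9 443 ALLOW
2024-05-01T09:06:00 10.10.7.33 10.10.2.1 445 ALLOW
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Only the two flows from the non-admin workstation toward the management segment are reported; the admin's SSH session and ordinary workstation-to-workstation traffic are not.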