(15)List some of the logical access controls.



Answer: The following are some of the logical access controls:


(1)User Access Management:


(i)User Registration:
  • The user registration process includes questions such as who has authorized the access, whether the data owner has approved the access, and other relevant aspects.
  • The de-registration process is also equally important.
(ii)User password management:
  • Password management includes allocation, storage, revocation, and reissue of passwords.
  • User awareness about password safety is also a critical function. 
(iii)Review of user access rights:
  • A periodic review of each user’s need to access information is required.
  • In case of a change of responsibilities, access rights should be provided as per the current requirement.

(iv)Privilege management:

  • Access should be given solely on the basis of job requirements.
  • For example, an employee of the operations department should not have access to application development procedures.

(2)User Responsibilities:

(i)Password use:  
  • Strong password policy is required to maintain confidentiality.
(ii)Unattended user equipment: 
  • Users should ensure that all information assets are secured and protected.
  • They should also secure their PCs with a password, and should not leave them accessible to others.
(3)Network Access Control:


(i)Network Policy:

  • A network usage policy applicable to internet services should be available.
  • Selection of appropriate services and approval to access them should be part of this policy.

(ii)Network Segregation:

  • Based on the sensitive information handling function, the internal network (intranet) should be isolated from the external network (internet).

(iii)Network Security:

  • The techniques of authentication and authorization policy should be implemented across the organization’s network.

(iv)Network connection and routing control: 

  • The traffic between networks should be restricted based on identification of source and authentication access policies. 

(v)Enforced path:

  • Based on risk assessment, appropriate network controls should be in place e.g., internet access by employees will be routed through a firewall and proxy.

(vi)Firewall:

  • A firewall is a system that enforces access control between two networks. Firewall rules should be defined to protect sensitive information.

(vii)Encryption:

  • Encryption is the conversion of data into a secret code so that no unauthorized person can read or understand the data.
  • Two general approaches are used for encryption, viz. private key and public key encryption.

(viii)Call Back Devices:

  • The call-back device requires the user to enter a password, and then the system disconnects the connection.
  • If the caller is authorized, the call-back device dials the caller’s number to establish a new connection.
  • This helps to avoid call forwarding and man-in-the-middle attacks.
(4)Operating System Access Control:

(i)Terminal identification:
  • This will ensure that only an approved terminal can initiate a specified session.
(ii)Terminal log-in procedures:
  • A log-in procedure prevents unauthorized access to the system. 
  • When the user initiates the log-on process by entering user-id and password, the system compares the ID and password to a database of valid users and accordingly authorizes the log-in. 
(iii)Terminal time out:
  • Control should be implemented to log out the user if the terminal is inactive for a defined period. 
(iv)Terminal - Connection time:
  • Define the hours during which the system is available. No transactions should be allowed beyond this time. For example, no computer access before or after office hours or on a Saturday or Sunday.
(v)Access Token:
  • On successful logon, the operating system creates an access token containing key information about the user like user-id, password, user group and rights granted to the user.
  • This will help to control actions performed by user.
(vi)Access Control List:
  • The Access Control List contains details about the access rights available to all users.
  • When a user attempts to access a resource, the system compares his or her user-id and privileges contained in the access token with those contained in the access control list. Access is granted only to authorised users.
(vii)Discretionary Access Control: 
  • In distributed systems, resources may be controlled by the end-user.
  • Resource owners grant access privileges to other users. 
  • For example, the controller, who is the owner of the general ledger, grants read-only privilege to the marketing department, while the collection manager is granted both read and write permission to the ledger.
(viii)Password management system: 
  • An operating system could enforce the selection of strong passwords.
  • Password file should be properly controlled and should not be accessible to users.
(ix)User identification and authentication:
  • For user authentication, stringent methods like Biometric Authentication or Cryptographic means like Digital Certificates should be employed.
(x)Use of system utilities: 
  • System utilities are the programs that help to manage critical functions of the operating system e.g. addition or deletion of users. 
  • Use and access to these utilities should be strictly controlled and logged.
(xi)Duress alarm to safeguard users:
  • If users are forced to execute some instruction under threat, the system should provide a means to alert the authorities.
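
The access token, access control list, discretionary access control and terminal connection time items above can be seen working together in the following Python example, which is added here and is not part of the original answer. The user names, the 09:00-18:00 office hours and the rule that the owner holds all rights are assumptions; the token here carries only the user-id and groups.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass(frozen=True)
class AccessToken:
    """Created at logon; carries the user's identity and groups."""
    user_id: str
    groups: frozenset

@dataclass
class Resource:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # principal -> set of rights

    def grant(self, token, principal, rights):
        # Discretionary access control: only the resource owner may edit the ACL.
        if token.user_id != self.owner:
            raise PermissionError(f"{token.user_id} does not own {self.name}")
        self.acl[principal] = set(rights)

def within_connection_time(when, start_hour=9, end_hour=18):
    # Terminal connection time: weekdays only, inside office hours
    # (09:00-18:00 is an assumed window, not a value from the text).
    return when.weekday() < 5 and start_hour <= when.hour < end_hour

def check_access(token, resource, right, when):
    """Compare the access token with the ACL; anything not granted is denied."""
    if not within_connection_time(when):
        return False
    if token.user_id == resource.owner:  # assumption: the owner holds all rights
        return True
    principals = {token.user_id} | set(token.groups)
    return any(right in resource.acl.get(p, ()) for p in principals)

# Constructed sample data following the general-ledger example.
controller = AccessToken("controller", frozenset({"finance"}))
marketer = AccessToken("asha", frozenset({"marketing"}))
collector = AccessToken("collection_manager", frozenset({"finance"}))

ledger = Resource("general_ledger", owner="controller")
ledger.grant(controller, "marketing", {"read"})
ledger.grant(controller, "collection_manager", {"read", "write"})

MONDAY_10AM = datetime(2024, 1, 8, 10, 0)
SATURDAY_10AM = datetime(2024, 1, 13, 10, 0)
```

A call such as check_access(marketer, ledger, "write", MONDAY_10AM) is denied because the marketing entry grants read only, and every request on SATURDAY_10AM is denied regardless of the ACL.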

(5)Application and Monitoring System Access Control:

(i)Information access restriction:
  • Only authorized persons should have access to data or applications.
  • Controls are implemented on the access rights of users. For example - read, write, delete, and execute.
(ii)Sensitive system isolation:
  • Sensitive systems should be placed in an isolated environment.
(iii)Event logging:
  • All system access should be recorded in a transaction log.
  • The log should be reviewed at regular intervals.
(iv)Monitor system use:
  • Constant monitoring of critical systems is essential.
  • Details about transactions to be monitored should be clearly defined. 
(v)Clock synchronization:
  • Clock timing should be synchronized for all the devices in the network. This will help in analyzing the events.
(6)Mobile Computing: 
  • Mobile devices carry a high risk of data theft. It is important to have both physical and logical access controls for these systems.
  • Information is to be encrypted, and access identifications like fingerprint, eye-iris, and smart cards are necessary security features.