Control Physical and Logical Access to Assets
Controlling access to assets is one of the central approaches to security. In this section, an asset includes information, systems, devices, and facilities.
An organization’s systems include any IT systems that provide one or more services, such as a SQL Server, an FTP server, a domain controller, an access point, or a web server.
An organization’s information includes all of its data, whether it is stored in simple files on servers and computers or in huge databases on the server farm.
The mechanisms used to control access to information include:
- File and folder level permissions: These permissions are typically managed at the operating system level or within a file sharing system.
- Database table, field, and row permissions: These permissions are usually managed within a database management system and can be granted at various levels.
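The three database levels named in the last bullet, shown as an added example in PostgreSQL syntax (not part of the original text). The table, column, and role names are constructed for illustration.

```sql
-- Constructed schema and roles (hypothetical names), PostgreSQL syntax.
CREATE TABLE employees (
    id         integer PRIMARY KEY,
    full_name  text NOT NULL,
    department text NOT NULL,
    salary     numeric(10,2) NOT NULL,
    login_name text NOT NULL   -- database login of the employee the row describes
);

-- Group roles; real users are made members of these.
CREATE ROLE hr_staff NOLOGIN;
CREATE ROLE directory_reader NOLOGIN;
CREATE ROLE employee_self NOLOGIN;

-- A new table gives non-owner roles no privileges, so every grant below
-- is an explicit decision.

-- Table level: HR may read and update every column.
GRANT SELECT, UPDATE ON employees TO hr_staff;

-- Field (column) level: the directory role can read names and departments,
-- but a query that touches salary or login_name is rejected.
GRANT SELECT (id, full_name, department) ON employees TO directory_reader;

-- Row level: employees may read the table, but a policy limits which rows.
GRANT SELECT ON employees TO employee_self;
ALTER TABLE employees ENABLE ROW LEVEL SECURITY;

-- Once row level security is enabled, a role with no matching policy sees
-- no rows at all, so each role needs a policy.
CREATE POLICY hr_all_rows ON employees
    FOR ALL TO hr_staff
    USING (true) WITH CHECK (true);

CREATE POLICY directory_all_rows ON employees
    FOR SELECT TO directory_reader
    USING (true);

-- Members of employee_self only get the row that carries their own login.
CREATE POLICY own_row_only ON employees
    FOR SELECT TO employee_self
    USING (login_name = current_user);

-- The table owner bypasses policies unless this is also set.
ALTER TABLE employees FORCE ROW LEVEL SECURITY;
```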
An organization’s facilities include any physical location that it owns or rents. Controlling access to facilities is accomplished by different means, including:
- Escorts: Visitors with lower security clearances may be escorted by other personnel.
- Fences, walls, and gates
- Guards and guard dogs: Security personnel should be careful that only authorized personnel and the correct escorts are able to enter the building.
- Key card access systems: With optional biometric readers and/or PIN pads, these systems control which persons are permitted to access which buildings and rooms.
- Visitor logs: These logs provide a business record of guests and visitors who enter and leave a facility.
Devices include any communicating system, including servers, desktop computers, portable laptop computers, tablets, smartphones, and external devices such as printers. These devices store organizational data, so they become assets of the organization.
Today, usernames and passwords, fingerprints, and other biometric systems are used to control access to most devices.