The Access Control Concepts can be categorized in many ways. One such way is to describe them in these three forms: Preventive, Detective and Corrective. Preventive Controls are meant to restrain or hinder harmful occurrences, Detective Controls are designed to discover harmful occurrences and the Corrective Controls are put in place to restore systems that have become victims of harmful attacks.
Two other important control concepts are Separation of Duties and Principle of Least Privilege.
Separation of Duties requires that a process is performed by two or more parties for successful accomplishment. This is common in IT organizations that do not want a single person to whole the complete position to make changes on a system. This is to avoid the chances of one person introducing errors in any manner without being detected.
Principle of Least Privilege is the control concept that defines that the party performing a process should be provided with the minimum resources and privileges. And, to complete the process, the time provided should also be minimum. For example, on a server environment, a user can have different privileges; ie. Administrator, Backup Operators, Remote Users, Power Users, Users, Guests, etc. If a user needs access to perform some backup operations, it is not required that the user is provided with the privilege to create new accounts or make changes to the system. Therefore, the limited privilege as Backup Operators is sufficient to this user. Allowing the user to have more than that may introduce the possibility of the user performing other processes and creating errors.
Control measures in implementations can also be categorized as Administrative Controls, Logical/Technical Controls and Physical Controls.
Examples of Administrative Controls are policies and procedures, security awareness trainings, employee background checks, work habit checks, review of vacation history and increased supervisions.
In Logical or Technical Controls, the restriction of access to systems and the protection of information are implemented by using encryption, smart cards, access control lists and transmission protocols.
Physical Controls are provided by using guards, locking of doors, securing the server rooms and other computing devices, implementing Separation of Duties and performing file backups.
