Access Control
IZAZI MUBAROK, SST., MSc., MCFE, CHFI, CEH, ACE, OFCE, CISA, CDSS, CCO, CCPA
[email protected]
Telkom University | Teknik Komputer | SMKI © Izazi Mubarok 1
Outline
• Business requirements of access control
• User access management
• User responsibilities
• System and application access control
Business requirements of access control
Objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered

Access control policy
Control
• An access control policy should be established, documented and reviewed based on business and information security requirements.

Access to networks and network services
Control
• Users should only be provided with access to the network and network services that they have been specifically authorized to use.
User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

User registration and de-registration
Control
• A formal user registration and de-registration process should be implemented to enable assignment of access rights.

User access provisioning
Control
• A formal user access provisioning process should be implemented to assign or revoke access rights for all user types to all systems and services.

Management of privileged access rights
Control
• The allocation and use of privileged access rights should be restricted and controlled.
User access management
Objective: To ensure authorized user access and to prevent unauthorized access to systems and services.

Management of secret authentication information of users
Control
• The allocation of secret authentication information should be controlled through a formal management process.

Review of user access rights
Control
• Asset owners should review users’ access rights at regular intervals.

Removal or adjustment of access rights
Control
• The access rights of all employees and external party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement, or adjusted upon change.
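The review and removal controls on the two "User access management" slides are easiest to see as a reconciliation: the HR roster is the source of truth for who still works here and in what role, and every account on a system must be explained by it. The script below is an added illustration written for these notes, not code from the lecture or from any standard; the role baseline, the privileged entitlements and all user data are constructed, and the functions and thresholds (e.g. `review_access`, `dormant_days`) are hypothetical names chosen here. It flags leavers whose accounts still exist (remove), users whose rights exceed their current role (adjust), accounts with no HR record (orphans), dormant accounts and holders of privileged rights, which are the items an asset owner would walk through at a periodic review.

```python
"""Periodic access-rights review (hypothetical example, constructed data).

Reconciles an HR roster against the accounts and entitlements found on a
system and returns the actions an asset owner would act on during a review.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Baseline entitlements per role (constructed; an organisation would derive
# these from its own access control policy).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "analyst": {"read_reports"},
    "engineer": {"read_reports", "deploy"},
    "dba": {"read_reports", "db_admin"},
}
# Entitlements treated as privileged and therefore listed separately.
PRIVILEGED: Set[str] = {"db_admin", "deploy", "sudo"}


@dataclass
class HrRecord:
    user_id: str
    role: str
    active: bool
    end_date: Optional[date] = None


@dataclass
class Account:
    user_id: str
    entitlements: Set[str] = field(default_factory=set)
    last_login: Optional[date] = None


def review_access(hr: List[HrRecord], accounts: List[Account], today: date,
                  dormant_days: int = 90) -> Dict[str, list]:
    """Return review findings keyed by the action they call for."""
    hr_by_id = {r.user_id: r for r in hr}
    findings: Dict[str, list] = {
        "remove": [], "adjust": [], "orphan": [], "dormant": [], "privileged": []
    }
    for acct in accounts:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            # No HR record explains this account: nobody owns it.
            findings["orphan"].append(acct.user_id)
            continue
        if not rec.active or (rec.end_date is not None and rec.end_date <= today):
            # Employment or contract ended: rights must be removed.
            findings["remove"].append(acct.user_id)
            continue
        # Rights beyond the baseline for the user's current role: adjust.
        excess = acct.entitlements - ROLE_BASELINE.get(rec.role, set())
        if excess:
            findings["adjust"].append((acct.user_id, sorted(excess)))
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings["dormant"].append(acct.user_id)
        if acct.entitlements & PRIVILEGED:
            findings["privileged"].append(acct.user_id)
    return findings


# Constructed sample data for a review dated 2024-05-06.
HR = [
    HrRecord("alice", "engineer", True),
    HrRecord("bob", "analyst", True),                    # moved from dba to analyst
    HrRecord("carol", "dba", False, date(2024, 3, 31)),  # contract ended
]
ACCOUNTS = [
    Account("alice", {"read_reports", "deploy"}, date(2024, 5, 2)),
    Account("bob", {"read_reports", "db_admin"}, date(2024, 1, 10)),
    Account("carol", {"read_reports", "db_admin"}, date(2024, 3, 20)),
    Account("svc_legacy", {"sudo"}, None),               # no HR record at all
]

if __name__ == "__main__":
    for action, items in review_access(HR, ACCOUNTS, date(2024, 5, 6)).items():
        print(f"{action}: {items}")
```

The same loop is what a de-registration process should produce automatically on termination; running it on a schedule as well catches the cases the event-driven path missed, which is why the standard asks for both.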
User responsibilities
Objective: To make users accountable for safeguarding their
authentication information.
Use of secret authentication information
Control
• Users should be required to follow the organization’s practices in the use of secret authentication information.
System and application access control
Objective: To prevent unauthorized access to systems and applications.

Information access restriction
Control
• Access to information and application system functions should be restricted in accordance with the access control policy.

Secure log-on procedures
Control
• Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure.

Password management system
Control
• Password management systems should be interactive and should ensure quality passwords.
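"Interactive" and "ensure quality passwords" in the password management control mean the system evaluates a candidate password at the moment the user sets it and tells them which rule it failed, while never keeping old passwords in a recoverable form for the reuse check. The following is an added example written for these notes, not code from the lecture or from any product; the rule thresholds, the small common-password list and the function names (`check_password`, `hash_password`) are constructed assumptions. Password history is held as salted PBKDF2 hashes and the reuse test verifies the candidate against each of them.

```python
"""Password quality rules for an interactive password management system
(hypothetical example, constructed thresholds and word list)."""
import hashlib
import hmac
import os
import string
from typing import List, Optional, Sequence, Tuple

# Constructed list; a real deployment would load a breached/common-password set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12
MIN_CLASSES = 3
HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest) so only a salted hash is kept in history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes,
            iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def check_password(candidate: str, username: str,
                   history: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return every rule the candidate fails; an empty list means accepted."""
    failures: List[str] = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    present = sum(any(ch in cls for ch in candidate) for cls in classes)
    if present < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} character classes")
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("appears in common-password list")
    if username and username.lower() in candidate.lower():
        failures.append("contains the user name")
    # Only the most recent HISTORY_DEPTH hashes are consulted.
    if any(matches(candidate, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        failures.append("reused from password history")
    return failures


if __name__ == "__main__":
    # Constructed walk-through: a weak candidate, then a reuse attempt.
    print(check_password("password", "bob"))
    history = [hash_password("Correct-Horse-42")]
    print(check_password("Correct-Horse-42", "bob", history))
    print(check_password("Another-Long-Phrase-7", "bob", history))
```

Reporting every failed rule at once, rather than the first one, is what makes the system interactive in practice: the user can fix the password in one attempt instead of discovering the rules one rejection at a time.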
System and application access control
Objective: To prevent unauthorized access to systems and applications.

Use of privileged utility programs
Control
• The use of utility programs that might be capable of overriding system and application controls should be restricted and tightly controlled.

Access control to program source code
Control
• Access to program source code should be restricted.
Implementation guidance?
Thank you