Logical Access-Points to Remember





Points to remember for CISA exam-Logical Access Control

(1)In information technology, logical access controls are tools and protocols used for identification, authentication, authorization, and accountability in computer information systems.

(2)There are two main types of access control: physical and logical. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access limits connections to computer networks, system files and data.

(3)The four main categories of access control are:

Mandatory access control

Discretionary access control

Role-based access control

Rule-based access control




(4)Mandatory Access Control: Mandatory Access Controls (MACs) are logical access control that cannot be controlled or modified by normal users or data owners.

(5)Discretionary Access Control: Discretionary Access Controls (DACs) are logical access control that may be activated or modified by the data owners at their discretion.

(6)In any given scenario, MACs are better choice in terms of data security as compared to DACs.

(7)In any given scenario, following are the steps for implementing logical access controls:

(a) Inventory of IS resources.

(b) Classification of IS resources.

(d)Grouping/labelling of IS resources.

(c) Creation of an access control list.

(8)In any given scenario, first step in data classification is to identify the owner of the data/application.

(9)In any given scenario, an automated password management tool works as best preventive control and ensures compliance with password management policy.

(10)Please note below access control best practices for wireless security. Invariably 2-3 questions will be there on this concept:

(a)Enable MAC address filtering:

Every Machine (PC/Laptop/Mobiles) has a unique identification number. That is known as Media Access Control (MAC) address. So through this control, you allow access to only selected devices. Any other device trying to access you network will be rejected by your router.

(b)Disable SSID (Service set identifier) broadcasting

A Service Set Identifier (SSID) is the wireless network name broadcast by a router and it is visible for all wireless devices. When a wireless device searches the area for wireless networks it will detect the SSID.

(c)Enable WPA-2 (Wi-Fi protected access) protection:

Encryption helps to scrambles the information we send through wireless network into a code so that it’s difficult for other to access. Using encryption is the effective way to secure your network from intruders.

Two main types of encryption are available for this purpose: Wi-Fi Protected Access (WPA) and Wired Equivalent Privacy (WEP). WPA 2 is the strongest encryption standard for wireless connection as on today.

(11)In any given scenario, preference to be given to preventive controls as compared to detective or deterrent controls.

(12)In any given scenario, preference to be given to automated controls as compared to manual controls.

(13)In any given scenario, default deny access control policy (i.e. deny all traffic except selected ones) is more robust and stringent access control policy as compared to default allow access control policy (i.e. allow all traffic except selected ones)

(14)Prime objective of review of logical access control is to ensure access have been assigned as per organisation’s authorization.