Access Control
Domain 5 — Protection of Information Assets
Definition
Access control encompasses the policies, procedures, and technical mechanisms that govern who can access what resources, under what conditions, and with what level of privilege. The three primary models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC). IS auditors evaluate access controls through user access reviews, authentication logs, and exception reporting — focusing on whether access aligns with job responsibilities and whether orphaned accounts exist.
Real-World Audit Scenario
During an access control review at a pharmaceutical company, I discovered 47 active user accounts belonging to employees who had left the organisation 3 to 18 months ago. Several had permissions to systems containing clinical trial data subject to FDA 21 CFR Part 11 requirements. The CISO said the HR-to-IT termination notification process had been redesigned and "the issue will not recur." But the accounts were still active. We recommended an immediate deactivation of all orphaned accounts, a quarterly user access certification process, and automated de-provisioning integrated with the HR system.
Common Exam Trap
Absence of observed logon activity on orphaned accounts is not evidence of no unauthorised access — credentials could have been used through other channels. In regulated environments, the existence of orphaned privileged accounts is itself a reportable control failure, independent of activity.
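The user access review described in the definition and the orphaned-account finding in the scenario can be reduced to a reconciliation check: compare an IAM account export against the HR roster and report every active account whose owner is terminated or unknown to HR. This is an added example, not part of the original page; the CSV inputs are constructed samples, and in keeping with the exam trap above, last-logon activity is reported but never used to exclude an account.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from any real system): an IAM account export and an HR roster.
ACCOUNTS_CSV = """username,status,last_logon,privileged
jdoe,active,2024-01-15,no
asmith,active,,yes
bwong,disabled,2023-06-02,yes
clee,active,2024-03-01,no
mkhan,active,2023-11-20,yes
tmp_contractor,active,2023-12-01,no
"""
HR_CSV = """username,employment_status,termination_date
jdoe,active,
asmith,terminated,2023-09-30
bwong,terminated,2023-05-31
clee,active,
mkhan,terminated,2024-02-10
"""

def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def find_orphaned_accounts(accounts_csv, hr_csv, as_of):
    """Return active accounts whose owner HR lists as terminated, or who has no HR record.
    as_of is an ISO date string (the review date). Logon activity never suppresses a finding."""
    review_date = date.fromisoformat(as_of)
    hr = {row["username"]: row for row in load(hr_csv)}
    findings = []
    for acct in load(accounts_csv):
        if acct["status"].lower() != "active":
            continue  # already de-provisioned; nothing to report
        person = hr.get(acct["username"])
        if person is not None and person["employment_status"].lower() != "terminated":
            continue  # current employee; alignment with job role is reviewed separately
        term = person["termination_date"] if person else ""
        days = (review_date - date.fromisoformat(term)).days if term else None
        findings.append({
            "username": acct["username"],
            "days_since_termination": days,  # None when HR has no record of this user
            "privileged": acct["privileged"].lower() == "yes",
            "last_logon": acct["last_logon"] or "never",
        })
    # Privileged orphans first, then the longest-standing ones
    findings.sort(key=lambda f: (not f["privileged"], -(f["days_since_termination"] or 0)))
    return findings

if __name__ == "__main__":
    for finding in find_orphaned_accounts(ACCOUNTS_CSV, HR_CSV, "2024-04-01"):
        print(finding)
```

Accounts with no HR record at all (here `tmp_contractor`) are reported with `days_since_termination` of `None`, since an account nobody owns is a finding in its own right.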