Cybersecurity Families and Controls
Part 1 – Access Control
AND
Part 2 – Maintenance
1

Access Control

According to Microsoft, Access Control is defined as:
“…an essential element of security that determines who is allowed to access certain data,
apps, and resources—and in what circumstances. Access control policies protect digital
spaces. Access control lets the right people in and keeps the wrong people out. Access
control policies rely heavily on techniques like authentication and authorization, which allow
organizations to explicitly verify both that users are who they say they are and that these
users are granted the appropriate level of access based on context such as device, location,
role, and much more.
Access control keeps confidential information—such as customer data and intellectual
property—from being stolen by bad actors or other unauthorized users. It also reduces the
risk of data exfiltration by employees and keeps web-based threats at bay. Rather than
manage permissions manually, most security-driven organizations lean on identity and
access management solutions to implement access control policies.
What is Meant by the Term Access Control?

Access Control is one of the most critical control families because it ensures all of your IT
systems have adequate protection surrounding access to that information system.
Unauthorized system access always precedes cyber incidents so making a solid security
posture regarding access controls a must.
The Access Control family itself is geared toward ensuring a system’s technical security
implementations meet a minimum best practice standard for operation and certifies your
network has access and account management practices in place to manage access
provisioning and user account controls appropriately.
Sufficiently meeting each of the controls listed in the Access Control family shows any
auditor or inspector that your network identifies and authorizes legitimate users of the
system while protecting against unauthorized access and system compromise.
Access control is important because it minimizes company risk, but it can also be a big part
of regulatory compliance. Meeting your company’s compliance needs is a significant factor
in choosing an access control system.
Why is Access Control Important?

Here is a full listing of controls inside of the “Access Control” control family:
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
AC-2 ACCOUNT MANAGEMENT
AC-3 ACCESS ENFORCEMENT
AC-4 INFORMATION FLOW ENFORCEMENT
AC-5 SEPARATION OF DUTIES
AC-6 LEAST PRIVILEGE
AC-7 UNSUCCESSFUL LOGON ATTEMPTS
AC-8 SYSTEM USE NOTIFICATION
What Controls are Part of the Access Control Family?
1 of 3

Here is a full listing of controls inside of the “Access Control” control family:
AC-9 PREVIOUS LOGON (ACCESS) NOTIFICATION
AC-10 CONCURRENT SESSION CONTROL
AC-11 SESSION LOCK
AC-12 SESSION TERMINATION
AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION
AC-16 SECURITY ATTRIBUTES
AC-17 REMOTE ACCESS
AC-18 WIRELESS ACCESS
What Controls are Part of the Access Control Family?
2 of 3

Here is a full listing of controls inside of the “Access Control” control family:
AC-19 ACCESS CONTROL FOR MOBILE DEVICES
AC-20 USE OF EXTERNAL INFORMATION SYSTEMS
AC-21 INFORMATION SHARING
AC-22 PUBLICLY ACCESSIBLE CONTENT
AC-23 DATA MINING PROTECTION
AC-24 ACCESS CONTROL DECISIONS
AC-25 REFERENCE MONITOR
NOTE: In NIST SP 800-53 Rev. 5, AC13-SUPERVISION AND REVIEW, and AC15-AUTOMATED MARKING were incorporated
into other controls.
What Controls are Part of the Access Control Family?
3 of 3

Role-Based Access Control (RBAC)
Role-based access control attributes permissions to a user based on their
roles/duties/business responsibilities. As the most common access control system,
RBAC determines access based on your role in the company—ensuring lower-level
employees aren’t gaining access to high-level information unnecessarily.
Mandatory Access Control (MAC)
Mandatory access control is the most secure type of access control. Only owners
and custodians have access to the systems. All the access control settings are
preset by the system administrator and can’t be changed or removed without his or
her permission.
What are the Most Common
Types of Access Control Systems?

Discretionary Access Control (DAC)
With a discretionary access control, the data owner of the company can decide how
many people have access to a specific location. Each access control point has a list
of authorized users. Every time a keycard is swiped, a PIN is punched, or a
fingerprint is scanned, the system checks the credential against the list and either
allows or denies access based on the previously set allowances.
Rule-Based Access Control (RBAC)
Not to be confused with the other “RBAC,” rule-based access control is commonly
used as an add-on to the other types of access control. In addition to whatever type
of access control you choose, rule-based access control can change the
permissions based on a specific set of rules created by the administrator.
What are the Most Common
Types of Access Control Systems?

Choosing the type of access control system that is most suitable for your
organization, there are a number of factors involved. Some of those factors include
the nature of your business, security procedures within the organization, and the
number of users on the system.
Places of business with small or basic applications will probably find Discretionary
Access Control to be less complicated and better utilized. If, however, you have
highly confidential or sensitive information on your business platform, a Managed
Access or Role-Based Access Control system are two options you may want to
consider.
How to Choose the Correct Access
Control System for Your Business?

Develop an Access Control Policy - It’s prudent to begin by developing access
control policies to manage everyone using business facilities and systems. Start by
collecting data on human behavior at work and the facilities they frequently access.
It will form a baseline to launch the access control program.
Establish Layered Defenses - The underlying technology in access control devices
can easily be cracked and expose your organization. It is a best business practice to
add more security layers to handle breach attempts in access control systems.
Integrate Access Control Into Internal Management Systems - Businesses that use
different technologies to support their operations are prone to internal and external
breaches. To mitigate these threats, another best practice to implement is to
integrate access control to consolidate systems functions and monitor real-time
activities within your network.
Tip and Best Practices to Support
Your Access Control Implementation
1 of 3

Centralize Access Control Management - Centralization of access control allows you
to design a security layout for your Enterprise. It’s one way to pinpoint potential
risks and create countermeasures to mitigate your exposure. Also, it works as a data
collection point for your business, which can be helpful for decision-making
purposes.
Training And Development - Technology is forever evolving and users must keep up
with the frequent changes. So as a best practice you should periodically conduct
training and development for your staff to enhance security in your business
processes.
Frequently Audit And Upgrade Access Control Software - It’s crucial to audit your
access control management and continuously improve the infrastructure. You might
spot gaps in your systems that make you vulnerable to attacks. You should retire
obsolete access control technology and replace it with a new and improved one.
Tip and Best Practices to Support
Your Access Control Implementation
2 of 3

Protect Passwords - Your organization should have management tiers with designated
authority to access business information. Authorized personnel should use or have
unique credentials and passwords to access your systems and must protect them at all
costs.
Block and/or Delete Invalid and Dormant Accounts - Labor turnover and changes in roles
happen all the time in business. Retaining such user accounts is risky and may lead to
security breaches in your network. Blocking or deleting unused accounts within your IT
backup systems is crucial.
In summary, Access Control (AC) is one way to insulate your business from potential
breaches or electronic attacks. It is a multi-functional tool to manage people and monitor
activities within your organization. Installing AC systems requires an analytical review of
your business operations and the exposure risks you face in the digital age. AC systems
help you develop measures such as user policies incorporating best practices to access
control.
Tip and Best Practices to Support
Your Access Control Implementation
3 of 3

Information Technology Maintenance

Like all electronic devices (from a car to a dishwasher), in order to function properly,
computers need maintenance. And based on its importance and complexity, computer
equipment maintenance requires special attention.
When approaching the different types of IT maintenance, two aspects must be considered:
1) The term “maintenance” includes both hardware and software of the computer. Both are
very important and will decisively influence the operation of the system.
2) Various types of maintenance can work simultaneously. In the case of corrective
maintenance, it will act if the predictive maintenance or preventive maintenance are not
able to anticipate the problem.
What is Meant by the Term IT Maintenance?

Early Detection of Issues - Maintenance checks and regular upkeep helps detect issues early
and pinpoint the potential threats to the IT network, computers, and servers. When it comes
to computer systems, even the smallest system issues could leave the door open for
breaches and bigger potential faults. Regular maintenance can point out these small IT
system problems and eradicate them before they get out of control.
Viruses and Malware Prevention - There are numerous types of malware out there just
waiting to infect systems and cause security and confidentiality issues, data leakage and
system crashes. Preventing cyberattacks is tricky because each attack and malware is
different. Therefore, it is extremely important to protect the corporate network instead of
waiting around to deal with consequences.
Faster Loading Times - System maintenance is a great way to speed up all your IT systems
and computers and improve processing times. IT maintenance services can identify issues to
help optimize system performance so your devices load faster. This includes fragmenting
computer files, removing malicious code, updating outdated software, patching security
gaps, etc.
Why is Maintenance Important?
1 of 2

Maximize Software Efficiency - Includes installment of software updates to their latest
version and installment of new patches, whenever such are available. Cyber criminals are
always targeting system and software weaknesses. A good IT maintenance program provides
updates for each software package during regular maintenance. This practice helps your
software programs run at their best.
Prevent Data Loss - No matter if you work with lots of files, personal info, or/and sensitive
information, no organization is safe from data loss. Data loss is typically caused by a system
reboot, malware, viruses, or hacker attacks. Regular computer maintenance lowers the risks
by ensuring all network systems are checked and all firewalls, antivirus software, and
computer applications are working as expected.
Documenting IT Concerns - Keeping track of past, potential and ongoing issues is very
important. Effective IT maintenance programs mandate the documentation of even minor
system malfunctions, server outages, and potential threats to the computer system.
Documenting preventive maintenance and analyzing network architecture is a game-changer.
Having every technical aspect of your business monitored is a superb way to keep work
computers and technology at their optimal condition.
Why is Maintenance Important?
2 of 2

Hardware Maintenance

Preventive Maintenance - Is a very frequent type of maintenance carried out in order to
prevent possible failures and improve the functioning of a system. Preventive Maintenance
can also extend the useful life of the different components of your IT system, and decreases
the number and length of system downtimes. It can reduce the number of repairs and detect
weak points in the system that might affect its operation.
Predictive Maintenance - Is a type of maintenance that is carried out using diagnostic tools,
in order to anticipate possible failures and to try to avoid them before they occur. One of the
most effective ways in which predictive maintenance is carried out is through the monitoring
of computer systems using tools such as monitoring software. This practice helps to control
all different types of variables, such as the temperature of the CPU or battery levels.
What are the Different Types of Maintenance?
1 of 2

Corrective Maintenance - Is a practice that must be applied when the predictive and
preventive maintenance have not worked properly or when these have not been able to avoid
the failure. When a computer or system fails (for example due to a hardware failure) you want
it to be operational again and as quickly and efficiently as possible, the process to do this
will include repairing or replacing the device. One of the considerations to be made regarding
corrective maintenance is to not only solve the failure, but also determine what was the
cause of it in order to find the possible repercussions that may have affected other parts of
the system. You also want to try to prevent it from happening again in the future.
Evolutionary Maintenance – Is a type of maintenance not meant to correct or prevent
possible failures, but to research and evolve your computing resources to the latest
technologies that are available. Technology is always evolving, and that means that the tools
available and the needs of users also change constantly. Evolutionary maintenance helps
ensure computer systems do not become obsolete or updated in order to offer users the best
technology options within your organization.
What are the Different Types of Maintenance?
2 of 2

Software Maintenance

Software Maintenance - is the process of changing, modifying, and updating
software to keep up with customer needs. Software maintenance is done after
the product has launched for several reasons including improving the
software overall, correcting issues or bugs, to boost performance, and more.
It is a natural part of SDLC (software development life cycle). Software
developers don’t have the luxury of launching a product and letting it run,
they constantly need to be on the lookout to both correct and improve their
software to remain competitive and relevant. Using the right software
maintenance techniques and strategies is a critical part of keeping any
software running for a long period of time and keeping customers and users
happy.
What is Software Maintenance?

Software maintenance is needed for several reasons:
1) Correction of ‘Bugs’ - The most important reason to conduct software
maintenance is to correct errors or 'bugs'. It is very important that the
software works without problems. This process contains the search for errors
in the code and their correction.
2) Improving Opportunities for a Changing Environment - This is important
for improving the current functions and for making the system compatible for
changing the environment. It extends the capabilities of programs, work
patterns, hardware upgrades, compilers, and all other aspects that affect the
workflow of the system.
Why is Software Maintenance Important?
1 of 2

3) Remove Obsolete Functions - Functionalities that are no longer used in the
software actually reduce the efficiency of the system. Therefore, the removal
of obsolete functions is necessary. Unused user interface and coding
elements are removed and replaced with new functions using the latest tools
and technologies. This change makes the system adaptive to changing
circumstances.
4) Performance Improvement - Improving system performance in order to
meet new requirements. Data and encoding constraints as well as
reengineering are part of software maintenance. This minimizes the chances
of the software being vulnerable.
Why is Software Maintenance Important?
2 of 2

Corrective Maintenance - Is the typical, classic form of maintenance (for software and
anything else for that matter). Corrective software maintenance is necessary when something
goes wrong in a piece of software including faults and errors. If a company can recognize
and take care of faults before users discover them, this is an added advantage that will make
your company seem more reputable and reliable.
Preventive Maintenance - Is looking into the future so that your software can keep working as
desired for as long as possible. This includes making necessary changes, upgrades,
adaptations and more. Preventative software maintenance may address small issues which
at the given time may lack significance but may turn into larger problems in the future. These
are called latent faults which need to be detected and corrected to make sure that they won’t
turn into effective faults.
What are the Different Types
of Software Maintenance?
1 of 2

Perfective Maintenance - Once the software is released to the public, new issues and ideas
come to the surface. Users may see the need for new features or requirements that they
would like to see in the software to make it the best tool available for their needs. Perfective
software maintenance aims to adjust software by adding new features as necessary and
removing features that are irrelevant or not effective in the given software. This process
keeps software relevant as the market, and user needs, change.
Adaptive Maintenance – Involves the changing technologies as well as policies and rules
regarding your software. These include operating system changes, cloud storage, hardware,
etc. When these changes are performed, your software must adapt in order to properly meet
new requirements and continue to run well.
What are the Different Types
of Software Maintenance?
2 of 2

Questions and Answers