• System access granted based on business need.
• Deny all, add back as needed.
• Revoke access promptly when no longer required.
• Layered network security, “defense in depth”: Multiple checkpoints before internal network access is granted.
• Have capability to audit access.
• Establish user accountability.

• Mandatory Access Control (MAC)
• Discretionary Access Control (DAC)
• Role Based Access Control (RBAC)

• Mandatory Access Control

A method that clearly defines an inflexible manner of how information is accessed. In a MAC environment, all access capabilities are predefined. Users do not have the ability to share information that was not established by administrators.

• Discretionary Access Control

Network users have some flexibility regarding how information is accessed. This model allows users to dynamically share information with other users. Risk of unauthorized disclosure is higher than with the MAC model

• Role Based Access Control

Approach the problem of access control based on established roles in an organization. RBAC models implement access by job function or by responsibility. Each employee will have one or more roles that allow access to specific information.