Access control is a gatekeeper function that patrols system access, ensuring that these myriad holes, these places where violations can take place, remain safely plugged. It’s rather like the Immigration Department of a company’s system: providing specific visas for specific stays in the country. Immigration carefully monitors who does what, separating the short-term holiday-makers from those who plan to do business in a country. Immigration checks passports, issues visas for those who need them and visa waivers for those who don’t, and occasionally refuses entry to someone who they believe may pose a threat. In this way, they ensure that people enter the country for the right reasons and have the applicable amount of time in which to have their holiday or do their job. By cautiously giving the right people the right kind of access, they ensure that no violations occur. So it is with access control.

Of course, employees aren’t actually tourists or business travelers, and happily the vast majority are trustworthy. But good governance — and auditability — means that we need to carefully segregate duties. By not properly segregating duties, companies create opportunities for fraud as well as human error, each of which leads to revenue loss. This is why companies require a method to tighten up and organize access to financial systems. But before we take a look at where we stand today, let’s take a look back and see how we got here.

Getting a Handle on Access Control

Access control refers to what a person can do in a computer system or application after she has signed on. The sign-on process is referred to as authentication — proving to the system that you are who you say you are. The most common form of authentication is password authentication. For the purposes of this chapter, we assume that authentication is already taken care of. To sign on, you might have had to do a fingerprint scan, a retinal scan, or simply type the password that is on a sticky note on your monitor (we hope not!). Now that you’ve signed on, what can you do? In this chapter, we talk about the access you and others have to applications, especially financial applications, after you have signed in or, in other words, after you have successfully authenticated yourself.
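The two ideas in the paragraphs above, authorization that only begins once authentication has succeeded and segregation of duties that keeps conflicting financial actions out of one person's hands, are shown below as an added example. The code is not from the book or from SAP GRC; the role names, action names and conflict pairs are constructed for illustration and are not SAP authorization objects.

```python
"""Added example (not from the book): a minimal post-authentication
authorization check plus a segregation-of-duties (SoD) conflict check
over role assignments. All role, action and conflict names are constructed."""
from dataclasses import dataclass, field

# Constructed role -> permitted actions map (the "visa" each role grants).
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "auditor": {"invoice.view", "payment.view"},
}

# Constructed SoD rules: pairs of actions a single person must never hold together.
SOD_CONFLICTS = [
    ("vendor.create", "payment.release"),   # could pay a fictitious vendor
    ("invoice.enter", "invoice.approve"),   # could approve an invoice they entered
]


@dataclass
class Session:
    """What the system knows about a user after sign-on (assumed shape)."""
    user: str
    authenticated: bool
    roles: set = field(default_factory=set)


def permitted_actions(roles):
    """Union of all actions granted by the given roles; unknown roles grant nothing."""
    actions = set()
    for role in roles:
        actions |= ROLE_PERMISSIONS.get(role, set())
    return actions


def is_authorized(session, action):
    """Authorization is decided only for a session that has already authenticated."""
    if not session.authenticated:
        return False
    return action in permitted_actions(session.roles)


def sod_violations(roles):
    """Return the conflicting action pairs that one combined role assignment would grant."""
    actions = permitted_actions(roles)
    return [pair for pair in SOD_CONFLICTS if pair[0] in actions and pair[1] in actions]


if __name__ == "__main__":
    clerk = Session("alice", True, {"ap_clerk"})
    print(is_authorized(clerk, "invoice.enter"))      # True: within the clerk's visa
    print(is_authorized(clerk, "payment.release"))    # False: outside it
    # Assigning both AP roles to one person is what an SoD review should flag.
    print(sod_violations({"ap_clerk", "ap_manager"}))
```

The useful check is the last one: run `sod_violations` over each user's complete role set before the assignment is saved, rather than over roles one at a time, because the conflict only exists in the combination.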

These days, we think of access control in terms of access to computer systems. But it wasn’t always this way. Access once meant primarily physical access to buildings and rooms in buildings. You might have seen racks of keys on a wall (or a picture of such a key rack). Typically one person was in charge of all the keys and managed them from one office. If you needed access to a room you didn’t have a key to, you would walk into the room where that key rack was, talk to the person behind the desk, sign out a key,

116 Part II: Diving into GRC