Sample Case Study on Information Security Domains; (D1) Access Control

Information Security Domains; (D1) Access Control

Information security has been a concern of most organizations around the world. Many organizations have experienced serious security breaches that mainly target their information. Such an attack on an organization’s information may lead to unauthorized sharing (leaking) of information, to members of the organization being unable to access information because a malicious user has blocked them, and to theft of organizational data. This paper is an analysis of different information security objectives found in many healthcare facilities. The paper also looks at how these objectives may be used to ensure information security in such organizations. The objectives chosen for this paper are access controls, the components and levels of access controls, the types of security controls, and the purpose of information management in a health care organization.

Access Controls, Components, and Levels of Access Controls

Access controls refer to the strategies put in place by an organization to regulate the availability of information to people in and out of the firm. The main aim of any access control process in a health organization is to control the availability, confidentiality, and integrity of data within the firm (Krause & Tipton, n.d.). The use of access control measures means that the company wants the data to be available only to authorized persons and protected from unauthorized viewing. Access control strategies also ensure that data is highly secured yet readily available, and that it can be retrieved only at the points where it is meant to be.

The components of access control are identification, authentication, authorization, and accountability. These components ensure that before any data is retrieved, the firm first identifies the user and then authenticates the user by verifying the claimed identity (Rothke, n.d.). Once these two steps have succeeded, the authorization component of the system checks the levels of information the user(s) may access and the tasks they are allowed to execute.

It then permits the user or users to continue with the process of accessing data. The accountability part of the access control process monitors the activities performed by the authorized user by recording all the operations carried out and files visited by that individual. This means that, if need be, users can be held accountable for anything that goes wrong or right with the information they accessed (Rothke, n.d.). There are various levels of access control in an organization, and they include the administrator, user, and guest levels.
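As an added illustration that is not part of the case study or its sources, the following Python sketch walks a single request through the four components described above (identification, authentication, authorization, accountability) using the administrator, user, and guest levels. All identities, passwords, tasks, and the policy table are constructed sample data.

```python
"""Added example: a minimal access control gate with deny-by-default authorization
and an audit log. Users, passwords and the policy table below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Access levels as an ordered ranking: a higher level covers the tasks of lower ones.
LEVELS = {"guest": 0, "user": 1, "administrator": 2}

# Constructed policy table: the minimum level each task requires.
POLICY = {
    "read_public_notice": "guest",
    "read_patient_record": "user",
    "modify_patient_record": "administrator",
}

def _hash(password: str, salt: bytes) -> bytes:
    """Salted password hash; a plain-text password store would defeat authentication."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class AccessControl:
    users: dict = field(default_factory=dict)     # identity -> (salt, hash, level)
    audit_log: list = field(default_factory=list)  # (identity, task, decision, reason)

    def register(self, identity: str, password: str, level: str) -> None:
        salt = os.urandom(16)
        self.users[identity] = (salt, _hash(password, salt), level)

    def request(self, identity: str, password: str, task: str) -> bool:
        # 1. Identification: the claimed identity must exist in the user store.
        record = self.users.get(identity)
        if record is None:
            return self._log(identity, task, "DENY", "unknown identity")
        salt, stored, level = record
        # 2. Authentication: verify the claim with a constant-time comparison.
        if not hmac.compare_digest(_hash(password, salt), stored):
            return self._log(identity, task, "DENY", "authentication failed")
        # 3. Authorization: deny by default; the task must be known and the level sufficient.
        required = POLICY.get(task)
        if required is None:
            return self._log(identity, task, "DENY", "task not in policy")
        if LEVELS[level] < LEVELS[required]:
            return self._log(identity, task, "DENY", f"level {level} below required {required}")
        return self._log(identity, task, "ALLOW", f"level {level}")

    def _log(self, identity: str, task: str, decision: str, reason: str) -> bool:
        # 4. Accountability: every decision, allowed or denied, is recorded against the identity.
        self.audit_log.append((identity, task, decision, reason))
        return decision == "ALLOW"
```

Denied requests are logged as well as allowed ones, so the audit trail can be used to spot repeated failed authentication or probing of tasks outside a user's level.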

Types of Security Controls

Security controls can be classified as physical, administrative, or technical. These three types of information security controls are further divided into preventive, detective, deterrent, corrective, and recovery controls (Krause & Tipton, 2006). Preventive controls aim to prevent the occurrence of unwanted activities, such as hacking from within or outside the firm. Detective controls work by identifying unauthorized events after they have occurred, for example, identifying the source of a security breach on existing data. Deterrent controls are intended to discourage people from deliberately violating information security rules and processes. Corrective controls function either by correcting the circumstances that permitted the unauthorized activity or by restoring conditions to how they were before the unauthorized activity occurred (Krause & Tipton, 2006).

Purpose of Information Management

Information security management refers to the individuals as well as the strategies responsible for ensuring that any data found within an organization is secure. The management of information security in a firm involves shareholders, the board of directors, managers at different levels, and employees. The main function of managing information is to ensure that a company's data is available only to authorized users within the firm (Krause & Tipton, 2006). It is important to note that any organization is made up of different departments, which are run by people with various levels of understanding. This also means that data from one department should not be accessible to employees from a different department. Hence, information management ensures that data is available only to those who are authorized to use it. The other purpose of information management is to ensure the integrity of the data kept in the firm. Making sure that the data held is credible also makes the same data reliable. Thorough information management also matters because it makes operations within the firm easier (Krause & Tipton, 2006).

Conclusion

Information security is an important factor to consider in any firm. Research has shown that many firms can provide credible information, but that does not mean that their data is secure. All companies must use access control steps, such as identification, authentication, authorization, and accountability, to secure their information. They also need to employ security control strategies, such as corrective, deterrent, preventive, detective, and recovery controls, to ensure that the data held in their departments is safe and secure yet readily available.

References

Krause, M., & Tipton, H. F. (2006). Information security management handbook, fifth edition, volume 3. New York, NY: CRC Press.

Krause, M., & Tipton, H. F. (n.d.). Domain-1: Access Control. Handbook of Information Security Management. CISSP Open Study Guide Web Site. Retrieved December 6, 2014, from

Rothke, B. (n.d.). Access Control Systems and Methodologies. New York Metro eSecurity Solutions Group. Retrieved December 6, 2014, from