Definition: Access control refers to how individuals are restricted from entering computers and networks. Controlling access requires that a detailed specification has been made, based on information security policies, as to who has the right to gain physical and logical proximity to information resources and to read or modify information assets. Further, the phrase "access control" relates to the steps that have been taken to implement security policies on a "need to know" basis. One example would be a policy that requires the locking of the room in which key network resources are located. Establishing and applying deliberate and highly detailed (granular) security policies within the network’s operating system is another. Following through on the security best practice of “least privileges” limits who can legitimately use components of the information infrastructure.
Its Relevance: The larger the number of people who can retrieve and work with information assets, the greater the security risk. Individuals who have neither a “need-to-know” nor a need to work with specific information resources should be denied the ability to obtain them. Comprehensive access controls on an information infrastructure are considered to be a security best practice.
Trend: Controlling who can use information assets is becoming more technical and granular. Biometrics are increasingly being used to authenticate users, and privileges are being granted less freely. Businesses are now requiring the use of more complex passwords and phrases. The emergence of mobile computing and portable BYOD (Bring Your Own Device) is pushing out the limits of the security perimeter. More attention is being given to who can see and use information resources.