Manage Access Control Playbook


Step 3 - Define Access Control Requirements


Define your agency's access control requirements so that you can decide on access control model(s) and supporting enablers that fit your agency’s needs. Successful completion of this step will ensure that your agency has a clear vision of the tools and capabilities necessary to support access management.

Checklist

 Conduct an inventory. Create an inventory of all physical and logical resources (e.g., people, hardware, systems) that need to be accounted for, managed, and protected across the enterprise.

 Analyze resource capabilities. Analyzing each resource's capabilities will help implementers identify which access control model(s) and supporting enablers should be considered as viable options for protecting the resource.

 Analyze your user population. Perform a thorough analysis of your user population for each resource. Information about your known users provides you the flexibility to use any of the access control models, while allowing other factors (e.g., risk, resource capabilities, enablers, and tools and technologies requirements) to determine your access control measure(s).

The requirements you develop from analyzing your agency’s user population and the resource risk assessment can serve as the core factors you consider when selecting and implementing access control measures and supporting enablers across the enterprise.

 Analyze data elements. You should perform an analysis of the data used during policy execution. Specifically, you want to determine:

  • data type and quality,
  • stored location and availability, and
  • retrieval method.

The results from your analysis will create requirements that help you better identify and manage appropriate data elements to grant access to a subject during policy execution.

 Analyze existing tools and technologies. Analyze the tools and technologies you currently have implemented to create requirements that can help determine whether your current assets address the security, access control, and data requirements identified during requirements planning. If they do not address these requirements, then new tools and technologies need to be procured or developed.

 Define privacy requirements. Assess whether existing privacy and data protection requirements/guidelines are sufficient for Logical Access Control System (LACS) automation and data sharing, or whether additional privacy requirements are needed.