What is Access Control?
Definition
Access control encompasses the policies, procedures, and technical mechanisms that regulate who can view or use resources within a computing environment. It ensures that only authorized individuals can access specific systems, data, or physical locations based on their role and need.
In Depth
Access control is arguably the most critical security domain across all compliance frameworks because it directly governs the boundary between authorized and unauthorized activity. Modern access control implementations typically combine multiple strategies: identity verification through authentication, permission assignment through authorization, and ongoing validation through periodic access reviews. Technical implementations range from Access Control Lists (ACLs) on file systems to attribute-based access control (ABAC) in cloud environments. Compliance auditors scrutinize access control by examining user provisioning workflows, reviewing access rights for appropriateness, testing segregation of duties, and verifying that terminated employees are promptly deprovisioned. Organizations that automate access control through identity providers and SCIM provisioning find compliance significantly easier to maintain year over year.
Related Terms
Role-Based Access Control
Role-Based Access Control (RBAC) is an access management model where permissions are assigned to roles rather than individual users, and users are assigned to roles based on their job functions. This simplifies administration and ensures consistent access provisioning.
Least Privilege
The principle of least privilege dictates that users, systems, and processes should be granted only the minimum level of access necessary to perform their legitimate functions. Access rights should be regularly reviewed and promptly revoked when no longer needed.
Multi-Factor Authentication
Multi-factor authentication (MFA) is a security mechanism that requires users to provide two or more independent verification factors to access a system. Factors include something you know (password), something you have (security token), and something you are (biometric).
Data Classification
Data classification is the process of categorizing data based on its sensitivity level and the impact of unauthorized disclosure. Common tiers include Public, Internal, Confidential, and Restricted, each with corresponding handling and protection requirements.
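An access review of the kind the In Depth section and the Role-Based Access Control and Least Privilege entries describe, as an added example that is not part of this page: it expands a hypothetical RBAC role catalogue into effective permissions, then flags terminated users still holding roles, segregation-of-duties conflicts, and dormant access. The roles, permissions, the 90-day dormancy threshold and the user roster are constructed sample data.

```python
from dataclasses import dataclass

# Hypothetical RBAC role catalogue (constructed sample data): users get
# permissions only through roles, never directly.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "hr_admin": {"employee.read", "employee.update"},
    "reader": {"report.read"},
}
# Segregation-of-duties rules: no single identity may hold both permissions.
SOD_CONFLICTS = [("vendor.create", "payment.release"),
                 ("invoice.enter", "invoice.approve")]
DORMANT_DAYS = 90  # unused this long -> candidate for revocation (least privilege)

@dataclass
class User:
    username: str
    roles: set
    active: bool               # False once HR records the termination
    days_since_last_use: int

def effective_permissions(user):
    """Expand a user's roles into the permissions they actually grant."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))

def review_access(users):
    """Return (username, finding, detail) tuples a reviewer would act on."""
    findings = []
    for u in users:
        if not u.active and u.roles:
            findings.append((u.username, "terminated_still_provisioned", sorted(u.roles)))
            continue  # nothing else matters until the account is deprovisioned
        perms = effective_permissions(u)
        for a, b in SOD_CONFLICTS:
            if a in perms and b in perms:
                findings.append((u.username, "sod_conflict", f"{a}+{b}"))
        if u.roles and u.days_since_last_use > DORMANT_DAYS:
            findings.append((u.username, "dormant_access", u.days_since_last_use))
    return findings

SAMPLE_USERS = [  # constructed roster, not real data
    User("alice", {"ap_clerk"}, True, 3),
    User("bob", {"ap_clerk", "ap_approver"}, True, 10),
    User("carol", {"hr_admin"}, False, 45),
    User("dave", {"reader"}, True, 200),
]
if __name__ == "__main__":
    for finding in review_access(SAMPLE_USERS):
        print(*finding)
```

In a real deployment the roster would come from the identity provider or SCIM feed and the findings would open tickets for the access owners to approve or revoke.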