Sensitive or mission-critical applications should incorporate appropriate access controls that restrict which application functions are available to users and other applications. The most commonly referenced applications from an examination perspective support the information processing needs of the various business lines. These computer applications allow authorized users or other applications to interface with the related database. Effective application access control can enforce both segregation of duties and dual control. Access rights to sensitive or critical applications and their databases should ensure that employees or applications have the minimum level of access required to perform their business functions. Effective application access control involves a partnership between the security administrators, the application programmers (including TSPs and vendors), and the business owners.
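As an added illustration that is not part of the Handbook, the following sketch shows how an application can enforce the three properties named above in code: functions granted per role and nothing else (minimum access), a conflict table that stops one person from holding both sides of a transaction (segregation of duties), and a release step that needs two distinct approvers (dual control). The wire-transfer application, its teller and supervisor roles and the function names are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed example: a wire-transfer application whose functions are granted per role.
ROLE_FUNCTIONS = {"teller": {"transfer.initiate"}, "supervisor": {"transfer.approve"}}
# Function pairs that one person must never hold together (segregation of duties).
CONFLICTING_FUNCTIONS = [frozenset({"transfer.initiate", "transfer.approve"})]

class AccessDenied(Exception):
    pass

@dataclass
class Transfer:
    initiator: str
    amount: int
    approvers: set = field(default_factory=set)
    released: bool = False

def functions_for(roles):
    """Union of the functions granted by the user's roles; nothing else is reachable."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))

def sod_violations(roles):
    """Conflicting function pairs that this role assignment places in one person's hands."""
    funcs = functions_for(roles)
    return [pair for pair in CONFLICTING_FUNCTIONS if pair <= funcs]

def authorize(user, roles, function):
    """Deny unless the role set is conflict-free and actually grants this function."""
    if sod_violations(roles):
        raise AccessDenied(f"{user}: roles {sorted(roles)} violate segregation of duties")
    if function not in functions_for(roles):
        raise AccessDenied(f"{user}: not granted {function}")

def initiate(user, roles, amount):
    authorize(user, roles, "transfer.initiate")
    return Transfer(initiator=user, amount=amount)

def approve(user, roles, transfer):
    authorize(user, roles, "transfer.approve")
    if user == transfer.initiator:  # the initiator may never approve their own transfer
        raise AccessDenied(f"{user}: cannot approve own transfer")
    transfer.approvers.add(user)
    return transfer

def release(transfer, required_approvers=2):
    """Dual control: the transfer moves only once two distinct approvers have signed off."""
    if len(transfer.approvers) < required_approvers:
        raise AccessDenied(f"needs {required_approvers} approvers, has {len(transfer.approvers)}")
    transfer.released = True
    return transfer
```

The same conflict table doubles as a check to run whenever roles are assigned, so a user who would end up able to both initiate and approve is caught at provisioning time rather than at the first denied request.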
Some security software programs will integrate access control for the operating system and some applications. Such software is useful when applications do not have their own access controls, and when the institution wants to rely on the security software instead of the application's access controls. Examples of such security software products for mainframe computers include RACF, CA-ACF2, and CA-TopSecret. Institutions should understand the functionality and vulnerabilities of their application access control solutions and consider those issues in their risk assessment process.
Institution management should consider a number of issues regarding application access control. Many of these issues also could apply to oversight of operating system access: