Access

The control that governs the permission, ability, or right granted to individuals or entities to interact with or obtain entry to a system, resource, or information. It involves the establishment of rules and restrictions to manage and regulate entry, ensuring that only authorized users can use, modify, or retrieve specific assets or data.

Close terminology

Role-Based Access Control (RBAC) - Assigning access based on job roles and responsibilities. Ensuring that individuals have the minimum necessary access to perform their tasks.

Physical Access - Restriction to physical areas within the organization. Access to buildings, offices, and other facilities.

Information Access - Permissions for accessing, using, and disseminating information at various confidentiality levels, according to the permissions granted.

System Access - Access to computer systems, networks, and servers. User permissions within software applications. Administrative access for system configuration and maintenance.

Data Access - Access to specific databases or data repositories. Permissions to view, modify, or delete specific data sets.

Document Access - Access to organizational documents, files, and information. Version control and permissions for document editing and sharing.

Process Access - Authorization to initiate, modify, or terminate specific business processes. Workflow access for managing and tracking process stages.

Application Access - Access to specific business applications or software tools. Permissions within applications for different user roles.

Network Access - Access to the organization's network infrastructure. VPN access for remote workers.

Audit Trail Access - Access to logs and audit trails for monitoring and tracking changes. Permissions to review and analyze security and activity logs.

Access Governance

The overarching framework for managing and controlling access, including policies, processes, and technologies. Provides a structured approach to aligning access with business requirements, compliance, and security objectives.

Access Attempt

Attempting to enter or gain access to an area, location, system, or platform in order to utilize its resources or services.

Authentication

The process of verifying the identity of an individual or entity attempting to access a system or resource. Ensures that only authorized users are granted access, enhancing security.

Authorization

Granting or denying specific permissions and privileges to authenticated users based on their roles or attributes. Defines the level of access a user has, specifying what actions they are allowed to perform.

Although access management ensures that only authorised persons can access the data in the audited databases, in the case of two databases, the access rights that these persons have are too broad. If, in the opinion of the [audited entity], it is not possible to organise the access request procedure quickly enough and in the way that the process of assessing the need for assistance requires, other measures must be implemented to prevent and detect misuse of data.
Database access management RKTR - Estonia 2023

Access Control Lists (ACLs)

Lists specifying which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Provides a granular level of control over access permissions for different users or groups.

Role-Based Access Control (RBAC)

Assigning access permissions to users based on their roles within an organization. Simplifies access management by aligning permissions with job responsibilities.

Single Sign-On (SSO)

A method that allows a user to log in once and access multiple systems or applications without re-entering credentials. Enhances user convenience while maintaining security and reducing the need for multiple logins.

Multi-Factor Authentication (MFA)

A security process that requires users to provide multiple forms of identification before granting access. Adds an extra layer of security by validating identity through multiple means, such as passwords, biometrics, or tokens.

Logging

Recording and monitoring access attempts, successful or unsuccessful, for the purpose of auditing and analysis. Up-to-date and properly structured logs enhance security by providing a record of access activities and enabling detection of potential security threats. It is necessary to analyse the log data in order to detect errors or incidents committed in the databases on an ongoing or retrospective basis and to determine the reasons for their occurrence.

Insofar as STAR has not implemented measures necessary for verifying the analysis of logs and the justification of queries, the risk of misuse of data increases. Log data, i.e. information about the events that occurred in the database, were collected and stored in the audited databases, but these logs were not systematically or regularly analysed and the respective obligation was not established in the documents governing the activities of institutions or databases.
Database access management RKTR - Estonia 2023
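One way to put the audit's point about analysing collected logs into practice, as an added example that is not from the audit report or any project: a small Python reviewer over a constructed access log that flags successful queries with no recorded justification and repeated denied attempts against one target. The log format, field names and the denial threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample access log (not from the audit report).
# Assumed format: timestamp | user | outcome | action | target | justification
SAMPLE_LOG = """\
2023-03-01T08:02:11 | anna | OK | SELECT | person_registry | case=2023-0417
2023-03-01T08:05:40 | anna | OK | SELECT | person_registry | case=2023-0417
2023-03-01T08:07:02 | mart | DENIED | SELECT | benefit_payments | -
2023-03-01T08:07:15 | mart | DENIED | SELECT | benefit_payments | -
2023-03-01T08:07:29 | mart | DENIED | SELECT | benefit_payments | -
2023-03-01T08:09:00 | mart | OK | SELECT | person_registry | -
2023-03-01T08:12:44 | kati | OK | UPDATE | person_registry | case=2023-0420
2023-03-01T08:14:10 | kati | OK | SELECT | person_registry | -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<user>\w+) \| (?P<outcome>OK|DENIED) \| "
    r"(?P<action>\w+) \| (?P<target>\w+) \| (?P<just>.+)$"
)


def parse_log(text):
    """Parse pipe-separated log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def unjustified_queries(events):
    """Successful operations with no justification recorded ('-' is the assumed empty marker)."""
    return [e for e in events if e["outcome"] == "OK" and e["just"] == "-"]


def repeated_denials(events, threshold=3):
    """(user, target) pairs with at least `threshold` denied attempts: probing or mis-provisioned rights."""
    counts = Counter((e["user"], e["target"]) for e in events if e["outcome"] == "DENIED")
    return {key: n for key, n in counts.items() if n >= threshold}


def review_log(text):
    """Run both checks over raw log text and return the findings for a reviewer."""
    events = parse_log(text)
    return {
        "unjustified": [(e["user"], e["action"], e["target"]) for e in unjustified_queries(events)],
        "repeated_denials": repeated_denials(events),
    }


if __name__ == "__main__":
    for name, finding in review_log(SAMPLE_LOG).items():
        print(name, finding)
```

The same two checks can be run retrospectively over an archived log or on a schedule, which is the ongoing analysis obligation the audit found missing.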

Session Management

Controlling and monitoring user sessions to ensure secure and authorized access during a specific time period. Prevents unauthorized access by terminating sessions when not in use and managing session lifetimes.

INs and OUTs (section under development)

coming in

going out

Controls to review

regulation, documentation, reports