Logical access controls are used to control whether and how subjects (usually persons) are able to access objects (usually data). Logical access controls work in a number of different ways, primarily:
- Subject access. Here, a logical access control uses some means to determine the identity of the subject that is requesting access (authentication). Once the subject’s identity is known, the access control performs a function to determine whether that subject should be allowed to access the object (authorization). If the access is permitted, the subject is allowed to proceed; if the access is denied, the subject is not allowed to proceed. An example of this type of access control is an application that first authenticates a user by requiring a user ID and password before permitting the user to access the application.
- Service access. Here, a logical access control is used to control the types of messages that are allowed to pass through a control point. The logical access control is designed to permit or deny the passage of messages of specific types, and possibly also to permit or deny based upon their origin and destination. An example of this type of access control is a firewall or screening router that makes pass/block decisions based upon the type of traffic, its origin, and its destination.
An analogy of these two types of access is a symphony hall with a parking garage. The parking garage (the “service access”) permits cars, trucks, and motorcycles to enter, but denies oversized vehicles from entering. Upstairs at the symphony box office (the “subject access”), persons are admitted if they possess a photo identification that matches a list of prepaid attendees.
Excerpt from CISA Certified Information Systems Auditor All-In-One Study Guide
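The following worked example is added here and is not part of the study guide excerpt. It models the two kinds of control described above in Python: a subject-access check that authenticates a user ID and password (salted PBKDF2 hashes, constant-time comparison) and only then consults an access control list, and a service-access check in the style of a screening router that evaluates permit/deny rules top-down by protocol, origin, destination and port, with an implicit final deny. The user store, ACL, rule set and addresses are constructed for illustration.

```python
"""Subject access (authenticate, then authorize) and service access (first-match
packet filter with default deny). All users, objects, rules and addresses below
are constructed sample data for this example."""
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


# --- Subject access: who is asking, and may they have this object? ---------

def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a key from the password; the store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: user id -> (salt, derived key).
_SALT_ALICE = bytes.fromhex("0f" * 16)
_SALT_BOB = bytes.fromhex("a3" * 16)
USERS = {
    "alice": (_SALT_ALICE, _hash_password("correct horse battery", _SALT_ALICE)),
    "bob": (_SALT_BOB, _hash_password("hunter2-but-longer", _SALT_BOB)),
}

# Constructed ACL: object -> set of subjects permitted to access it.
ACL = {
    "payroll.xlsx": {"alice"},
    "handbook.pdf": {"alice", "bob"},
}


def authenticate(user_id: str, password: str) -> bool:
    """Step 1: establish the subject's identity. Unknown users still go through
    the hashing path so that a missing account is not revealed by timing."""
    salt, expected = USERS.get(user_id, (_SALT_BOB, b"\x00" * 32))
    candidate = _hash_password(password, salt)
    return user_id in USERS and hmac.compare_digest(candidate, expected)


def authorize(user_id: str, obj: str) -> bool:
    """Step 2: decide whether this known subject may access this object.
    Objects absent from the ACL are denied (default deny)."""
    return user_id in ACL.get(obj, set())


def subject_access(user_id: str, password: str, obj: str) -> bool:
    """Full subject-access decision: authorization is consulted only after
    authentication succeeds."""
    return authenticate(user_id, password) and authorize(user_id, obj)


# --- Service access: may this kind of message pass the control point? -------

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # origin network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


# Constructed screening-router policy, evaluated top-down; first match wins.
RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),  # public HTTPS server
    Rule("permit", "tcp", "10.0.0.0/8", "203.0.113.20/32", 22),   # SSH from internal nets only
    Rule("deny", "icmp", "0.0.0.0/0", "203.0.113.0/24", None),    # no ping into the DMZ
]


def service_access(proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return "permit" or "deny" for a message. Anything not explicitly
    permitted falls through to the implicit final deny."""
    for rule in RULES:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    print(subject_access("alice", "correct horse battery", "payroll.xlsx"))  # True
    print(subject_access("bob", "hunter2-but-longer", "payroll.xlsx"))       # False
    print(service_access("tcp", "198.51.100.7", "203.0.113.10", 443))        # permit
    print(service_access("tcp", "198.51.100.7", "203.0.113.20", 22))         # deny
```

Two design points carry over to real systems: the subject-access path fails closed at every step (wrong password, unknown user, or object not in the ACL all yield a denial), and the service-access path ends in an implicit deny, so the rule set only ever needs to enumerate what is permitted.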