I. Describe how technical controls are essential in enforcing policy for many IT functions that do not

Question:

I. Describe how technical controls are essential in enforcing policy for many IT functions that do not involve direct human control.
II. Explain the concept of technical control solutions, which when properly implemented, can improve an organization’s ability to balance the often conflicting objectives of making information more readily and widely available against increasing the information’s levels of confidentiality and integrity.
III. Illustrate that access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization.
IV. Remind students that there are two general types of access control systems: discretionary and nondiscretionary.
• Discretionary access controls are ones that are at the judgment or option of the user. The most common example is Microsoft Windows.

• Nondiscretionary access controls are ones that are implemented by a central authority (e.g., IT department). These can be based on role-based access controls (RBAC) or task-based access controls (TBAC) or a combination of both.
V. Discuss lattice-based access controls (LBACs). Explain that LBACs specify the level of access each subject has to each object, as implemented in access control lists (ACLs) and capability tables.
VI. Describe how Mandatory Access Control schemes use data classification schemes for granting access to data. Also, mention that MACs are a form of lattice-based, nondiscretionary access controls.
VII. Introduce students to attribute-based access controls (ABACs), which represent a newer approach to lattice-based access controls promoted by NIST. Differentiate between the concepts of attributes and subject attributes.
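
Added example (not part of the original question or the textbook): items V and VI above, worked through in Python. One access matrix is projected into per-object ACLs and per-subject capability tables, and a classification check is then layered on top as a MAC-style rule. All subjects, objects, rights and levels are constructed for illustration, and combining the two checks with a logical AND is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample data. Access matrix: (subject, object) -> set of rights.
ACCESS_MATRIX = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("alice", "handbook.pdf"): {"read"},
    ("bob", "handbook.pdf"): {"read"},
    ("bob", "payroll.xlsx"): {"read"},  # granted in the matrix, blocked by MAC below
    ("backup_svc", "payroll.xlsx"): {"read"},
}

def build_acls(matrix):
    """Column view of the matrix: per object, which subjects hold which rights."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)

def build_capability_tables(matrix):
    """Row view of the matrix: per subject, which objects it may use and how."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)

def is_allowed(matrix, subject, obj, right):
    """Default deny: a missing cell in the matrix means no access."""
    return right in matrix.get((subject, obj), set())

# Constructed classification scheme, ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}
CLEARANCE = {"alice": "confidential", "bob": "internal", "backup_svc": "confidential"}
CLASSIFICATION = {"payroll.xlsx": "confidential", "handbook.pdf": "internal"}

def mac_read_allowed(subject, obj):
    """The subject's clearance must be at or above the object's classification."""
    subject_level = LEVELS.get(CLEARANCE.get(subject), -1)  # unknown subject: deny
    return subject_level >= LEVELS[CLASSIFICATION[obj]]

def can_read(subject, obj):
    """Both the matrix entry and the classification rule must permit the read."""
    return is_allowed(ACCESS_MATRIX, subject, obj, "read") and mac_read_allowed(subject, obj)

if __name__ == "__main__":
    print("ACL for payroll.xlsx:", build_acls(ACCESS_MATRIX)["payroll.xlsx"])
    print("Capabilities for alice:", build_capability_tables(ACCESS_MATRIX)["alice"])
    for who in ("alice", "bob", "mallory"):
        print(who, "may read payroll.xlsx:", can_read(who, "payroll.xlsx"))
```

The ACL and the capability table carry the same information and differ only in whether lookups start from the object or from the subject; the classification rule is enforced centrally and overrides a grant that appears in the matrix.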


Related Book:

Principles Of Information Security

ISBN: 9780357506431

7th Edition

Authors: Michael E. Whitman, Herbert J. Mattord
