Levels of Computer Security
Correctly designed computer security systems provide three distinct levels of security. A system trespasser must pass through all three levels in order to access applications.
Level One - Site Access
Site access controls provide "physical" security against access to the location of the system. This can be thought of as the need to have a key to open the door to the office within which the computer and terminal reside.
For internal systems, these controls include securing access through physical means (locks, doors, etc.) to terminals and servers. For systems externally connected (for example, through communications links or the internet), this level of security can be provided by a firewall or call-back modem. These serve as "doors" into the system.
For further information see:
IS Physical Security
Level Two - System Access
System access controls provide security when users are allowed access to the system. For example, turning on the terminal should not give you direct access.
This control is usually provided through a logon and password. Higher levels of security can be accomplished through biometric devices or physical tokens such as ID cards or smart cards.
Level Three - Application Access
Once you have gained access to the system, there is still a third level of security that controls access to different programs and data based on the specific identity of the individual user.
This security may be provided through the same logon/password, a second (or more) password, a physical device (biometric, card, etc.), or by limiting access to specific physical devices (such as terminals or network addresses).
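The three levels can be sketched as gates checked in order, each able to deny on its own. This is an added example, not part of the original article; the network ranges, user names, passwords, application names and function names are all constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data (assumptions, not from the original article).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # Level 1 "door"
SALT = b"constructed-salt"  # a real system uses a random salt per user

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice": _hash("correct horse"), "bob": _hash("battery staple")}

# Level 3: per-user rights to each application, limited to specific addresses.
APP_ACL = {
    "payroll": {"alice": [ipaddress.ip_network("10.20.5.0/24")]},
    "timesheet": {"alice": ALLOWED_NETWORKS, "bob": ALLOWED_NETWORKS},
}

def _in_any(source_ip, networks):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)

def site_access(source_ip):
    """Level One: may this connection reach the system at all?"""
    return _in_any(source_ip, ALLOWED_NETWORKS)

def system_access(user, password):
    """Level Two: logon and password."""
    stored = USERS.get(user)
    candidate = _hash(password)  # hash even for unknown users
    return stored is not None and hmac.compare_digest(stored, candidate)

def application_access(user, app, source_ip):
    """Level Three: this user, this application, from this address."""
    return _in_any(source_ip, APP_ACL.get(app, {}).get(user, []))

def authorize(source_ip, user, password, app):
    """Return (allowed, level_that_denied); all three levels must pass."""
    if not site_access(source_ip):
        return False, "site"
    if not system_access(user, password):
        return False, "system"
    if not application_access(user, app, source_ip):
        return False, "application"
    return True, None

if __name__ == "__main__":
    print(authorize("10.20.5.7", "alice", "correct horse", "payroll"))
    print(authorize("10.20.9.9", "bob", "battery staple", "payroll"))
```

Returning the level that denied the request gives the audit log a record of which control stopped each attempt.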
© Copyright 2000 Raymond S. Kulzick. All rights reserved. 000620.
This publication provides business, financial planning, and/or tax information to our clients. All material is for general information only and should not be acted upon without seeking appropriate professional assistance.