IntroductionAccess control management is one of the most important features to ensure the security of an organization's assets. Controlling access to a company's physical and technological assets can become very complex depending on the size and scope of the company. Access control defined by Techopedia, “a means of limiting access to a system or to physical or virtual resources”. (Access Control, 2014) In order to analyze access control management technologies, we must first describe the key principles of security and how they evaluate access control technologies. Known as the CIA Information Security Triad, confidentiality, integrity, and availability are the criteria by which security access controls are evaluated. Following each of these principles every time when implementing a new access control model will ensure the security of the organization's assets. Access control management depends on identification, authentication and authorization. Identification is the way in which a person is recognized as a requester or subject. A requester is an unverified entity that seeks access to an object. An object is an asset that the company owns and for which access controls are in place. Identification can come from many different methods such as ID cards or smart cards, biometric devices, PIN and usernames. Once an identification mechanism has been addressed, the authentication process begins. Authentication validates the applicant's identification using one of three authentication factors; something the requester knows which could be a password or passphrase, something the requester has which could be a smart card, or something the requester is, a biometric device. Some access control systems may require more paper. State laws may limit the number of records that can be viewed by any of its employees. This means that a bank employee can have access to their own customer base, but they should not be allowed access to the same type of customers at a branch in another country. (Rjaibi & Bird, 2004, August) Mandatory access controls do not limit based on the attributes associated with an object, the physical location in this example. There, a classification label on the subject, customer account and authorization level label of the subject, bank employee, would not limit the bank employee's access to the customer account based on the physical location attribute. The principle of availability and confidentiality is not fully covered by mandatory access controls because access cannot be determined based on the attributes of this model and could allow access where access should not be granted..