Introduction The key issue that arises in the construction of an access control system (AC) is the question of security guarantees. Specifically, based on some particular policy AC is generated as access control system. At the same time all the requirements of the chosen policy of the AC are consistently implemented in the information security (IS) system. The question arises if the security system in the future will reliably and fully comply with all the requirements of the policy of AC, can it completely guarantee that in the future none of the existing or new threats, including using the AC system, will be successfully implemented by an attacker? Another question is: what should be the requirements to the policy of the AC system and, in general, to the information security policy of the organization so that such guarantees of the absence of a breach of the security regime in the future will be guaranteed? The main result These questions are the main objet of study in this paper. Let us consider which methods can provide such guarantees. When solving the problems of analysis, which are also the tasks of guarantees under consideration, logical-analytical, empirical-statistical or expert methods can be used. Empirical-statistical methods are based on experience in the practical use or operation of the system (in our case, AC system). However, even with extensive experience of the security system, there are no absolute guarantees that at some instance a new method for overcoming AC system will not be found. Therefore, empirical-statistical methods cannot be the basis for obtaining security guarantees in the future. The expert methods of obtaining security guarantees are even less convincing. Therefore, the only way to ensure security guarantees in the future is the use of logical-analytical methods. The method of obtaining guarantees is a strict mathematical proof that within the framework of some formalized model describing the policy of the AC system, the requirements of this policy comply with the rules and requirements established in the AC system and will not be violated at any time. Thus, to obtain security guarantees for meeting the requirements of the AC policy at any time in the future, it is necessary to formulate AC policy using some formalized model, within which it has been proved impossible to override the AC system at any time, provided that all requirements laid down in a formalized model and in the AC policy are implemented. Within the framework of the process approach to the construction of the AC system three main components were identified: - a set of subjects S, which may have access to the hardware and software resources of the data processing system; - a set of objects O of the data processing system (information resources and data, software, hardware and technical devices) that may be subject to the actions of at least one subject from S; - a set of access rights D = {d (s, o)} (that is, a set of access types) for each pair (s, o), s ∈ S, o ∈ O, each of these rights may have time limits; for example, it may be prohibited to read certain data during off-working and holiday time. It should be noted that the sets S and O intersect. For example, some executable program can be run or modified by another application (in particular, a Trojan or a virus program). Thus, the formalized model of intrusion protection based on the process approach is a triple set {S, O, D}. In this case, both the theory of graphs (the Take-Grand model), probabilistic models (model of information flows), and the theory of automata (the automaton model) can be used to formalize penetration-defense processes [1-3]. For the first time, this approach to the construction of AC systems was proposed and implemented in "Orange Book", where access control model was proposed that ensured information security guarantees in the future. However, this approach has not found any further effective development, and now it is of little use in providing information security. The main reason is: models, for which the property of providing security guarantees can be proven. are quite trivial and, therefore, not of interest to existing security systems. A formalized description of the access control process based on the {S, O, D} model is difficult in many cases, primarily because the description of each link from D is rather cumbersome. It should comprise all conditions for the implementation of this relationship and all the restrictions that are associated with it. Therefore, it is advisable to detail the formalized model as follows. Assume that D describes only the list of types of penetration (unauthorized access) for each pair of object-entity relationships. Next, we add to the model the sets R, C for each pair "object-subject"; that is, R = {R (s, o)} and C = {C (s, o)}, where for the subject s and the object o the expressions R (s, o) and C (s, o) contain an enumeration of constraints and conditions access the subject s to the object o, respectively. Under "restriction" we should understand the requirement that is imposed on the process of accessing data initially (by access time, by workstations and IP addresses, by working capabilities). Then the "condition" is the restrictions imposed on the process of access to data, which depend directly on the way data is processed and which can make changes to the conditions of penetration directly during the processing of data. Conditions can be tied to external factors at the current moment of work, to the current state of the data processing system and the security system. Finally, indication of the set of actions A (methods, techniques and technologies) that can be applied in the security system for establishing the case of penetration and changing the access conditions of the subject to the object [4], as applied to a specific subject-object pair for example, the "block process" action is not applicable to all possible processes or physical entities). This set of actions is especially important in the process of designing or modifying the AC system. We assume that A does not depend on the subjects and objects, to which the specific actions are applied. Note that the set A includes, in particular, possible methods, techniques and technologies to counter threats and attacks. Thus, proceeding from the above, the formalized access model M can be represented as a set of five components: M = {S, O, D, R, C, A}. The specific content of each of the components of the model is tied to a specific security object and IS requirements, as well as to the adopted security policy, if the same one presents at the protection object. The content of the first five components of the model is not critical. We focus on the content of the last component, which is the set of actions A. To arrange possible actions let us first single out systematization indices [4-6]. The paper gives the following four groups of indices as the most important according to the AC system: 1. The class of facilities, to which a certain action belongs. The class is determined by the type of facilities used and the actions associated with them which are relatively similar to all facilities and activities from the same class. Accordingly, the following classes of facilities for ensuring information security, including AC, are: hardware; organizational; technical; legal; cryptographic; engineering; moral and ethical. Clarification: a) the difference between hardware and technical means is, that hardware only function when the data processing system (e.g. access control cards) is running, and the technical facilities can operate, regardless of whether the data processing system is functioning or not; b) at present the boundary between software and hardware is relative (hardware can be implemented programmatically and, conversely, many software allow hardware implementation), they are often combined into one group of software and hardware; c) organizational means occupy an intermediate position between technical and legal means, that is why they are often taken as an individual class or combined with technical facilities and are titled as organizational and technical means or legal means. 2. Environment. There are the following main environments for influencing the AC process: information environment (global and local networks, workstations); physical environment (theft or damage to processing facilities and storage media); electromagnetic environment (information leakage through the channels of spurious electromagnetic emissions and interference (TEMPEST); legal environment (ownership of certain data). 3. Action mode. Two main modes of influence are distinguished: operational mode, when the factor's influence occurs directly during the operation of the data processing system; planned regime, where the impact of the factor may occur in the future, therefore, certain preventive actions are taken to eliminate (or, conversely, strengthen) this impact or to reduce (increase) the consequences and effects of the impact. Planned regime implies the following gradation: strategic; long-term; medium-term; short; annual; quarterly; monthly; weekly; daily; current. Note that the difference between strategic and long-term regimes can be expressed idiomatically: strategic mode is a view from the future to the present, and a long-term mode is a view from the present to the future. 4. Focus of actions. The following types of actions are selected in the process of AC: 1) authorization of the subject/object in the AC system - presentation by the user of his/her individual attributes in order to gain access and checking the presence of these attributes in the list of subjects by the system; 2) identification - verification of the presence of attributes, confirming (or proving in case of authentication) the correspondence of authorization attributes directly to the subject; 3) regulation - the establishment of certain restrictions for the species from the permitted types of access under the procedure for access of the subject to the facility; 4) management - control of the subject in the system for a given fixed set of characteristics; 5) support - continuous monitoring of the subject's actions in the data processing system; 6) limitation - the establishment of certain requirements associated with the process of the subject in the data processing system; 7) prioritization (separation and demarcation) - determining the order of access of the entities to the resources of the data processing system and limiting their ability to work in the system in order to completely isolate the processes associated with the operation of users in the data processing system; 8) detection of unauthorized actions - detection of events, agents or conditions that violate the established requirements and restrictions on data processing; 9) informing - transfer of information to a specified set of subjects in accordance with the established security policy of the regulations (first of all, notification of all responsible persons in the event of non-standard, in particular, emergencies or events); 10) localization of the negative impact zone - identification of the possible location of the source of negative impact (spyware, intruder, etc.) and the maximum possible limitation of all processes interaction in the data processing system; 11) isolation of the source of negative impact (in particular, an attacker) - creating obstacles for actors and processes located in the localization zone to penetrate into the part of the data processing system; 12) blocking - creating conditions in the data processing system, in which the source of the negative impact is not able to perform any significant actions in the data processing system; 13) neutralization - carrying out actions and measures that neutralize the source of negative impact; 14) termination - immediate completion of the processes in the data processing system (for example, if there are serious grounds for speculation about malicious penetration into the system or in case of emergencies); 15) checking the component status - permanent control (i.e. with a specified periodicity or based on a specified verification procedure), and auditing the status of all components of the data processing system and the information security system; 16) dispatching - logging, in which all events occurring in the data processing system during the system operation are recorded, according to the set of parameters and with the established format; 17) analysis - the formation of a list of problems and tasks to ensure information security, based on the study and understanding of all sources that reflect data processing and ensure information security in the system (in particular, event and security logs); 18) sound notification - activation of hardware and software for immediate notification of all persons in the control zone in the event of dangerous situations. The object penetration/protection event can be formalized as a combination of the individual values of each of the four indicators listed above, which generates an algorithm for the system behavior that requires comprehensive protection of information, where the word "complex" is understood as presence of action mechanisms in the system for any possible situation related to violation of the established data processing mode. For example, combination of the meaning "organizational" for the first indicator, "information environment" for the second indicator, "operational mode" for the third indicator and "blocking" for the fourth indicator implies the development of a document (instruction) that would describe the procedure for creating data processing algorithm, taking into account functionality of information systems, composition of active subjects at the time of blocking. At the same time, the number of possible combinations of the listed parameters is large for practical implementation of all possible options - 8 ∙ 3 ∙ 2 ∙ 18 = 864; there fore, in practice parameters are usually comprised into documents without detailed elaboration. Creation of requirements base covering all the possible situations and corresponding action mechanisms (in particular, countering malicious attacks), and periodic replenishment and refinement of this base is a prerequisite for the formation of algorithms for the standard information protection mechanisms. The main task of the IS system will be creating the number of actions from the specified base of rules that would fully cover all the problems of information security at a certain protection facility. The modern powerful computing means allow to automate many mechanisms and actions related to the process of providing information security. In particular, [7] there was proposed a system of distributed control of the AC process based on microprocessors. In this case, many of the options listed above can be solved at the level of individual microprocessors, especially in the operational mode, when the time factor is one of the decisive elements of the process of counteracting attacks. However, the creation of a complete project of such a system requires further research. Conclusion The paper considers one of the main problems of the AC system process, the problem of ensuring guarantees for the chosen security policy, where strict observance of all its requirements can prevent violation of the requirements of the adopted AC policy in the future. The solution of the problem is based on the use of models of threat formalization and preventive actions.