A method and apparatus for determining access protection (96) includes receiving a plurality of access requests (84) corresponding to a plurality of masters (12, 14), determining access permissions (86), providing state information (60), determining access permissions (86) based on the access request (84), and selectively modifying the access permissions based on the state information (90). The state information (60) may relate to debug operation, operation from unsecure or unverified memories, memory programming, direct memory access operation, boot operation, software security verification, security levels, security monitor operation, operating mode, fault monitor, external bus interface, etc (88).