Elsevier

Computers & Security

Volume 21, Issue 4, 1 August 2002, Pages 356-371

The Development of Access Control Policies for Information Technology Systems

https://doi.org/10.1016/S0167-4048(02)00414-5

Abstract

The identification of the major information technology (IT) access control policies is required to direct “best practice” approaches within the IT security program of an organisation. In demonstrating the need for security access control policies in the IT security program, the study highlights the significant shift away from centralised mainframes towards distributed networked computing environments. The study showed that the traditional and proven security control mechanisms used in the mainframe environments were not applicable to distributed systems, and as a result, a number of inherent risks were identified with the new technologies.

Because of the critical nature of the information assets of organisations, appropriate risk management strategies should be afforded to the IT systems through access control policies. The changing technology has rendered centralised mainframe security solutions ineffective in providing controls on distributed network systems.

This investigation revealed that policies for access control of an information system, drawn from corporate governance guidelines and risk management strategies, were required to protect the information assets of an organisation. The paper proposes a high-level approach to implementing security policies through information security responsibilities, management accountability policy, and other baseline access control security policies for individual and distributed systems.

Introduction

Security theories determine the types of security controls that are appropriate for the protection of the information assets of an organisation, and these controls in turn will be reflected in the policies that are developed to implement these strategies. The approaches to the development of the access control policies will generally depend on strategies that have been developed in physical security and business contingency management.

Prior to the 1980s, many organisations operated large centralised computing environments that were centrally managed, and from a security perspective were relatively easy to control [1]. The majority of organisations relied on physical security measures to protect their computer processing installations, and the communication environments were simple proprietary wide area networks (WANs) that generally did not provide external access to other networked environments. Security control mechanisms were also easier to implement, as system originators such as IBM recognised the need to implement specific security control points within their operating systems to cater for their customers' requirements for more effective security and access controls. In fact, IBM introduced the System Authorization Facility (SAF) as a component of their major mainframe operating system, MVS. This facility was used to provide a focal point for security authorisations within the MVS operating system. The need to control access to the operating systems was well recognised, and has resulted in mature security product developments such as RACF and ACF2 in the MVS world. These security solutions are able to integrate with other system utilities and business application solutions to implement secure, centralised access controls over system and network access within the mainframe environment.

During the 1980s and 1990s there was a significant shift away from centralised mainframe systems to more distributed computing environments incorporating:

  • Personal Computer (PC) systems.

  • Local Area Networks (LANs) and Wide Area Networks (WANs).

  • Distributed and disparate systems.

  • Proprietary and non-proprietary networking protocols.

  • Interconnection of disparate network environments.

This shift towards distributed environments also resulted in a number of inherent security risks in the systems such as:

  • Use of insecure operating systems such as MS-DOS and early versions of UNIX.

  • Inadequate or nonexistent installation of network and operating system security controls.

  • Lack of understanding or awareness of security exposures associated with new and developing technologies.

  • Lack of security policies covering the security management of the new distributed system environments.

Although these security risks existed, many organisations recognised the tremendous advantages that the new distributed technologies provided, and moved their critical business application processing from the centralised mainframe environments to distributed network environments. In recent times, the capability to conduct effective systems management activities [2], including maintaining security access controls, across organisations' distributed enterprise systems has raised concerns. System software vendors have recognised both the need and the enormous market potential, and are now developing products that allow companies to implement enterprise security solutions [3].

The dynamic evolutionary nature of computing developments requires that security policies be continually developed to address the significant changes that are constantly occurring. For example, the advent of the Internet has forced businesses to connect their previously isolated systems to the Internet in an effort to gain a competitive advantage, or meet competitor challenges. Many of the systems connected to the Internet have not addressed, or have not been capable of addressing, access control security appropriately [4]. As a result many organisations have had their systems accessed by unauthorised individuals to the detriment of the organisation [5], [6].

It is important to understand that in many distributed environments, organisations shifted responsibility for systems and security management from the centralised IT department to the individual business units. The security access control policies developed for the IT department were not, in many cases, binding on the business units, and this practice could have resulted in inconsistencies in the levels of controls implemented on systems across the enterprise.

The inconsistent implementation of security management controls is considered a major risk in today’s networked environments. This has become a significant issue, as there is no benefit in installing sophisticated access controls on one system to create a “trusted environment” when those controls can be simply bypassed by an unauthorised user gaining access to that “trusted environment” through a gateway-connected system which has inadequate controls installed.

What is clear, however, is that every network and system access point that provides connectivity with external network environments can be used to gain unauthorised access to company systems and information. Development of access control policies to protect all systems is essential in implementing effective internal control processes consistently across all systems.

Section snippets

IT Security Issues

The issue of security is one that can be easily misconstrued by both management and staff alike. As with most facets of management activity, implementation of controls on information systems is not a technical problem but a people problem, as individuals with sufficient motive and desire can, and will, find ways to circumvent technical control mechanisms [7], [8].

Access Control Policies

Most organisations are dependent on computing systems to provide them with the quality information necessary to conduct their business operations and decision-making activities. These information systems and the information contained within them are often critical to the ongoing success and viability of a company. As with other critical assets, they should be afforded risk control strategies to ensure that all information system resources are provided with an appropriate level of protection [14]

Security Solution Directions

Corporate information system architectures have altered considerably in the last 10 years. During the 1980s and 1990s, there was a significant shift away from centralised mainframe systems to more distributed computing environments using:

  • Personal Computer (PC) systems.

  • Local Area Networks (LANs) and Wide Area Networks (WANs).

  • Distributed and disparate systems.

  • Proprietary and non-proprietary networking protocols.

  • Interconnection of disparate network environments.

Unfortunately these system

Development of Policies

A set of IT security policies has been developed to indicate the appropriate approach for comprehensive protection of the information assets of the organisation. The policies have been categorised according to function in the asset protection strategy.

Conclusion

The protection of the IT assets of an organisation is crucial for the maintenance of business continuity. The development of appropriate security policies to guide the implementation of security for the protection of assets is an important phase of the risk management strategy. These policies for the protection of IT assets of the organisation should be communicated to all personnel. In particular, the business areas should accept ownership of their systems, provide commitment to the

Clifton L Smith

Dr Clifton Smith is the Associate Professor, Security Science in the School of Engineering and Mathematics, Edith Cowan University, Perth, Western Australia. Professor Smith conducts research in IT security, biometric imaging, and security education, and he has developed the professional security programmes of Bachelor of Science (Security), Master of Science (Security Science), and Doctor of Philosophy (Security Science).

References (15)

  • Caelli W., Longley D. and Shain M. Information Security Handbook, Macmillan Press Ltd: New York,...
  • Bayuk, J.L. (2001). Security metrics: How to justify security dollars and what to spend them on. Computer Security...
  • Magklaras, G.B. and Furnell, S.M. (2002). Insider threat prediction tool: Evaluating the probability of IT misuse....
  • Cheswick W. and Bellovin S. Firewalls and Internet Security — Repelling the Wily Hacker, Reading: Addison-Wesley,...
  • Stoll C. The Cuckoo's Egg. London: The Bodley Head Ltd.,...
  • Flohr U. Bank Robbers Go Electronic, Byte, http://www.byte.com/art/9511/sec3/art11.htm,...
  • Gaudin, S. (2000). Case study of insider sabotage: The Tim Lloyd/Omega case. Computer Security Journal, 16(3),...

Cited by (38)

  • Requirements for computerized tools to design information security policies

    2020, Computers and Security
    Citation Excerpt :

    As an information security policy user, I can read information security policy content that is based on identified risks related to the organization. Existing ISP research emphasizes the importance of clarifying responsibilities concerning information security, where an ISP must explain the responsibilities and expectations of all roles in an organization (e.g., Simms, 2009; Lindup, 1995; Palmer et al., 2001; Whitman, 2004; Höne and Eloff, 2002a; Ward and Smith, 2002; Maynard and Ruighaver, 2006). Lindup (1995) argued that having clearly defined roles and responsibilities leads to fewer misunderstandings about information security in everyday activities.

  • State of the art in information security policy development

    2020, Computers and Security
    Citation Excerpt :

    However, providing general principles for policies becomes challenging when organizations move to more complex and decentralized IS. Ward and Smith (2002) proposed a set of eight indicative policies for organizations with distributed systems. Lindup (1995), on the other hand, recommended a security treaty for organizations, which comprises of independent units to highlight the individual needs as well as common goals of the units.

  • Human resource information systems: Information security concerns for organizations

    2013, Human Resource Management Review
    Citation Excerpt :

    If limited to a single department HRIS exhibits a high sense of physical security. Whereas e-HR systems are of a distributed nature, and there may be perceptions about them being insecure based on lack of access control levels of employees (Ward & Smith, 2002). According to Wheatman (2010), some of the roles that may need to be watched are privileged users, legitimate end users, and developers and system analysts.

Peter Ward

Mr Peter Ward is a graduate of the Bachelor of Science (Security) course at Edith Cowan University, Perth, Western Australia. Mr Ward is an IT security consultant in the financial and banking industry, specialising in the development of policy for access control of proprietary information.
