The Development of Access Control Policies for Information Technology Systems

Peter Ward and Clifton L Smith‡

Edith Cowan University, School of Engineering and Mathematics, Joondalup Campus, Joondalup, Western Australia 6027
E-mail: [email protected]

‡ Visiting Professor, Department of Electrical and Electronic Engineering, Nottingham Trent University, Burton St, Nottingham, UK

Computers & Security Vol 21, No 4, pp 356-371, 2002. Copyright © 2002 Elsevier Science Ltd. All rights reserved. 0167-4048/02

Abstract

The identification of the major information technology (IT) access control policies is required to direct “best practice” approaches within the IT security program of an organisation. In demonstrating the need for security access control policies in the IT security program, the paper highlights the significant shift away from centralised mainframes towards distributed networked computing environments. The study showed that the traditional and proven security control mechanisms used in the mainframe environments were not applicable to distributed systems, and as a result, a number of inherent risks were identified with the new technologies.

Because of the critical nature of the information assets of organisations, appropriate risk management strategies should be afforded through access control policies to the IT systems. The changing technology has rendered mainframe centralised security solutions ineffective in providing controls on distributed network systems.

This investigation revealed that policies for access control of an information system, derived from corporate governance guidelines and risk management strategies, are required to protect the information assets of an organisation. The paper proposes a high level approach to implementing security policies through information security responsibilities, a management accountability policy, and other baseline access control security policies for individual and distributed systems.

Keywords: Access control, IT policies, distributed systems, security policies, access control policies.

Introduction

Security theories determine the types of security controls that are appropriate for the protection of the information assets of an organisation, and these controls in turn will be reflected in the policies that are developed to implement these strategies. The approaches to the development of the access control policies will generally depend upon strategies that have been developed in physical security and business contingency management.

Prior to the 1980s, many organisations operated large centralised computing environments that were centrally managed, and from a security perspective were relatively easy to control [1]. The majority of organisations relied on physical security measures to protect their computer processing installations, and the communication environments were simple proprietary wide area networks (WANs) that generally did not provide external access to other networked environments. Security control mechanisms were also easier to implement as system originators such as IBM recognised the need to implement specific security control points within their operating systems to cater for their customer requirements for more effective security and access controls. In fact, IBM introduced the System Authorization Facility (SAF) as a component of their major mainframe operating system, MVS. This facility was used to provide a focal point for security authorisations within the MVS operating system. The need to control access to the operating systems was well recognised, and has resulted in mature security product developments such as RACF and ACF2 in the MVS world. These security solutions are able to


Clifton L Smith

Dr Clifton Smith is the Associate Professor, Security Science in the School of Engineering and Mathematics, Edith Cowan University, Perth, Western Australia. Professor Smith conducts research in IT security, biometric imaging, and security education, and he has developed the professional security programmes of Bachelor of Science (Security), Master of Science (Security Science), and Doctor of Philosophy (Security Science).

Peter Ward

Mr Peter Ward is a graduate of the Bachelor of Science (Security) course at Edith Cowan University, Perth, Western Australia. Mr Ward is an IT security consultant in the financial and banking industry, specialising in the development of policy for access control of proprietary information.

integrate with other system utilities and business application solutions to implement secure, centralised access controls over system and network access within the mainframe environment.

During the 1980s and 1990s there was a significant shift away from centralised mainframe systems to more distributed computing environments incorporating:

• Personal Computer (PC) systems.

• Local Area Networks (LANs) and Wide Area Networks (WANs).

• Distributed and disparate systems.

• Proprietary and non-proprietary networking protocols.

• Interconnection of disparate network environments.

This shift towards distributed environments also resulted in a number of inherent security risks in the systems such as:

• Use of insecure operating systems such as MS-DOS and early versions of UNIX.

• Inadequate or nonexistent installation of network and operating system security controls.

• Lack of understanding or awareness of security exposures associated with new and developing technologies.

• Lack of security policies covering the security management of the new distributed system environments.

Although these security risks existed, many organisations recognised the tremendous advantages that the new distributed technologies provided, and moved their critical business application processing from the centralised mainframe environments to distributed network environments. In recent times, the capability to conduct effective systems management activities [2], including maintaining security access controls, across organisations' distributed enterprise systems has raised concerns. System software vendors have recognised both the need and the enormous market potential, and are now developing products that allow companies to implement enterprise security solutions [3].

The dynamic evolutionary nature of computing developments requires that security policies be continually developed to address the significant changes that are constantly occurring. For example, the advent of the Internet has forced businesses to connect their previously isolated systems to the Internet in an effort to gain a competitive advantage, or meet competitor challenges. Many of the systems connected to the Internet have not addressed, or have not been capable of addressing, access control security appropriately [4]. As a result many organisations have had their systems accessed by unauthorised individuals to the detriment of the organisation [5, 6].

It is important to understand that in many distributed environments, organisations shifted responsibility for systems and security management from the centralised IT department to the individual business units. The security access control policies developed for the IT department were not, in many cases, binding on the business units, and this practice could have resulted in inconsistencies in the levels of controls implemented on systems across the enterprise.

The inconsistent implementation of security management controls is considered a major risk in today’s networked environments. This has become a significant issue, as there is no benefit in installing sophisticated access controls on one system to create a “trusted environment” when those controls can be simply bypassed by an unauthorised user gaining access to that “trusted environment” through a gateway-connected system which has inadequate controls installed.


What is clear, however, is that every network and system access point that provides connectivity with external network environments can be used to gain unauthorised access to company systems and information. Development of access control policies to protect all systems is essential in implementing effective internal control processes consistently across all systems.

IT Security Issues

The issue of security is one that can be easily misconstrued by both management and staff alike. As with most facets of management activity, implementation of controls on information systems is not a technical problem but a people problem, as individuals with sufficient motive and desire can, and will, find ways to circumvent technical control mechanisms [7, 8].

Why information systems security?

It is important to understand what information systems security means and how it affects the organisation and people. The Macquarie Dictionary provides a general broad description of ‘freedom from danger, risk, etc.; safety: something that secures or makes safe; a protection; a defence’; while Devargas [9] declares ‘the protection of information assets from accidental or malicious unauthorized disclosure, modification, or destruction, or the inability to process that information is necessary for a secure system’.

Most current organisations are dependent on computing systems to provide them with the quality information necessary to conduct their business operations and decision-making activities. It is appropriate that computing resources and information be viewed as critical assets and, as is the case with other critical assets, they should also be afforded appropriate risk control strategies.

The implementation of logical access controls on computer systems is considered an integral component in the protection of systems and information. However, it is not appropriate to install controls in isolation, without first identifying what approaches should be adopted in regard to security across the enterprise. These approaches should be embraced within the organisation’s overall business risk management strategies and defined in security policies that detail executive management directions on the relevant control issues.

Perceptions

While physical access controls such as locks, access keys and CCTV systems are more evident, computer security access control systems are not well understood by people. Personnel are often unaware of security policies and standards that relate to information systems as computer security training is lacking. Many managers are inwardly focused and consider that security can disrupt their operations. Often they may not identify with the objectives of access controls, while staff may consider that access controls are designed for surveillance, to ensure that they are working properly. In some instances, these perceptions may be sufficiently strong that the effectiveness of security mechanisms is deliberately bypassed or diminished by people, through sharing their system logons and passwords, or writing their passwords down and placing them within easy reach of others.

The personnel of the organisation must be aware of their responsibilities for security, as the success of an information system security program is dependent on gaining the commitment of all staff. It is the implementation of controls, whether automated or manual, that reduces the likelihood of disruptions to information systems to:

• maximise the availability of systems and information;


• provide assurance that the integrity of systems, processing and information is maintained; and

• ensure that the confidentiality of information is preserved.

The development and dissemination of information systems access control policies is the first step in providing an understanding of the need for security and the strategies for protection. The IT security policies also provide the basis for displaying executive management commitment to IT security.

Risk Management

The protection of computer systems, computer applications and the information residing on these systems should be embraced within an organisation’s overall business risk management strategies. Information must be considered as a critical asset and as such it is important that the threats to those assets be carefully identified and measures implemented to negate or significantly reduce the impact of those threats should they materialize. The implementation of protective measures over company assets should never be an arbitrary process, but one that takes into account the value of assets and their criticality to organisational success.

By applying risk management techniques to information assets, an organisation can conduct analysis to identify threats and the appropriate countermeasures that provide a level of protection that is commensurate with the level of risk.

Defence in Depth

The Defence in Depth (DinD) principle has been derived from physical security, and can be applied to information systems security. The DinD principle embraces the following functions:

Deterrence — any action that discourages unauthorised users from accessing information systems through fear.

Detection — actions that recognize unauthorised access or violations of access privileges on information systems, and includes the capability to trace authorised access.

Delay — actions that impede the progress of unauthorised users and reduce the amount of damage that occurs if unauthorised access is successful.

Response — actions necessary to trace intruders or investigate breaches of security controls, and minimize potential damage to systems after detection.

The Defence in Depth principle is based on a succession of barriers that includes the outer and inner perimeters of systems, the network access points, the capability to logon to the system and business applications, use of operating system privileged functions, and access to the data resident on the system. Security policies provide direction on how access controls should be installed on information systems across the organisation [10].

Separation of Duties

The principle of separation of duties is concerned with ensuring that the formal responsibilities and activities of personnel are defined so that appropriate checks and balances are in place to ensure that no one person is in a position to commit fraudulent or unauthorised activity.

This principle is particularly important in respect to access on information systems since the capability to commit fraudulent or unauthorised activities in online systems can result in significant losses. In this context it is essential that the functional roles of individuals be segregated so that a person is not capable of completing a given set of transactions without proper approval mechanisms. In effect, for a fraud to be committed it would be necessary for collusion to occur between two or more individuals. Although this principle is considered to be a fundamental internal control mechanism, it is often neglected by organisations and can have significant and disastrous ramifications for the business. The Barings Bank in Singapore and the Japanese Daiwa Bank financial losses were examples of neglect of the separation of duties principle [11].

Need to Know

The need to know principle relates to the necessity to provide access to systems and information based on a person’s defined role or job function within the organisation, and provides personnel with access to perform their specific and normal work activities. The need to know principle complements the separation of duties principle.

For this principle to be effective, it is essential that the responsibilities of each role and individual access requirements are clearly defined. Higher security controls and restrictions should be applied to more sensitive system function capabilities and information. It is not appropriate to provide access simply because of a person’s status or seniority within the hierarchy of the company [12].
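As an added example, not from the paper, the following Python sketch applies the separation of duties and need to know principles described above: a person is granted only the permissions tied to their defined role, an undefined role (such as a senior title) grants nothing, and anyone holding a conflicting pair of roles is refused all access until the conflict is resolved. The role names, permissions and conflict pairs are constructed for illustration.

```python
"""Role-based access check with need-to-know and separation of duties.

Added example: a small policy evaluator. Access is granted only through the
permissions of a person's defined role (need to know), and role combinations
that would let one person complete a transaction alone are refused
(separation of duties). All role names and permissions are constructed.
"""
from dataclasses import dataclass, field

# Constructed role definitions: each role carries only the permissions its
# normal work activities require, not everything the person might be trusted with.
ROLE_PERMISSIONS = {
    "payments_clerk": {"payment:create", "payment:view"},
    "payments_supervisor": {"payment:approve", "payment:view"},
    "developer": {"source:write", "test_env:deploy"},
    "release_manager": {"prod:deploy"},
    "auditor": {"payment:view", "audit_log:read"},
}

# Constructed conflict pairs: roles that together let one person both initiate
# and approve (or build and ship) without collusion with anyone else.
CONFLICTING_ROLES = {
    frozenset({"payments_clerk", "payments_supervisor"}),
    frozenset({"developer", "release_manager"}),
}


@dataclass
class Person:
    name: str
    roles: set = field(default_factory=set)


def sod_violations(person: Person) -> list:
    """Return the conflicting role pairs held by one person (empty if none)."""
    return sorted(
        tuple(sorted(pair))
        for pair in CONFLICTING_ROLES
        if pair <= person.roles
    )


def effective_permissions(person: Person) -> set:
    """Union of the permissions of the person's roles, or no permissions at
    all while a separation-of-duties conflict remains unresolved."""
    if sod_violations(person):
        return set()
    perms = set()
    for role in person.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorise(person: Person, permission: str) -> bool:
    """Need-to-know check: only role membership counts, never seniority."""
    return permission in effective_permissions(person)


def unknown_roles(person: Person) -> set:
    """Roles assigned to a person that the policy does not define; these grant nothing."""
    return person.roles - set(ROLE_PERMISSIONS)


if __name__ == "__main__":
    clerk = Person("alice", {"payments_clerk"})
    chief = Person("bob", {"payments_clerk", "payments_supervisor"})  # SoD conflict
    exec_ = Person("carol", {"executive"})  # status alone grants no access
    print(authorise(clerk, "payment:create"), authorise(clerk, "payment:approve"))
    print(sod_violations(chief), authorise(chief, "payment:view"))
    print(authorise(exec_, "payment:view"), unknown_roles(exec_))
```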

Dual Control

Dual control involves separating or splitting functions with information so that individuals do not have the capability to complete sensitive transactions, or have access to information which would allow them to commit fraudulent activities. Examples of dual control for information systems are:

• The process of moving new or modified programs into a live production system should only be performed when a minimum of two authorisations has been provided.

• The keys used for encrypting information, for example, bank customers’ ATM card Personal Identification Numbers (PINs), should always be split between two individuals. If a key was held by one individual, then that person would have sufficient information to decrypt the sensitive PIN information, create duplicate ATM cards, and use the cards and valid decrypted PINs to access the accounts of customers.

Accountability

The consequences for Chief Executive Officers (CEOs) who fail to manage areas of risks that result in significant losses could well be future litigation. Nowhere is this more evident than the current debate on the issues related to corporate management responsibilities in regard to the Year 2000 (Y2K) so-called Millennium bug. The issue for CEOs is most excellently summed up by Keen [13]:

“CEOs won’t be able to plead that they weren’t informed of the issue; ignorance won’t be a plausible defense. They will have to show that, once informed, they personally acted as leaders in a business crisis: that they sanctioned the full, needed investment for the technical work, ordered an in-depth business risk assessment (economic, safety, organizational, supply chain, contract performance and the like) and put in place a contingency plan to handle any crisis created by the year 2000 fallout. The minutes of their top management meetings and boards of directors meetings will be scrutinized for evidence of the attention they paid and the progress reports they routinely got.”

Although lacking the high profile of the Y2K problem, it is equally incumbent on executive management to manage and mitigate the security risks associated with the use of information systems to protect the computer processing capabilities and sensitive information of the organisation.

Risk Management and Internal Control Methodologies

In addition to corporate governance requirements, there is now consistent evidence that organisations are being driven towards a focus on risk management through existing and evolving internal control strategies and standards which are part of the normal processes associated with conducting business.

In the past companies placed a heavy reliance on the work of auditors as a risk control strategy. In the 1980s and 1990s there have been numerous examples of high profile corporate failures. As a result there has been much study, and a realisation that for risk management strategies to be effective they must be implemented as internal controls within an organisation’s daily business activities.

The following two internal control frameworks are being adopted and implemented by organisations worldwide. They also provide emphasis on the need for policy development and access control activities required to protect the integrity of internal information systems:

• Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control - Integrated Framework

In the USA in 1987, a group of leading accounting and finance bodies formed the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The commission was formed to investigate causal factors behind fraudulent financial reporting and a spate of spectacular control failures in the USA. A major objective of the committee was to assist public companies to improve their systems for controlling risk.

The COSO report’s thrust is that if controls are integrated into business processes, then fewer controls are necessary. The report included specific references to common processes involved in information systems risk management methodologies, such as the inherent need to manage business risks.

• Control Objectives for Information and Related Technology (CobiT)

CobiT was developed by the Information Systems Audit and Control Association (ISACA) to provide organisations with a comprehensive framework of generally applicable IS security control practices for information technology. It is designed to provide more focus on aligning IT control objectives with the business processes of an organisation and will allow management to benchmark its control environment to standards of policy and good practices implemented worldwide.

The development of CobiT is such that it embraces many of the concepts of the COSO report and other related IS auditing and accounting control standards. CobiT is an internationally developed framework that has called upon specialists across ISACA chapters, primarily in the USA and Europe.

Access Control Policies

Most organisations are dependent on computing systems to provide them with the quality information necessary to conduct their business operations and decision-making activities. These information systems and the information contained within them are often critical to the ongoing success and viability of a company. As with other critical assets, they should be afforded risk control strategies to ensure that all information system resources are provided with an appropriate level of protection [14].

As security is a management problem and not a technical problem, it is important that management provides and displays commitment to the issue [12]. Policies contribute to the overall management of information security by providing clear statements on the approaches to be taken in key areas to ensure protection of information assets. Policies are important in that they provide direction and define rules on how an organisation wishes to operate. Without access control policies to provide direction, it is likely that the protection provided for information assets would be inadequate and inconsistent. This deficiency could expose the organisation to new threats and vulnerabilities that could result in the confidentiality, integrity and availability of information systems being compromised [15].

The purpose of the policies developed in this study was to define and document the guiding principles with which all business units within an organisation are required to comply in controlling access to information systems assets. However, the extent of policy implementation is determined by the size and complexity of the organisation, where each policy is supported and approved by the Executive Management and the Board of Directors.

Policies should be aligned to the specific needs of each organisation and define generic security requirements for all computing environment assets within the organisation, including:

• personnel involved in information systems activities;

• hardware including mainframe, mini and personal computer systems, computer peripheral devices and all telecommunication and network components;

• software including the operating systems, utilities, system support products, application delivery systems, database management systems and application programs;

• data including information that is stored in, or processed by systems or communicated through network environments.

Objectives

The development of objectives for the security of IT in an organisation is crucial as the information assets must be protected. The major objectives of security policies are to:

• Provide direction and understanding on the need for information systems asset security and provide detail for senior management support.

• Define the roles and responsibilities associated with the management of information systems security.

• Recommend baseline security standards and controls for information systems access.

• Assist the organisation to implement consistent controls throughout the enterprise.

• Formalise and document security control requirements to aid in the internal and external review on the adequacy of planned or implemented protection systems and methodologies.

Security Solution Directions

Corporate information system architectures have altered considerably in the last 10 years. During the 1980s and 1990s, there was a significant shift away from centralised mainframe systems to more distributed computing environments using:

• Personal Computer (PC) systems.

• Local Area Networks (LANs) and Wide Area Networks (WANs).

• Distributed and disparate systems.

• Proprietary and non-proprietary networking protocols.

• Interconnection of disparate network environments.

Unfortunately these system architectures introduced inherent security risks and until recently there were no effective security management solutions available.

In the past, security-aware organisations implemented controls on their isolated systems using either base operating system security functions or security software solutions. These approaches can be referred to as point solutions as generally they were confined to the one system architecture or environment. For example, in the MVS environment RACF, ACF2 and TOP-SECRET were used; for the TANDEM Guardian operating system, TANDEM’s SAFEGUARD product was utilized; for AS/400 the OS/400 operating system security was adopted; for WINDOWS/NT the operating system security software was employed. The difficulty and complexity of managing security for these environments was further complicated when considering the need to provide effective security over other products installed on systems, such as relational database management systems, and the business applications themselves.

Clearly, the use of distributed network environments using disparate system platforms represents a significant issue for those organisations concerned about the security of their information systems.

More recently a number of software vendors such as Computer Associates (CA) with CA-Unicenter and Tivoli Systems with TME 10 have developed products that provide centralised integrated security solutions for information system architectures that comprise distributed computing environments using disparate systems. These products offer enhanced benefits in providing the mechanisms by which consistent security policies can be centrally implemented for distributed enterprise-wide information systems.

An Implementation Strategy

Because the security policies drive the lower level security activities associated with actual implementation of control measures, the processes of developing, approving and disseminating policies are both demanding and resource-intensive activities, and should be allowed for when developing detailed project management plans. The following strategic plan indicates the stages required for the implementation of security policies within an organisation:

• Phase 1 - Project Initiation: The appointment of a project team and steering committee comprising manager representatives is necessary.

• Phase 2 - Security Policy Development: The development of security policies in detail, according to a theory or set of principles, to protect the assets of the

Table 1: Information security responsibilities

INFORMATION SECURITY RESPONSIBILITIES

Objective

Define roles and responsibilities associated with effectively managing information systems security within the organisation.

Principle

All employees within the organisation have an obligation to adhere to information security policies. However, there are varying levels of responsibilities for each individual depending upon their role within the organisation and the designated activities associated with the performance of their position.

The processes required to support the implementation of security policies, standards and procedures call for specific roles and responsibilities to be defined for all people involved in the development, implementation and use of information systems.

The security roles and responsibilities that apply are:

• Management

• Information asset owner

• Information asset owner representative

• User

• Information systems (IS) service provider

Table 2: The roles and responsibilities for management

MANAGEMENT ROLES AND RESPONSIBILITIES

Individuals who have been appointed to management positions are required to take a leadership role in regard to protecting assets of the organisation. These managers are responsible for:

• Identifying information assets for which they are accountable and defining protection requirements.

• Authorising use of information assets.

• Assigning ownership authority for specific information assets.

• Ensuring that control policies and procedures are implemented and maintained.

• Ensuring personnel under their control are educated and aware of the need for, and apply, information asset protection policies, standards and procedures.

• Responding immediately to occurrences involving breaches of security or implementing corrective action to resolve identified information asset security exposures.

• Conducting security compliance self assessments.

• Approving system, application, network and information security control plans and risk assessment/acceptance reports.

• Ensuring business continuity and contingency plans are developed, implemented and tested for critical information systems, applications and networks.

364

Access control policies for information technology systems

P. Ward and C.L. Smith

Table 3: The roles and responsibilities for the information asset owner

INFORMATION ASSET OWNER ROLES AND RESPONSIBILITIES

The information asset owner is a manager or management representative authorised to make andcommunicate judgements and decisions regarding the identification, classification and protectionof information assets for which they are accountable. The Information asset owners areresponsible for:

• Assessing the asset's value and importance.

• Classifying assets and specifying the appropriate security control requirements.

• Ensuring that effective and efficient information asset protection measures are implemented tocontrol access and meet specified requirements.

• Authorising access and assigning custody of information assets.

• Conducting periodical reviews of classification and control decisions.

• Participating in risk assessment and risk acceptance of information assets.

• Identifying security exposures, asset misuse or non-compliance with policies and advising.management as soon as an occurrence is recognised.

Table 4: The roles and responsibilities for the information asset owner representative

INFORMATION ASSET OWNER REPRESENTATIVE ROLES AND RESPONSIBILITIES

Information asset owner representatives are managers or management representatives appointedby an owner to communicate decisions regarding asset protection requirements and authorisationof access requests on behalf of the owner.

Owner representatives are defined to provide owners with the capability to delegate a sub-set ofresponsibilities to others who may be better placed to perform the relevant activities. Delegationdoes not abrogate the owner's responsibilities to ensure that information assets under theircontrol are properly protected. Information asset owner representatives are responsible for:

• authorising access and assigning custody of information assets.

• specifying the appropriate security control requirements.

• identifying security exposures, asset misuse or non-compliance with policies and advisingmanagement as soon as an occurrence is recognised.

Table 5: The roles and responsibilities for the user

USER ROLES AND RESPONSIBILITIES

A user is any person or organisation using the organisation's information system asset resources.Users are responsible for:

• Complying with information asset security, policies, standards and procedures.

• Using information assets only when authorised and only for approved purposes.

• Ensuring that the use of individual system logon identifiers and passwords are not shared withother people. Passwords should meet access policy requirements and never be disclosed to anyother person.

• Ensuring that they use control functions and capabilities effectively.

• identifying security exposures, asset misuse or non-compliance with policies and advisingmanagement as soon as an occurrence is recognised.

organisation. This will involveconsultation with interested and affected parties, so that negotiation maybe necessary to defend the policyobjectives.

• Phase 3 - Consultation and ApprovalProcess: Consultation with managementrepresentatives for approval of policies fromBoard of Directors is crucial for the successof the security strategy.

• Phase 4 - Security awareness and policyeducation: Security awareness training andpolicy education sessions should beconducted with all affected groups anddepartments in the organisation.

• Phase 5 - Disseminate Policies: Thedissemination of the developed policiesthrough the organisation is essential foreffective impact.

Development of Policies

A set of IT security policies has been developed to indicate the appropriate approach for comprehensive protection of the information assets of the organisation.

The policies have been categorised according to their function in the asset protection strategy.

Information Security Responsibilities

The personnel and organisations responsible for information security have been determined to be management, the information asset owner, the information asset owner representative, the user, and the information systems service provider. Table 1 describes the objective and principle of information security responsibilities.

Roles and Responsibilities

The following information systems security roles and responsibilities apply to management, the information asset owner, the information asset owner representative, the user, and the information systems service provider. Table 2 describes the roles and responsibilities for management, Table 3 for the information asset owner, Table 4 for the information asset owner representative, Table 5 for the user, and Table 6 for the information systems service provider.

Information security policies have been developed for the following areas of information asset protection: the management accountability policy (Table 7), the information systems security policy (Table 8), the system access control policy (Table 9), the personnel security policy (Table 10), the physical and environmental policy (Table 11), the telecommunications security policy (Table 12), the information classification policy (Table 13), and the business continuity planning policy (Table 14).

The policies are intended to be indicative of the requirements for the protection of IS assets in an organisation.

Table 6: The roles and responsibilities for the information systems service provider

INFORMATION SYSTEMS SERVICE PROVIDER ROLES AND RESPONSIBILITIES

IS service providers are suppliers of information asset services that support the business functions of the organisation. An IS service provider for information asset security is responsible for:

• Identifying information asset security control solutions, defining system security architectures and providing strategic direction on security developments.

• Communicating control processes, procedures and restrictions that are applicable to the system environments of owners and users.

• Providing and administering owner-specified information asset security and access controls for information assets.

• Ensuring that owners are advised of any planned changes to the system environment or security product solutions that may affect the security of assets under their control.

• Ensuring that physical and procedural controls of information assets are enforced.

• Providing for timely detection of, and effective response to, any violation of implemented information asset security controls.

• Identifying security exposures, asset misuse or non-compliance with policies and advising owners and management as soon as an occurrence is recognised.

Table 7: The management accountability policy

MANAGEMENT ACCOUNTABILITY POLICY

Objective

To define managerial accountability and responsibilities in regard to information asset protection.

Principle

Organisations should identify and protect all assets that are critical to their operations. Physical assets, the relevant physical access control measures, and replacement costs are readily identifiable. However, the value of the processes associated with information systems is more difficult to determine.

Management is responsible for the protection of company assets, and should develop policies that ensure this outcome.

Policy

Management, at all levels within the organisation, has a fundamental responsibility to protect company assets. This includes the personnel, financial, hardware, software and data assets for which they are accountable. Managers are responsible for:

• identifying critical business assets for which they are accountable and ensuring controls are implemented to provide an appropriate level of protection.

• implementing secure systems, processing and procedures that adhere to information systems security policies.

• ensuring that all personnel are aware of, and understand, the need to protect company assets, including information.

• recognising existing security measures that do not provide adequate levels of control or do not meet defined policy objectives and, where appropriate, undertaking corrective actions.

• reporting information systems security exposures, misuse or non-compliance to senior management to ensure that organisational, policy, technical or procedural changes can be implemented to address the relevant issue.

Conclusion

The protection of the IT assets of an organisation is crucial for the maintenance of business continuity. The development of appropriate security policies to guide the implementation of security for the protection of assets is an important phase of the risk management strategy. These policies for the protection of the IT assets of the organisation should be communicated to all personnel. In particular, the business areas should accept ownership of their systems, commit to the development of policies, and encourage and insist that control mechanisms be established to protect their critical IS assets and resources.


Table 8: The information systems security policy

INFORMATION SYSTEMS (IS) SECURITY POLICY

Objective

To provide management direction, commitment and support for information systems security within the organisation.

Principle

All information stored in, processed by, or communicated through information systems has a value to the organisation. Much of this information represents critical data required by the organisation to conduct the business and business support activities associated with maintaining the ongoing viability and success of the company.

Information and information systems must be viewed as critical assets that should be protected to:

• maximise the availability of systems and information.

• provide assurance that the integrity of systems, processing and information is maintained.

• ensure that the confidentiality of information is preserved.

The Information Systems (IS) Security Policy defines executive management's commitment to, and direction on, the organisation's approach to information systems security.

Policy

Information is a valuable corporate asset, and as such, steps shall be taken to protect it from unauthorised modification, destruction or disclosure, whether accidental or intentional.

Information assets will be subject to risk assessment, and control measures will take into account the organisation's legislative and corporate regulatory obligations, customer expectations and business requirements.

The cost of such protection should be commensurate with the value of the information and the probability of the occurrence of a threat.

Table 9: The system access control policy

SYSTEM ACCESS CONTROL POLICY

Objective

To control access to the organisation's systems, applications, networks and information systems assets.

Principle

The implementation of protection measures provides an organisation with the capability to restrict the accidental or intentional unauthorised use of, or alteration to, information assets.

Underlying the concept of access control is the need for the organisation to embrace the following control principles:

• defence in depth.

• separation of duties.

• need to know.

• dual control.

Policy

System access control measures will include:

• Access to organisation systems must be restricted, and only authorised users are to be provided with access to information systems assets.

• Owners must be designated for all systems, applications, networks and information assets. If necessary, owners can nominate owner representatives to act on their behalf.

• Implementing system security features and, if appropriate, installing additional products to support or enhance control functions.

• All systems must be capable of identifying and authenticating the identity of users prior to allowing access to system resources.

• Controls over sensitive programs, system functions and utilities must be implemented to prevent unauthorised use.

• Implementation of controls and provision of access to systems, applications, networks and information is to be determined by their classification and the security specifications provided by each owner.

• Key information that is critical to the integrity of security systems, such as passwords, must be stored only in one-way (hashed) form using industry standard algorithms. DES and RSA are reversible ciphers rather than one-way functions: anyone holding the key can recover the plaintext, so on their own they do not satisfy this requirement.
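The Table 9 principles (identification and authentication before any access, owner-designated and classification-driven access, need to know, separation of duties, dual control, and one-way storage of passwords) fit together in a small reference monitor. The following Python is an added example written for this page, not code from the paper or its authors; the asset, users, rights, clearance ordering, PBKDF2 parameters and the rule that dual control applies to sensitive operations on "company secret" assets are all assumptions made for the illustration.

```python
# Added example for this page, not the paper's own code: a toy reference monitor
# for the Table 9 system access control policy. Asset, user and right names, the
# classification ordering, PBKDF2 parameters and the dual-control rule are assumed.
import hashlib, hmac, os
from dataclasses import dataclass, field

# Classification levels as listed in Table 13, lowest to highest.
LEVELS = {"unclassified": 0, "company confidential": 1, "company secret": 2}
# Separation of duties: rights one user may never hold together on one asset.
# Dual control: rights that need a second approver on "company secret" assets.
CONFLICTING = {("submit", "approve")}
DUAL_CONTROL = {"approve", "delete"}
PBKDF2_ROUNDS = 200_000


@dataclass
class Asset:
    name: str
    owner: str                                  # designated owner (Table 3)
    classification: str
    representatives: set = field(default_factory=set)  # appointed by the owner
    rights: dict = field(default_factory=dict)  # user name -> set of rights


@dataclass
class User:
    name: str
    clearance: str
    password_record: tuple                      # (salt, digest); never the password


def make_password_record(password: str) -> tuple:
    """Keep passwords only in one-way form (salted PBKDF2-HMAC-SHA256), not DES/RSA."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return (salt, digest)


def verify_password(record: tuple, password: str) -> bool:
    """Authenticate by recomputing the digest and comparing in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def grant(asset: Asset, grantor: str, user: str, right: str) -> None:
    """Only the owner or an appointed representative may authorise access
    (Tables 3 and 4); a grant that breaks separation of duties is refused."""
    if grantor != asset.owner and grantor not in asset.representatives:
        raise PermissionError(f"{grantor} may not authorise access to {asset.name}")
    held = asset.rights.setdefault(user, set())
    for pair in CONFLICTING:
        if right in pair and (held & set(pair)) - {right}:
            raise PermissionError(f"{user} would hold conflicting rights {pair}")
    held.add(right)


def check_access(asset: Asset, user: User, right: str, password: str,
                 second_approver: str = "") -> bool:
    """Decide one request, failing closed at the first check that is not met."""
    if not verify_password(user.password_record, password):   # identify/authenticate
        return False
    if LEVELS[user.clearance] < LEVELS[asset.classification]:  # classification
        return False
    if right not in asset.rights.get(user.name, set()):        # need to know
        return False
    if right in DUAL_CONTROL and asset.classification == "company secret":
        # Dual control: a second, distinct person who is independently
        # authorised for the same right must also approve.
        if second_approver in ("", user.name):
            return False
        if right not in asset.rights.get(second_approver, set()):
            return False
    return True


def demo() -> dict:
    """Constructed scenario; returns every decision so it can be checked."""
    ledger = Asset("payroll-ledger", owner="cfo", classification="company secret")
    ledger.representatives.add("payroll-mgr")
    alice = User("alice", "company secret", make_password_record("correct horse"))
    bob = User("bob", "company secret", make_password_record("battery staple"))
    carol = User("carol", "company confidential", make_password_record("hunter2"))
    grant(ledger, "payroll-mgr", "alice", "submit")
    grant(ledger, "payroll-mgr", "bob", "approve")
    grant(ledger, "payroll-mgr", "dave", "approve")
    grant(ledger, "cfo", "carol", "read")
    results = {
        "alice_submit": check_access(ledger, alice, "submit", "correct horse"),
        "alice_bad_password": check_access(ledger, alice, "submit", "wrong"),
        "carol_clearance_too_low": check_access(ledger, carol, "read", "hunter2"),
        "bob_approve_alone": check_access(ledger, bob, "approve", "battery staple"),
        "bob_approve_with_self": check_access(ledger, bob, "approve", "battery staple", "bob"),
        "bob_approve_with_alice": check_access(ledger, bob, "approve", "battery staple", "alice"),
        "bob_approve_with_dave": check_access(ledger, bob, "approve", "battery staple", "dave"),
    }
    # Two grants the policy must refuse: a duties conflict and a non-owner grantor.
    for label, grantor, who, right in (("sod_enforced", "cfo", "alice", "approve"),
                                       ("non_owner_grant_refused", "alice", "alice", "delete")):
        try:
            grant(ledger, grantor, who, right)
            results[label] = False
        except PermissionError:
            results[label] = True
    return results
```

demo() builds the constructed scenario and returns each decision. The order of checks in check_access is deliberate: authentication fails closed before any policy data is consulted, the clearance test enforces the classification rule even for a user the owner has authorised, and the dual-control branch rejects a second approver who is the requester or who is not independently authorised for the same right. The password record is the part most often got wrong in practice; swapping make_password_record for DES or RSA encryption would let anyone holding the key recover every password, which is what the "one-way" wording in the policy is meant to rule out.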


Table 10: The personnel security policy

PERSONNEL SECURITY POLICY

Objective

To reduce the likelihood of employee-related risks associated with human error, theft, fraud or misuse of facilities.

Principle

The security of information systems and data is dependent upon the integrity, reliability and expertise of the people who manage and operate them. Rapid technological advances have created unparalleled opportunities for fraud, embezzlement, unauthorised disclosure, theft (of software and hardware) and other abuses.

There is often a perception that information systems security issues can be resolved simply by implementing technical solutions. This attitude is flawed: technical solutions certainly contribute to the overall management of information asset security, but ultimately the success of any asset security program rests with the people working for the organisation. These groups include direct internal employees of the organisation and external contractors and consultants.

It is therefore important that organisations implement personnel security policies that reduce the inherent risks associated with providing personnel with access to information systems.

Policy

Personnel security policies related to information systems assets will include:

• Security roles and responsibilities are to be defined within the job descriptions of all personnel working for the organisation.

• All applications for employment involving access to sensitive systems and information should be screened to verify the applicant's references, curriculum vitae, academic and professional qualifications, and identity.

• All personnel should be provided with ongoing information asset security awareness and education.

• Confidentiality agreements are to be signed by all personnel working for the organisation.

• All personnel have an obligation to report security-related incidents such as security weaknesses, breaches of systems security and software malfunctions.

• All personnel will be subject to formal disciplinary action in the event that they violate organisational security policies, standards and procedures.

Table 11: The physical and environmental policy

PHYSICAL AND ENVIRONMENTAL SECURITY POLICY

Objective

To prevent unauthorised access, damage and interference to information system services. Environmental security includes the continued operation of the environment that houses the computer equipment, for example air-conditioning and heating, and the ongoing provision of utility services, such as electrical and water supplies.

Principle

Many organisations have a large investment in information systems and in the premises used to locate computer equipment. The continuity of information system services is dependent upon the continued availability and operation of this equipment.

The restriction of physical access to computer facilities and equipment is an important method of control for protecting an organisation's sensitive information systems and information.

The objectives of physical security measures are to prevent unauthorised access, theft, loss, illicit use and accidental or intentional damage occurring to information system assets.

The objective of environmental security is to ensure that computer equipment is located and protected in a way that reduces the risks from environmental hazards and disruptions to critical support services.

Policy

Physical security policies related to information assets include:

• The defence in depth principle should be applied to create layers of security perimeters around and within computer facilities.


• Restricted zones should be created around critical information assets.

• Entry to secure areas should be protected by installing electronic access controls, mechanical locks and deadbolts.

• Security containers should be used to store sensitive information, assets and media.

• Access to secure areas should be monitored using security personnel, electronic intrusion detection systems, closed circuit television (CCTV) and access control systems.

• A clear desk policy should be introduced to protect information from unauthorised access.

Environmental security policies related to information systems assets include:

• Computer communication equipment must be located in a place that is unlikely to experience natural or man-made disasters.

• Computer facilities must be protected against fire and water damage, vandalism and other threats.

• Where appropriate, contingencies should be made to ensure that no single point of failure exists in service or utility supplies, such as electricity, air conditioning and telecommunication links.

• Power and telecommunication cabling should be protected from interception or damage.


Table 12: The telecommunications security policy

TELECOMMUNICATIONS SECURITY POLICY

Objective

To protect information whilst it is being transmitted through a telecommunications network, and to protect the components comprising the network infrastructure.

Principle

Many organisations are interfacing or connecting their existing systems to external network environments (for example, the Internet), and as such it is critical that the security issues relevant to controlling and restricting access to internal systems be considered.

The process of interconnecting systems to established networks, or connecting to external networks, requires that entry access points be created into an organisation's systems or internal networks.

It is these access points that can provide unauthorised individuals with entry paths into an organisation's IT systems.

As well as the possibility of remote users accessing systems, the confidentiality and integrity of information on the network is at risk. The availability of the network can also be compromised.

Policy

Telecommunications security policies include:

• Communication system features that address confidentiality, integrity and availability requirements shall be commensurate with the requirements of the application; e.g. authentication, error detection and correction, and alternate routing.

• A security audit of communications shall be conducted annually to review the implementation and effectiveness of the security features and access controls to systems and data resources.

• The assignment of network access privileges, and control of proxy accounts and default network accounts, for all network users shall be centrally controlled, authorised and documented.

• Passwords and other security-related information shall be encrypted when transmitted.

• The transmission of all highly sensitive information must be protected by approved cryptographic processes such as DES or RSA.

The transmission of other sensitive information should be protected by controlled communications measures, such as:

• Dedicated circuits.

• Line encryption.


• External access control devices; for example, challenge/response systems, smart cards and tokens.

• External connections authenticated by dial-back systems.

• Computer communications equipment must be located in a place that is unlikely to experience natural or man-made disasters.

• Firewall systems and technologies must be used to isolate and secure trusted systems and networks from untrusted systems and networks.

Table 13: The information classification policy

INFORMATION CLASSIFICATION POLICY

Objective

To ensure that information assets receive a level of protection that is commensurate with the business sensitivity or criticality of the information.

Principle

Information assets should be classified according to their criticality to the organisation so that the appropriate levels of control can be implemented for each set of information.

By classifying information and information systems, judgements can be made in regard to the types of controls required and, more importantly, who should be provided with access and at what level. Typically, classifications might include levels such as unclassified, company confidential and company secret.

It is important to understand that these classifications have a significant role in both manual paper-based systems and computer-based systems.

Policy

Information classification policies include:

• All information assets must have a designated owner who is responsible for classifying the information.

• Information assets shall be classified according to their confidentiality, integrity, availability and business value to the organisation.

Table 14: The business continuity planning policy

BUSINESS CONTINUITY PLANNING POLICY

Objective

To ensure plans are available to counteract or minimise the impact of interruptions to business activities caused by the unavailability of information systems.

Principle

Business continuity planning is the process of implementing procedures to assure the availability of information system processing capabilities in the event of a disaster.

This is a major issue in risk management, as most organisations are so reliant on their information systems that a sustained outage could threaten the very existence of the company.

It is essential that contingency plans are established and thoroughly tested for all critical business and operational support systems.

Policy

Business continuity planning policies include:

• Business managers must identify their critical information systems, the levels of service required, and the maximum tolerable period of unavailability for each system.

• Business managers must assign a processing priority to information systems for the purpose of determining backup and recovery processing requirements.

• Continuity plans must be developed, documented and maintained to ensure that business units can continue to operate during and following disaster situations.


References

1. Caelli, W., Longley, D. and Shain, M. (1994). Information Security Handbook. Macmillan Press Ltd: New York.

2. Bayuk, J.L. (2001). Security metrics: How to justify security dollars and what to spend them on. Computer Security Journal, 17(1), 1-12.

3. Magklaras, G.B. and Furnell, S.M. (2002). Insider threat prediction tool: Evaluating the probability of IT misuse. Computers & Security, 21(1), 62-73.

4. Cheswick, W. and Bellovin, S. (1995). Firewalls and Internet Security: Repelling the Wily Hacker. Reading: Addison-Wesley.

5. Stoll, C. (1989). The Cuckoo's Egg. London: The Bodley Head Ltd.

6. Flohr, U. (1995). Bank Robbers Go Electronic. Byte, http://www.byte.com/art/9511/sec3/art11.htm.

7. Gaudin, S. (2000). Case study of insider sabotage: The Tim Lloyd/Omega case. Computer Security Journal, 16(3), 1-9.

8. Lodin, S. (1999). Intrusion detection product evaluation criteria. Computer Security Journal, 15(2), 1-10.

9. Devargas, M. (1995). The Total Quality Management Approach to IT Security. NCC Blackwell.

10. Garcia, M.L. (2001XXX). YYY TTT OO PPP. Boston: Butterworth-Heinemann.

11. Greenwald, J. (1995). A Blown Billion: Daiwa Bank's rogue employee allegedly made 30,000 illicit trades. Why didn't anybody notice? Time Magazine, 146(15).

12. Pfleeger, C. (1989). Security in Computing. New Jersey: Prentice Hall.

13. Keen, P.G.W. (1997). Dear CEO: Welcome to 2001; See you in court. Computer World.

14. Herold, R. (2000). How to develop and communicate company privacy policies. Computer Security Journal, 16(2), 1-10.

15. Bace, R. (2000). Intrusion Detection. Macmillan Technical Publishing, Technical Series, IN: Chapter 5.