The Development of Access Control Policies for Information Technology Systems Peter Ward and Clifton L Smith‡ Edith Cowan University, School of Engineering and Mathematics Joondalup Campus, Joondalup, Western Australia 6027 E-mail:
[email protected] ‡ Visiting Professor, Department of Electrical and Electronic Engineering Nottingham Trent University, Burton St, Nottingham, UK
Abstract
The identification of the major information technology (IT) access control policies is required to direct “best practice” approaches within the IT security program of an organisation. In demonstrating the need for security access control policies in the IT security program, this paper highlights the significant shift away from centralised mainframes towards distributed networked computing environments. The study showed that the traditional and proven security control mechanisms used in mainframe environments were not applicable to distributed systems, and as a result a number of inherent risks were identified with the new technologies.
Security theories determine the types of security controls that are appropriate for the protection of the information assets of an organisation, and these controls in turn are reflected in the policies that are developed to implement these strategies. The approaches to the development of access control policies will generally depend upon strategies that have been developed in physical security and business contingency management.
Because of the critical nature of the information assets of organisations, appropriate risk management strategies should be afforded through access control policies for the IT systems. The changing technology has rendered mainframe centralised security solutions ineffective in providing controls on distributed network systems. This investigation revealed that policies for access control of an information system, derived from corporate governance guidelines and risk management strategies, were required to protect the information assets of an organisation. The paper proposes a high level approach to implementing security policies through information security responsibilities, a management accountability policy, and other baseline access control security policies for individual and distributed systems.
Computers & Security Vol 21, No 4, pp356-371, 2002. Copyright ©2002 Elsevier Science Ltd. Printed in Great Britain. All rights reserved. 0167-4048/02 US$22.00
Keywords: Access control, IT policies, distributed systems, security policies, access control policies.
Introduction
Prior to the 1980s, many organisations operated large centralised computing environments that were centrally managed, and from a security perspective were relatively easy to control [1]. The majority of organisations relied on physical security measures to protect their computer processing installations, and the communication environments were simple proprietary wide area networks (WANs) that generally did not provide external access to other networked environments. Security control mechanisms were also easier to implement, as system originators such as IBM recognised the need to implement specific security control points within their operating systems to cater for their customers’ requirements for more effective security and access controls. In fact, IBM introduced the System Authorization Facility (SAF) as a component of their major mainframe operating system, MVS. This facility was used to provide a focal point for security authorisations within the MVS operating system. The need to control access to the operating systems was well recognised, and has resulted in mature security product developments such as RACF and ACF2 in the MVS world. These security solutions are able to
P. Ward and C.L. Smith Access control policies for information technology systems
integrate with other system utilities and business application solutions to implement secure, centralised access controls over system and network access within the mainframe environment. During the 1980s and 1990s there was a significant shift away from centralised mainframe systems to more distributed computing environments incorporating:
• Personal Computer (PC) systems.
• Local Area Networks (LANs) and Wide Area Networks (WANs).
• Distributed and disparate systems.
• Proprietary and non-proprietary networking protocols.
• Interconnection of disparate network environments.
This shift towards distributed environments also resulted in a number of inherent security risks in the systems, such as:
• Use of insecure operating systems such as MS-DOS and early versions of UNIX.
• Inadequate or nonexistent installation of network and operating system security controls.
• Lack of understanding or awareness of security exposures associated with new and developing technologies.
• Lack of security policies covering the security management of the new distributed system environments.
Although these security risks existed, many organisations recognised the tremendous advantages that the new distributed technologies provided, and moved their critical business application processing from the centralised mainframe environments to distributed network environments. In recent times, the capability to conduct effective systems management activities [2], including maintaining security access controls, across organisations’ distributed enterprise systems has raised concerns. System software vendors have recognised both the need and the enormous market potential, and are now developing products that allow companies to implement enterprise security solutions [3]. The dynamic evolutionary nature of computing developments requires that security policies be continually developed to address the significant changes that are constantly occurring. For example, the advent of the Internet has forced businesses to connect their previously isolated systems to the Internet in an effort to gain a competitive advantage, or to meet competitor challenges. Many of the systems connected to the Internet have not addressed, or have not been capable of addressing, access control security appropriately [4]. As a result, many organisations have had their systems accessed by unauthorised individuals to the detriment of the organisation [5, 6]. It is important to understand that in many distributed environments, organisations shifted responsibility for systems and security management from the centralised IT department to the individual business units. The security access control policies developed for the IT department were not, in many cases, binding on the business units, and this practice could have resulted in inconsistencies in the levels of controls implemented on systems across the enterprise.
Clifton L Smith
Dr Clifton Smith is the Associate Professor, Security Science in the School of Engineering and Mathematics, Edith Cowan University, Perth, Western Australia. Professor Smith conducts research in IT security, biometric imaging, and security education, and he has developed the professional security programmes of Bachelor of Science (Security), Master of Science (Security Science), and Doctor of Philosophy (Security Science).
Peter Ward
Mr Peter Ward is a graduate of the Bachelor of Science (Security) course at Edith Cowan University, Perth, Western Australia. Mr Ward is an IT security consultant in the financial and banking industry, specialising in the development of policy for access control of proprietary information.
The inconsistent implementation of security management controls is considered a major risk in today’s networked environments. This has become a significant issue, as there is no benefit in installing sophisticated access controls on one system to create a “trusted environment” when those controls can be simply bypassed by an unauthorised user gaining access to that “trusted environment” through a gateway connected system which has inadequate controls installed.
What is clear, however, is that every network and system access point that provides connectivity with external network environments can be used to gain unauthorised access to company systems and information. Development of access control policies to protect all systems is essential in implementing effective internal control processes consistently across all systems.
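The gateway problem described above can be made concrete with a small connectivity model. The following is an added illustration, not code from the paper: it computes the control level an outsider actually has to defeat to reach a “trusted” system, given that a logged-on user of one system can move to any connected system, and lists every connected system whose controls fall below a policy baseline. The systems, control levels, links, access points and the baseline value are all constructed for the example.

```python
# Added example (not from the paper): a small model of the "trusted environment"
# problem. Every system, control level, link and access point below is
# constructed for illustration; the policy baseline is an assumed value.

# Assessed control level for each system: 0 = no access controls, 3 = full baseline.
CONTROL_LEVEL = {
    "internet-gateway": 3,
    "partner-link": 1,      # gateway-connected system with inadequate controls
    "file-server": 2,
    "core-banking": 3,      # the "trusted environment" with sophisticated controls
}

# Network connectivity; a link means a user of one system can reach the other.
LINKS = [
    ("internet-gateway", "file-server"),
    ("partner-link", "file-server"),
    ("file-server", "core-banking"),
]

# Systems that provide connectivity with external network environments.
EXTERNAL_ACCESS_POINTS = ["internet-gateway", "partner-link"]

# Assumed policy baseline: the minimum control level every connected system must meet.
POLICY_BASELINE = 3


def adjacency(links):
    """Build an undirected adjacency map from the link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable_from(start, adj):
    """All systems reachable from `start` over the links (depth-first search)."""
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def effective_protection(target, levels=CONTROL_LEVEL, links=LINKS,
                         entry_points=EXTERNAL_ACCESS_POINTS):
    """The control level an outsider must actually defeat to reach `target`:
    the weakest external access point connected to it, or the target's own
    controls if no access point can reach it."""
    adj = adjacency(links)
    connected = [e for e in entry_points if target in reachable_from(e, adj)]
    return min([levels[target]] + [levels[e] for e in connected])


def policy_gaps(target, baseline=POLICY_BASELINE, levels=CONTROL_LEVEL, links=LINKS):
    """Systems sharing a network with `target` whose controls fall below the
    baseline, i.e. where a consistent access control policy has not been applied."""
    adj = adjacency(links)
    return sorted(s for s in reachable_from(target, adj) if levels[s] < baseline)


if __name__ == "__main__":
    print("effective protection of core-banking:", effective_protection("core-banking"))
    print("systems below policy baseline:", policy_gaps("core-banking"))
```

With the constructed data, core-banking is rated at the full baseline but is effectively protected only at level 1, because partner-link reaches it through file-server; both of those systems are reported as policy gaps. Removing the weak links, or raising those systems to the baseline, restores the protection to the level the trusted system was designed for.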
IT Security Issues
The issue of security is one that can be easily misconstrued by both management and staff alike. As with most facets of management activity, implementation of controls on information systems is not a technical problem but a people problem, as individuals with sufficient motive and desire can, and will, find ways to circumvent technical control mechanisms [7][8].
Why information systems security?
It is important to understand what information systems security means and how it affects the organisation and people. The Macquarie Dictionary provides a general broad description of ‘freedom from danger, risk, etc.; safety: something that secures or makes safe; a protection; a defence’; while Devargas [9] declares ‘the protection of information assets from accidental or malicious unauthorized disclosure, modification, or destruction, or the inability to process that information is necessary for a secure system’. Most current organisations are dependent on computing systems to provide them with the quality information necessary to conduct their business operations and decision-making activities. It is appropriate that computing resources and information be viewed as critical assets and, as is the case with other critical assets, they should also be afforded appropriate risk control strategies.
The implementation of logical access controls on computer systems is considered an integral component in the protection of systems and information. However, it is not appropriate to install controls in isolation, without first identifying what approaches should be adopted in regard to security across the enterprise. These approaches should be embraced within the organisation’s overall business risk management strategies and defined in security policies that detail executive management directions on the relevant control issues.
Perceptions
While physical access controls such as locks, access keys and CCTV systems are more evident, computer security access control systems are not well understood by people. Personnel are often unaware of security policies and standards that relate to information systems, as computer security training is lacking. Many managers are inwardly focused and consider that security can disrupt their operations. Often they may not identify with the objectives of access controls, while staff may consider that access controls are designed for surveillance, to ensure that they are working properly. In some instances, these perceptions may be sufficiently strong that the effectiveness of security mechanisms is deliberately bypassed or diminished by people, through sharing their system logons and passwords, or writing their passwords down and placing them within easy reach of others. The personnel of the organisation must be aware of their responsibilities for security, as the success of an information system security program is dependent on gaining the commitment of all staff. It is the implementation of controls, whether automated or manual, that reduces the likelihood of disruptions to information systems in order to:
• maximise the availability of systems and information;
• provide assurance that the integrity of systems, processing and information is maintained; and
• ensure that the confidentiality of information is preserved.
The development and dissemination of information systems access control policies is the first step in providing an understanding of the need for security and the strategies for protection. The IT security policies also provide the basis for displaying executive management commitment to IT security.
Risk Management
The protection of computer systems, computer applications and the information residing on these systems should be embraced within an organisation’s overall business risk management strategies. Information must be considered as a critical asset and as such it is important that the threats to those assets be carefully identified and measures implemented to negate or significantly reduce the impact of those threats should they materialize. The implementation of protective measures over company assets should never be an arbitrary process, but one that takes into account the value of assets and their criticality to organisational success. By applying risk management techniques to information assets, an organisation can conduct analysis to identify threats and the appropriate countermeasures that provide a level of protection that is commensurate with the level of risk.
Defence in Depth
The Defence in Depth (DinD) principle has been derived from physical security, and can be applied to information systems security. The DinD principle embraces the following functions:
• Deterrence — any action that discourages unauthorised users from accessing information systems through fear.
• Detection — actions that recognize unauthorised access or violations of access privileges on information systems, and includes the capability to trace authorised access.
• Delay — actions that impede the progress of unauthorised users and reduce the amount of damage that occurs if unauthorised access is successful.
• Response — actions necessary to trace intruders or investigate breaches of security controls, and minimize potential damage to systems after detection.
The Defence in Depth principle is based on a succession of barriers that includes the outer and inner perimeters of systems, the network access points, the capability to logon to the system and business applications, use of operating system privileged functions, and access to the data resident on the system. Security policies provide direction on how access controls should be installed on information systems across the organisation [10].
Separation of Duties
The principle of separation of duties is concerned with ensuring that the formal responsibilities and activities of personnel are defined so that appropriate checks and balances are in place to ensure that no one person is in a position to commit fraudulent or unauthorised activity. This principle is particularly important in respect to access on information systems, since the capability to commit fraudulent or unauthorised activities in online systems can result in significant losses. In this context it is essential that the functional roles of individuals be segregated so that a person is not capable of completing a given set of transactions without proper approval mechanisms. In effect, for a fraud to be committed it would be necessary for collusion to occur between two or more individuals. Although this principle is considered to be a fundamental internal control mechanism, it is often neglected by organisations and can have significant and disastrous ramifications for the business. The Barings Bank in Singapore and the Japanese Daiwa Bank financial losses were examples of neglect of the separation of duties principle [11].
Need to Know
The need to know principle relates to the necessity to provide access to systems and information based on a person’s defined role or job function within the organisation, and provides personnel with the access needed to perform their specific and normal work activities. The need to know principle complements the separation of duties principle. For this principle to be effective, it is essential that the responsibilities of each role and the access requirements of each individual are clearly defined. Higher security controls and restrictions should be applied to more sensitive system function capabilities and information. It is not appropriate to provide access simply because of a person’s status or seniority within the hierarchy of the company [12].
Dual Control
Dual control involves separating or splitting functions with information so that individuals do not have the capability of completing sensitive transactions or have access to information which would allow them to commit fraudulent activities. Examples of dual control for information systems are:
• The process of moving new or modified programs into a live production system should only be performed when a minimum of two authorisations has been provided.
• The keys used for encrypting information, for example bank customers’ ATM card Personal Identification Numbers (PINs), should always be split between two individuals. If a key was held by one individual, then that person would have sufficient information to decrypt the sensitive PIN information, create duplicate ATM cards, and use the cards and valid decrypted PINs to access the accounts of customers.
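The three principles above (separation of duties, need to know and dual control) can be enforced mechanically rather than left to procedure. The following is an added example, not code from the paper: a minimal access-control model in which rights follow the role rather than seniority, a production change needs approvals from two distinct people who are not its submitter, and an encryption key exists only as two components held by separate custodians. The roles, users, action names, change identifiers and the sample key are all constructed for the illustration.

```python
# Added example (not from the paper): a minimal access-control model enforcing
# need to know, separation of duties and dual control. All roles, users, actions
# and the sample key are constructed for illustration.
import secrets

# Need to know: each role carries only the rights needed for its work.
ROLE_PERMISSIONS = {
    "developer": {"read_source", "submit_change"},
    "release_manager": {"approve_change", "deploy_change"},
    "auditor": {"read_audit_log"},
    "chief_executive": set(),   # seniority confers no system rights by itself
}

USER_ROLES = {
    "alice": {"developer"},
    "bob": {"release_manager"},
    "carol": {"release_manager"},
    "dave": {"chief_executive"},
}


def permitted(user, action):
    """True if any of the user's roles grants the action."""
    return any(action in ROLE_PERMISSIONS[role] for role in USER_ROLES.get(user, ()))


class ProductionChange:
    """A program change bound for the live system. Separation of duties: the
    submitter can never approve it, and it needs approvals from two different
    people before it is deployable."""

    REQUIRED_APPROVALS = 2

    def __init__(self, change_id, submitter):
        if not permitted(submitter, "submit_change"):
            raise PermissionError(f"{submitter} may not submit changes")
        self.change_id = change_id
        self.submitter = submitter
        self.approvers = set()      # a set, so one person cannot approve twice

    def approve(self, approver):
        if approver == self.submitter:
            raise PermissionError("a submitter cannot approve their own change")
        if not permitted(approver, "approve_change"):
            raise PermissionError(f"{approver} may not approve changes")
        self.approvers.add(approver)

    def deployable(self):
        return len(self.approvers) >= self.REQUIRED_APPROVALS


# Dual control: the key is split into two components held by two custodians.
# Component A is random; component B is key XOR A, so either component alone
# is statistically independent of the key and the key exists only when combined.
def split_key(key):
    component_a = secrets.token_bytes(len(key))
    component_b = bytes(k ^ a for k, a in zip(key, component_a))
    return component_a, component_b


def combine_key(component_a, component_b):
    if len(component_a) != len(component_b):
        raise ValueError("key components must be the same length")
    return bytes(a ^ b for a, b in zip(component_a, component_b))


if __name__ == "__main__":
    change = ProductionChange("CHG-0001", "alice")
    change.approve("bob")
    change.approve("carol")
    print("deployable:", change.deployable())
    pin_key = bytes.fromhex("0123456789abcdeffedcba9876543210")   # constructed sample key
    part_a, part_b = split_key(pin_key)
    print("recovered:", combine_key(part_a, part_b) == pin_key)
```

The approver set is the detail that matters: a second approval from the same release manager does not count, so collusion between two people is required to move an unapproved change into production, which is exactly the property the separation of duties principle aims for. The XOR split is the simplest key-component scheme; a production implementation would additionally log each custodian’s entry of their component.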
Accountability
The consequences for Chief Executive Officers (CEOs) who fail to manage areas of risk that result in significant losses could well be future litigation. Nowhere is this more evident than the current debate on the issues related to corporate management responsibilities in regard to the Year 2000 (Y2K) issue, the so-called Millennium bug. The issue for CEOs is most excellently summed up by Keen [13]:
“CEOs won’t be able to plead that they weren’t informed of the issue; ignorance won’t be a plausible defense. They will have to show that, once informed, they personally acted as leaders in a business crisis: that they sanctioned the full, needed investment for the technical work, ordered an in-depth business risk assessment (economic, safety, organizational, supply chain, contract performance and the like) and put in place a contingency plan to handle any crisis created by the year 2000 fallout. The minutes of their top management meetings and boards of directors meetings will be scrutinized for evidence of the attention they paid and the progress reports they routinely got.”
Although lacking the high profile of the Y2K problem, it is equally incumbent on executive management to manage and mitigate the security risks associated with the use of information systems, to protect the computer processing capabilities and sensitive information of the organisation.
Risk Management and Internal Control Methodologies
In addition to corporate governance requirements, there is now consistent evidence that organisations are being driven towards a focus on risk management through existing and evolving internal control strategies and standards which are part of the normal processes associated with conducting business. In the past, companies placed a heavy reliance on the work of auditors as a risk control strategy. In the 1980s and 1990s there were numerous examples of high profile corporate failures. As a result there has been much study, and a realisation that for risk management strategies to be effective they must be implemented as internal controls within an organisation’s daily business activities. The following two internal control frameworks are being adopted and implemented by organisations worldwide. They also emphasise the need for the policy development and access control activities required to protect the integrity of internal information systems:
• Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control - Integrated Framework. In the USA in 1987, a group of leading accounting and finance bodies formed the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The commission was formed to investigate causal factors behind fraudulent financial reporting and a spate of spectacular control failures in the USA. A major objective of the committee was to assist public companies to improve their systems for controlling risk. The thrust of the COSO report is that when controls are integrated into business processes, fewer controls are necessary. The report included specific references to common processes involved in information systems risk management methodologies, such as the inherent need to manage business risks.
• Control Objectives for Information and Related Technology (CobiT). CobiT was developed by the Information Systems Audit and Control Association (ISACA) to provide organisations with a comprehensive framework of generally applicable IS security control practices for information technology. It is designed to provide more focus on aligning IT control objectives with the business processes of an organisation, and will allow management to benchmark its control environment against standards of policy and good practice implemented worldwide. The development of CobiT is such that it embraces many of the concepts of the COSO report and other related IS auditing and accounting control standards. CobiT has been an internationally developed framework that has called upon specialists across ISACA chapters, primarily in the USA and Europe.
Access Control Policies
Most organisations are dependent on computing systems to provide them with the quality information necessary to conduct their business operations and decision-making activities. These information systems and the information contained within them are often critical to the ongoing success and viability of a company. As with other critical assets, they should be afforded risk control strategies to ensure that all information system resources are provided with an appropriate level of protection [14]. As security is a management problem and not a technical problem, it is important that management provides and displays commitment to the issue [12]. Policies contribute to the overall management of information security by providing clear statements on the approaches to be taken in key areas to ensure protection of information assets. Policies are important in that they provide direction and define rules on how an organisation wishes to operate. Without access control policies to provide direction, it is likely that the protection provided for information assets would be inadequate and inconsistent. This deficiency could expose the organisation to new threats and vulnerabilities that could result in the confidentiality, integrity and availability of information systems being compromised [15]. The purpose of the policies developed in this study was to define and document the guiding principles with which all business units within an organisation are required to comply in controlling access to information systems assets. However, the extent of policy implementation is determined by the size and complexity of the organisation, where each policy is supported and approved by the Executive Management and the Board of Directors. Policies should be aligned to the specific needs of each organisation and define generic security requirements for all computing environment assets within the organisation, including:
• personnel involved in information systems activities;
• hardware, including mainframe, mini and personal computer systems, computer peripheral devices and all telecommunication and network components;
• software, including the operating systems, utilities, system support products, application delivery systems, database management systems and application programs;
• data, including information that is stored in or processed by systems, or communicated through network environments.
Objectives
The development of objectives for the security of IT in an organisation is crucial, as the information assets must be protected. The major objectives of security policies are to:
• Provide direction and understanding on the need for information systems asset security and provide detail for senior management support.
• Define the roles and responsibilities associated with the management of information systems security.
• Recommend baseline security standards and controls for information systems access.
• Assist the organisation to implement consistent controls throughout the enterprise.
• Formalise and document security control requirements to aid in the internal and external review of the adequacy of planned or implemented protection systems and methodologies.
Security Solution Directions
Corporate information system architectures have altered considerably in the last 10 years. During the 1980s and 1990s, there was a significant shift away from centralised mainframe systems to more distributed computing environments using:
• Personal Computer (PC) systems.
• Local Area Networks (LANs) and Wide Area Networks (WANs).
• Distributed and disparate systems.
• Proprietary and non-proprietary networking protocols.
• Interconnection of disparate network environments.
Unfortunately these system architectures introduced inherent security risks, and until recently there were no effective security management solutions available. In the past, security-aware organisations implemented controls on their isolated systems using either base operating system security functions or security software solutions. These approaches can be referred to as point solutions, as generally they were confined to one system architecture or environment. For example, in the MVS environment RACF, ACF2 and TOP-SECRET were used; for the TANDEM Guardian operating system, TANDEM’s SAFEGUARD product was utilized; for the AS/400 the OS/400 operating system security was adopted; and for WINDOWS/NT the operating system security software was employed. The difficulty and complexity of managing security for these environments was further complicated when considering the need to provide effective security over other products installed on systems, such as relational database management systems, and the business applications themselves. Clearly, the use of distributed network environments using disparate system platforms represents a significant issue for those organisations concerned about the security of their information systems. More recently a number of software vendors, such as Computer Associates (CA) with CA-Unicenter and Tivoli Systems with TME 10, have developed products that provide centralised integrated security solutions for information system architectures that comprise distributed computing environments using disparate systems. These products offer enhanced benefits in providing the mechanisms by which consistent security policies can be centrally implemented for distributed enterprise-wide information systems.
An Implementation Strategy Because the security policies drive the lower level security activities associated with actual implementation of control measures, the processes of developing, approving and disseminating policies is both a demanding and resource-intensive activity, and should be allowed for when developing detailed project
management plans. The following stratgeic plan indicaties the stages required for the implementation of security policies within an organisation: • Phase 1 - Project Initiation: The Table 1: Information security responsibilities
INFORMATION SECURITY RESPONSIBILITIES Objective Define roles and responsibilities associated with effectively managing information systems security within the organisation.
Principle All employees within the organisation have an obligation to adhere to information security policies. However, there are varying levels of responsibilities for each individual depending upon their role within the organisation and the designated activities associated with the performance of their position. The processes required to support the implementation of security policies, standards and procedures call for specific roles and responsibilities to be defined for all people involved in the development, implementation and use of information systems. The security roles and responsibilities that apply are: • Management • Information asset owner • Information asset owner representative • User • Information systems (IS) service provider Table 2: The roles and responsibilities for management
MANAGEMENT ROLES AND RESPONSIBILITIES Individuals who have been appointed to management positions are required to take a leadership role in regard to protecting assets of the organisation. These managers are responsible for: • Identifying information assets for which they are accountable and defining protection requirements. • Authoring use of information assets. • Assigning ownership authority for specific information assets. • Ensuring that control policies and procedures are implemented and maintained. • Ensuring personnel under their control are educated and aware of the need for, and apply, information asset protection policies, standards and procedures. • Responding immediately to occurrences involving breaches of security or implementing corrective action to resolve identified information asset security exposures. • Conducting security compliance self assessments. • Approving system, application, network and information security control plans and risk assessment/acceptance reports. • Ensuring business continuity and contingency plans are developed, implemented and tested for critical information systems, applications and networks.
363
P. Ward and C.L. Smith Access control policies for information technology systems
appointment of a project team and steering committee comprising manager representatives is necessary.
• Phase 2 - Security Policy Development: The development of security policies in detail, according to a theory or set of principles, to protect the assets of the
Table 3: The roles and responsibilities for the information asset owner
INFORMATION ASSET OWNER ROLES AND RESPONSIBILITIES
The information asset owner is a manager or management representative authorised to make and communicate judgements and decisions regarding the identification, classification and protection of information assets for which they are accountable. Information asset owners are responsible for:
• Assessing the asset's value and importance.
• Classifying assets and specifying the appropriate security control requirements.
• Ensuring that effective and efficient information asset protection measures are implemented to control access and meet specified requirements.
• Authorising access and assigning custody of information assets.
• Conducting periodical reviews of classification and control decisions.
• Participating in risk assessment and risk acceptance of information assets.
• Identifying security exposures, asset misuse or non-compliance with policies and advising management as soon as an occurrence is recognised.
Table 4: The roles and responsibilities for the information asset owner representative
INFORMATION ASSET OWNER REPRESENTATIVE ROLES AND RESPONSIBILITIES
Information asset owner representatives are managers or management representatives appointed by an owner to communicate decisions regarding asset protection requirements and authorisation of access requests on behalf of the owner. Owner representatives are defined to provide owners with the capability to delegate a sub-set of responsibilities to others who may be better placed to perform the relevant activities. Delegation does not abrogate the owner's responsibility to ensure that information assets under their control are properly protected. Information asset owner representatives are responsible for:
• Authorising access and assigning custody of information assets.
• Specifying the appropriate security control requirements.
• Identifying security exposures, asset misuse or non-compliance with policies and advising management as soon as an occurrence is recognised.
Table 5: The roles and responsibilities for the user
USER ROLES AND RESPONSIBILITIES
A user is any person or organisation using the organisation's information system asset resources. Users are responsible for:
• Complying with information asset security policies, standards and procedures.
• Using information assets only when authorised and only for approved purposes.
• Ensuring that individual system logon identifiers and passwords are not shared with other people. Passwords should meet access policy requirements and never be disclosed to any other person.
• Ensuring that they use control functions and capabilities effectively.
• Identifying security exposures, asset misuse or non-compliance with policies and advising management as soon as an occurrence is recognised.
P. Ward and C.L. Smith Access control policies for information technology systems
organisation. This will involve consultation with interested and affected parties, so that negotiation may be necessary to defend the policy objectives.
• Phase 3 - Consultation and Approval Process: Consultation with management representatives for approval of policies by the Board of Directors is crucial for the success of the security strategy.
• Phase 4 - Security Awareness and Policy Education: Security awareness training and policy education sessions should be conducted with all affected groups and departments in the organisation.
• Phase 5 - Disseminate Policies: The dissemination of the developed policies throughout the organisation is essential for effective impact.
Development of Policies
A set of IT security policies has been developed to indicate the appropriate approach for comprehensive protection of the information assets of the organisation.
The policies have been categorised according to their function in the asset protection strategy.
Information Security Responsibilities
The personnel and organisations responsible for information security have been determined to be management, the information asset owner, the information asset owner representative, the user, and the information systems service provider. Table 1 describes the objective and principle of information security responsibilities.
Roles and Responsibilities
The following information systems security roles and responsibilities apply to management, the information asset owner, the information asset owner representative, the user, and the information systems service provider. Table 2 describes the roles and responsibilities for management, Table 3 for the information asset owner, Table 4 for the information asset owner representative, Table 5 for the user, and Table 6 for the information systems service provider.
The following information security policies have been developed for the personnel and organisations involved in information asset protection: the management accountability policy (Table 7), the information systems security policy (Table 8), the system access control policy (Table 9), the personnel security policy (Table 10), the physical and environmental policy (Table 11), the telecommunications security policy (Table 12), the information classification policy (Table 13), and the business continuity planning policy (Table 14). The policies are intended to be indicative of requirements for the protection of IS assets in an organisation.
Table 6: The roles and responsibilities for the information systems service provider
INFORMATION SYSTEMS SERVICE PROVIDER ROLES AND RESPONSIBILITIES
The IS service providers are suppliers of information asset services to support the business functions of the organisation. An IS service provider for information asset security is responsible for:
• Identifying information asset security control solutions, defining system security architectures and providing strategic direction on security developments.
• Communicating control processes, procedures and restrictions that are applicable to the system environments of owners and users.
• Providing and administering owner-specified information asset security and access controls for information assets.
• Ensuring that owners are advised of any planned changes to the system environment or security product solutions that may affect the security of assets under their control.
• Ensuring that physical and procedural controls of information assets are enforced.
• Providing for timely detection of, and effective response to, any violation of implemented information asset security controls.
• Identifying security exposures, asset misuse or non-compliance with policies and advising owners and management as soon as an occurrence is recognised.
Conclusion
The protection of the IT assets of an organisation is crucial for the maintenance of business continuity. The development of appropriate security policies to guide the implementation of security for the protection of assets is an important phase of the risk management strategy. These policies for the protection of the IT assets of the organisation should be communicated to all personnel. In particular, the business areas should accept ownership of their systems, provide commitment to the development of policies, and encourage and insist that control mechanisms be established to protect their critical IS assets and resources.
Table 7: The management accountability policy
MANAGEMENT ACCOUNTABILITY POLICY
Objective: To define managerial accountability and responsibilities in regard to information asset protection.
Principle: Organisations should identify and protect all assets that are critical to their operations. Physical assets, relevant physical access control measures, and replacement costs are readily identifiable. However, the value of the processes associated with information systems is more difficult to determine. Management is responsible for the protection of company assets, and should develop policies that ensure this outcome.
Policy: Management, at all levels within the organisation, has a fundamental responsibility to protect company assets. This includes the personnel, financial, hardware, software and data assets for which they are accountable. Managers are responsible for:
• identifying critical business assets for which they are accountable and ensuring controls are implemented to provide an appropriate level of protection.
• implementing secure systems, processing and procedures that adhere to information systems security policies.
• ensuring that all personnel are aware of, and understand, the need to protect company assets, including information.
• recognising existing security measures that do not provide adequate levels of control or do not meet defined policy objectives and, where appropriate, undertaking corrective actions.
• reporting information systems security exposures, misuse or non-compliance to senior management to ensure that organisational, policy, technical or procedural changes can be implemented to address the relevant issue.
Table 8: The information systems security policy
INFORMATION SYSTEMS (IS) SECURITY POLICY
Objective: To provide management direction, commitment and support for information systems security within the organisation.
Principle: All information stored in, processed by, or communicated through information systems has a value to the organisation. Much of this information represents critical data required by the organisation to conduct the business and business support activities associated with maintaining the ongoing viability and success of the company. Information and information systems must be viewed as critical assets that should be protected to:
• maximise the availability of systems and information.
• provide assurance that the integrity of systems, processing and information is maintained.
• ensure that the confidentiality of information is preserved.
The Information Systems (IS) Security Policy defines executive management's commitment to, and direction of, the organisation's approach to information systems security.
Policy: Information is a valuable corporate asset, and as such, steps shall be taken to protect it from unauthorised modification, destruction, or disclosure, whether accidental or intentional. Information assets will be subject to risk assessment, and control measures will take into account the organisation's legislative and corporate regulatory obligations, customer expectations and business requirements. The cost of such protection should be commensurate with the value of the information and the probability of the occurrence of a threat.
Table 9: The system access control policy
SYSTEM ACCESS CONTROL POLICY
Objective: To control access to the organisation's systems, applications, networks and information systems assets.
Principle: The implementation of protection measures provides an organisation with the capability to restrict the accidental or intentional unauthorised use of, or alteration to, information assets. Underlying the concept of access control is the need for the organisation to embrace the following control principles:
• defence in depth.
• separation of duties.
• need to know.
• dual control.
Policy: System access control measures will include:
• Access to organisation systems must be restricted, and only authorised users are to be provided with access to information systems assets.
• Owners must be designated for all systems, applications, networks and information assets. If necessary, owners can nominate owner representatives to act on their behalf.
• Implementing system security features and, if appropriate, installing additional products to support or enhance control functions.
• All systems must be capable of identifying and authenticating the identity of users prior to allowing access to system resources.
• Controls over sensitive programs, system functions and utilities must be implemented to prevent unauthorised use.
• Implementation of controls and provision of access to systems, applications, networks and information is to be determined by their classification and the security specifications provided by each owner.
• Key information that is considered critical in supporting the integrity of security systems, such as passwords, must be one-way encrypted using industry standard algorithms such as DES or RSA.
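As an added illustration (not code from the paper), the following Python model turns the system access control policy above into a decision procedure: every asset has a designated owner and a classification (using the levels the information classification policy names later), only the owner or a nominated representative may authorise access, and a request is refused unless the requester is cleared for the classification, holds an owner grant for the operation (need to know) and, for operations the owner flags as dual-control, a second independently authorised person approves, with separation of duties rejecting self-approval. The asset, user and role names are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    # Levels the information classification policy (Table 13) lists as typical.
    UNCLASSIFIED = 0
    COMPANY_CONFIDENTIAL = 1
    COMPANY_SECRET = 2


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                       # every asset must have a designated owner
    classification: Classification
    dual_control_ops: frozenset = frozenset()   # owner-specified security requirement


@dataclass
class AccessPolicy:
    assets: dict                     # asset name -> Asset
    clearances: dict                 # user -> highest Classification the user may see
    representatives: dict = field(default_factory=dict)  # owner -> set of nominated reps
    grants: dict = field(default_factory=dict)           # asset name -> {user: frozenset(ops)}

    def can_authorise(self, who, asset):
        """Only the owner, or a representative the owner nominated, may authorise access."""
        return who == asset.owner or who in self.representatives.get(asset.owner, set())

    def grant(self, authoriser, asset_name, user, ops):
        asset = self.assets[asset_name]
        if not self.can_authorise(authoriser, asset):
            raise PermissionError(f"{authoriser} may not authorise access to {asset_name}")
        self.grants.setdefault(asset_name, {})[user] = frozenset(ops)

    def _authorised(self, user, asset, op):
        """Clearance must reach the classification and the owner must have granted the op."""
        if self.clearances.get(user, Classification.UNCLASSIFIED) < asset.classification:
            return False, "clearance below asset classification"
        if op not in self.grants.get(asset.name, {}).get(user, ()):
            return False, "no owner authorisation (need to know)"
        return True, "authorised"

    def decide(self, user, asset_name, op, approver=None):
        """Default deny: every check must pass before the request is allowed."""
        asset = self.assets.get(asset_name)
        if asset is None:
            return False, "unknown asset: no designated owner"
        ok, reason = self._authorised(user, asset, op)
        if not ok:
            return False, reason
        if op in asset.dual_control_ops:             # dual control principle
            if approver is None:
                return False, "dual control: second authorised person required"
            if approver == user:                     # separation of duties
                return False, "separation of duties: requester cannot approve own action"
            if not self._authorised(approver, asset, op)[0]:
                return False, "dual control: approver not independently authorised"
        return True, "allowed"


def sample_policy():
    """Constructed sample organisation: one payroll asset, its owner, a representative, users."""
    secret, confidential = Classification.COMPANY_SECRET, Classification.COMPANY_CONFIDENTIAL
    payroll = Asset("payroll", "fin_manager", secret, frozenset({"release_payment"}))
    policy = AccessPolicy(
        assets={"payroll": payroll},
        clearances={"fin_manager": secret, "fin_rep": secret, "clerk_a": secret,
                    "clerk_b": secret, "intern": confidential},
        representatives={"fin_manager": {"fin_rep"}},
    )
    policy.grant("fin_rep", "payroll", "clerk_a", {"read", "release_payment"})   # via representative
    policy.grant("fin_manager", "payroll", "clerk_b", {"read", "release_payment"})
    policy.grant("fin_manager", "payroll", "intern", {"read"})  # granted, but clearance is too low
    return policy
```

Note that the representative who authorises access holds no access of their own: `fin_rep` is refused on need-to-know grounds until an owner grants them an operation.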
Table 10: The personnel security policy
PERSONNEL SECURITY POLICY
Objective: To reduce the likelihood of employee-related risks associated with human error, theft, fraud, or misuse of facilities.
Principle: The security of information systems and data is dependent upon the integrity, reliability and expertise of the people who manage and operate them. Rapid technological advancements have created unparalleled opportunities for fraud, embezzlement, unauthorised disclosure, theft (software and hardware), and other abuses. There is often a perception that information systems security issues can be resolved simply by implementing technical solutions. This attitude is flawed: technical solutions certainly contribute to the overall management of information asset security, but ultimately the success of any asset security program rests with the people working for the organisation. These groups include direct internal employees of the organisation and external contractors and consultants. It is therefore important that organisations implement personnel security policies that reduce the inherent risks associated with providing personnel with access to information systems.
Policy: Personnel security policies related to information systems assets will include:
• Security roles and responsibilities are to be defined within the job descriptions of all personnel working for the organisation.
• All applications for employment involving access to sensitive systems and information should be screened to ensure the validity of applicants' references, curricula vitae, academic and professional qualifications and identity.
• All personnel should be provided with ongoing information asset security awareness and education.
• Confidentiality agreements are to be signed by all personnel working for the organisation.
• All personnel have an obligation to report security-related incidents such as security weaknesses, breaches of systems security and software malfunctioning.
• All personnel will be subject to formal disciplinary action in the event that they violate organisational security policies, standards and procedures.
Table 11: The physical and environmental policy
PHYSICAL AND ENVIRONMENTAL SECURITY POLICY
Objective: To prevent unauthorised access, damage and interference to information system services. Environmental security includes the continued operation of the environment that houses the computer equipment, for example, air-conditioning and heating, and the ongoing provision of utility services, such as electrical and water supplies.
Principle: Many organisations have a large investment in information systems and in the premises used to locate computer equipment. The continuity of information system services is dependent upon the continued availability and operation of this equipment. The restriction of physical access to computer facilities and equipment is an important method of control for protecting an organisation's sensitive information systems and information. The objectives of physical security measures are to prevent unauthorised access, theft, loss, illicit use and accidental or intentional damage occurring to information system assets. The objective of environmental security is to ensure that computer equipment is located and protected in a way that reduces the risks from environmental hazards and disruptions to critical support services.
Policy: Physical security policies related to information assets include:
• The Defence in Depth principle should be applied to create layers of security perimeters around and within computer facilities.
• Restricted zones should be created around critical information assets.
• Entry to secure areas should be protected by installing electronic access controls, mechanical locks, and deadbolts.
• Security containers should be used to store sensitive information, assets and media.
• Access to secure areas should be monitored using security personnel, electronic intrusion detection systems, closed circuit television (CCTV) and access control systems.
• A clear desk policy should be introduced to protect information from unauthorised access.
Environmental security policies related to information systems assets include:
• Computer communication equipment must be located in a place that is unlikely to experience natural or man-made disasters.
• Computer facilities must be protected against fire and water damage, vandalism and other threats.
• Where appropriate, contingencies should be made to ensure that no single point of failure exists in service or utility supplies, such as electricity, air conditioning and telecommunication links.
• Power and telecommunication cabling should be protected from interception or damage.
Table 12: The telecommunications security policy
TELECOMMUNICATIONS SECURITY POLICY
Objective: To protect information whilst it is being transmitted through a telecommunications network, and to protect the components comprising the network infrastructure.
Principle: Many organisations are interfacing or connecting their existing systems to external network environments (for example, the Internet), and as such it is critical that the security issues relevant to controlling and restricting access to internal systems be considered. The process of interconnecting systems to established networks, or connecting to external networks, requires that entry access points be created into an organisation's systems or internal networks. It is these access points that can provide unauthorised individuals with entry paths into an organisation's IT systems. As well as the possibility of remote users accessing systems, the confidentiality and integrity of information on the network is at risk. The availability of the network can also be compromised.
Policy: Telecommunications security policies include:
• Communication systems features that address confidentiality, integrity and availability requirements shall be commensurate with the requirements of the application; e.g. authentication, error detection and correction, and alternate routing.
• A security audit of communications shall be conducted annually to review the implementation and effectiveness of the security features and access controls to systems and data resources.
• The assignment of network access privileges and control of proxy accounts and default network accounts for all network users shall be centrally controlled, authorised and documented.
• Passwords and other security-related information shall be encrypted.
• The transmission of all highly sensitive information must be protected by approved cryptographic processes such as DES or RSA. The transmission of other sensitive information should be protected by controlled communications measures, such as:
  • Dedicated circuits.
  • Line encryption.
  • External access control devices; for example, challenge/response systems, smart cards, tokens.
  • External connections authenticated by dial-back systems.
• Computer communications equipment must be located in a place that is unlikely to experience natural or man-made disasters.
• Firewall systems and technologies must be used to isolate and secure trusted systems and networks from un-trusted systems and networks.
Table 13: The information classification policy
INFORMATION CLASSIFICATION POLICY
Objective: To ensure that information assets receive a level of protection that is commensurate with the business sensitivity or criticality of the information.
Principle: Information assets should be classified according to their criticality to the organisation so that the appropriate levels of controls can be implemented for each set of information. By classifying information and information systems, judgements can be made in regard to the types of controls required and, more importantly, who should be provided with access and at what level. Typically, classifications might include levels such as unclassified, company confidential, and company secret. It is important to understand that these classifications have a significant role in both manual paper-based systems and computer-based systems.
Policy: Information classification policies include:
• All information assets must have a designated owner who is responsible for classifying the information.
• Information assets shall be classified according to their confidentiality, integrity, availability and business value to the organisation.
Table 14: The business continuity planning policy
BUSINESS CONTINUITY PLANNING POLICY
Objective: To ensure plans are available to counteract or minimise the impact of interruptions to business activities caused by the unavailability of information systems.
Principle: Business continuity planning is the process of implementing procedures to assure the availability of information system processing capabilities in the event of a disaster. This is a major issue in risk management, as most organisations are so reliant on their information systems that a sustained outage could threaten the very existence of the company. It is essential that contingency plans are established and thoroughly tested for all critical business and operational support systems.
Policy: Business continuity planning policies include:
• Business managers must identify their critical information systems, the levels of service required and the maximum period of unavailability for systems.
• Business managers must assign a processing priority to information systems for the purpose of determining backup and recovery processing requirements.
• Continuity plans must be developed, documented and maintained to ensure that business units can continue to operate during and following disaster situations.