Access Control and Access Control Systems


The ISSO determined that access control and access control systems ranked as a high priority: processes were needed to control both access to systems and access to the information stored, processed, and transmitted by those systems. Therefore, access controls were divided into two sections (see Figures 8.3 and 8.4):

  • Access to systems; and

  • Access to the information on the systems.

Figure 8.3: A baseline approach to information systems access control at IWC.

Figure 8.4: A baseline approach to information systems access control at IWC.

The ISSO reasoned that each department created and used the IWC systems and its information. Therefore, they should be responsible for controlling access to those systems and information.

The major systems such as IWC's wide-area network were owned and operated by the IT Department, while individual systems and LANs were owned and operated by the individual departments.

As part of the CIAPP, the IWC, in coordination with other departments' managers, established a process for all IWC employees who required access to the systems to perform their job functions. Such employees would have to obtain system access approval from their manager and from the manager or designated representative of that system and/or information owner, such as for financial database access. The owners' approval was based on a justified need-for-access as stated by the employee's manager. If the system and/or information owners agreed, access was granted.

The ISSO had found, during the initial evaluation of the InfoSec of IWC, that departments had logically grouped their information into categories. They had done so to control access to their own files. This made it easy for the ISSO, because the managers of the departments agreed that once access to systems was granted by the system owners, access to the information on those systems should be approved by the owners of those groups of files, databases, etc.

Thus, the access control process included a justification by an employee's manager stating not only what systems and why they needed access to them, but also what information they required access to in order to perform their jobs.

For the most part, this was an easy and logical process. For example, in the Accounting Department, personnel generally had access to the groups of files and databases based on their job functions—accounts payable, accounts receivable, etc.

This access control process helped maintain an audit trail of who approved access, for whom, and for what purposes. It also helped provide a separation of functions, which is a vital component of any InfoSec program. For example, an accounts payable person should not also be the accounts receivable person and the invoice processing person. Such a system would allow one person too much control over a process that can be—and has been—used for committing fraud.
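The approval process described above, modelled as an added example that is not part of the original text: a request carries the manager's justification, must be approved by both the system owner and the information owner, is checked against a separation-of-duties conflict list built from the accounting example, and every decision is written to an audit trail. The owners, file groups and conflict pairs are constructed sample data, not IWC's actual assignments.

```python
from dataclasses import dataclass, field

# Constructed sample data for this example; names and roles are hypothetical.
SYSTEM_OWNERS = {"finance-lan": "it-dept", "acct-server": "accounting-mgr"}
INFO_OWNERS = {"accounts-payable": "ap-lead",
               "accounts-receivable": "ar-lead",
               "invoice-processing": "ap-lead"}
# Duties one person must not hold together (the page's accounting example).
SOD_CONFLICTS = {frozenset({"accounts-payable", "accounts-receivable"}),
                 frozenset({"accounts-payable", "invoice-processing"})}

@dataclass
class AccessRequest:
    employee: str
    manager: str          # manager who states the need-for-access
    system: str
    info_group: str       # group of files/databases being requested
    justification: str
    approvals: dict = field(default_factory=dict)  # approver -> owner role

class AccessControl:
    def __init__(self):
        self.grants = {}   # employee -> set of info groups already held
        self.audit = []    # who approved access, for whom, and why

    def approve(self, req, approver):
        """Accept an approval only from the owner of the system or info group."""
        if approver == SYSTEM_OWNERS.get(req.system):
            req.approvals[approver] = "system-owner"
        elif approver == INFO_OWNERS.get(req.info_group):
            req.approvals[approver] = "info-owner"
        return set(req.approvals.values())

    def grant(self, req):
        """Grant only with a justification, both owner approvals, no SoD conflict."""
        held = self.grants.get(req.employee, set())
        if not req.justification.strip():
            reason = "no-justification"
        elif set(req.approvals.values()) != {"system-owner", "info-owner"}:
            reason = "missing-owner-approval"
        elif any(frozenset({req.info_group, g}) in SOD_CONFLICTS for g in held):
            reason = "separation-of-duties"
        else:
            reason = None
        if reason is None:
            self.grants.setdefault(req.employee, set()).add(req.info_group)
        self.audit.append(("grant" if reason is None else "deny", req.employee,
                           req.system, req.info_group, req.manager, tuple(sorted(req.approvals)), reason))
        return reason is None, reason
```

The audit list is what a custodian would review: each entry names the employee, system, file group, requesting manager, the approving owners and the deny reason, if any.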

The benefits of the foregoing process to the ISSO were that it documented an informal process that for the most part had been in place, and it also placed InfoSec responsibilities for systems and information access exactly where it belonged, with the identified owners of the systems and information.

In one instance, an ISSO found that one manager did not want to take responsibility for a LAN in the department, and since others outside the department used the information, the manager did not want to take ownership of the information. The manager thought the IT Department should be the owner—after all, they were responsible for the maintenance of the system.

The ISSO in this case asked the manager if the ISSO could then be responsible as the owner of the systems and the information. The manager quickly agreed. The ISSO then told the manager that since it was now owned by the InfoSec organization, access would be denied to the systems and information to all those not in the InfoSec organization.

The manager objected, stating that the personnel in his organization needed access to those systems and their information in order to perform their job functions. After further discussion, the organizational manager agreed that his organization would appear to be the logical owners and subsequently accepted that responsibility.

Access Control Systems

The ISSO, in coordination with the IT, Security, and Audit Departments, determined that the access control systems (hardware and software) belonged to the same departments and organizations identified as system owners. However, the InfoSec personnel would establish the detailed procedures for the access control systems and the auditors would evaluate compliance with those procedures.

The system owners agreed to this process and also to appointing a primary and alternate system custodian who would be responsible for ensuring the IWC CIAPP policies and procedures were followed by all those who used the systems. In addition, the custodian would review the system audit trails, which were mandatory on all IWC systems. [6]

[6] At first the audit trail requirements were to be applied only to those IWC systems processing sensitive IWC information; however, it was quickly discovered that all the systems, because of their networking, fell under that category. IWC management agreed that the additional cost of such a requirement was beneficial to IWC based on the risks of loss of that information to internal or external threats.




The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204
