Inter-Organizational Study of Access Control Security Measures

Inter-Organizational Study of Access Control Security Measures

Winfred Yaokumah (Department of Information Technology, Pentecost University College, Accra, Ghana) and Eric Saviour Aryee Okai (Department of Information Technology, Pentecost University College, Accra, Ghana)
Copyright: © 2018 |Pages: 20
DOI: 10.4018/IJTHI.2018010104
OnDemand PDF Download:
No Current Special Offers


This study assesses the level of implementation and management of access control security measures among organizations. A survey was conducted and 233 responses were received from 56 organizations drawn from 5 major industry sectors of Ghana. This study focuses on the four access control clauses, namely access control policy, user access management, user responsibility and accountability, and system and application access control, which were adopted from ISO/IEC27002 international information systems security management standard. Overall, the results show that the organizations' level of implementation and management of access control measures were approximately 66.6% (Level 3 - well defined), indicating that access control measures were documented, approved, and implemented organization-wide. Moreover, the results show significant differences in the implementation and management of access control measures among the organizations. For all the access control measures, the financial and health care institutions outperform educational institutions and government public services.
Article Preview


Access control is the restriction of access rights to systems, applications, tasks, data, networks, and physical facilities (Mario & Andrea, 2014). It is a security feature that controls how users and systems communicate and interact with other systems and resources, with the intention of protecting information assets from unauthorized access (Harris, 2013). Data processing, transmission, and storage are carried out through the interaction among information systems components, consisting of people, hardware, software, procedures, processes, and communications facilities. These interactions should be managed and stringent measures ought to be implemented to prevent unauthorized entities from gaining access to critical and sensitive organizational information resources. Access control systems can manage the interactions and communications among users and systems (Ranjan & Somani, 2016). They can be effective in providing adequate security to information resources when correctly implemented and managed (Vaidya, 2010). However, implementing and managing access control measures are challenging tasks as systems administrators must deal with the rapid changes in business environment and also address various users with different levels of access rights requirements.

Access control management is a continuous activity of planning, controlling, coordinating, and organizing information security (Ngumbi, 2010). It is an area that is constantly changing in response to new threats, standards, and technologies (Jirasek, 2012). Access control requirements, implementation, and management have become more challenging for organizations as a result of rapid developments in applications and systems, including cloud computing, Bring-Your-Own Device (BYOD), and the Internet of Things (IoT) (Lang & Schreiner, 2015). In order to deal with these challenges, organizations have deployed standard access control mechanisms, measures, models, technologies, and employed best practices. The processes and activities required to effectively implement and manage access control measures are detailed in ISO/IEC27002:2013, which is an information security management system. An information security management system (ISMS) comprises of the policies, procedures, guidelines, models, and related resources and activities that are collectively managed by an organization to protect its information resources (ISO/IEC 27000, 2014). Access control models are the frameworks that dictate how users access information resources. They consist of mandatory access control, discretionary access control, and role-based access control. Vaidya (2010) notes that though the discretionary and the role-based access control models have largely been implemented, most organizations perform permission assignments to users on ad-hoc basis and the permissions assigned to users are often poorly documented. This can lead to misconfigurations such as under privileges, violation of the least privilege requirement, and costly management of access control security measures (Vaidya, 2010).

Consequently, access control measures should be properly implemented and managed; otherwise, it can have significant operational impact on user productivity and the organization’s ability to perform to achieve its objectives (NISTIR, 2012). Despite its importance, few studies have been conducted in access control management in organizations. Mario and Andrea (2014) analyze information security literature of 1,588 papers from 23 information security journals and 5 conferences over the past four decades. The study suggests that future direction of information security research endeavour should focus on security management. Although several studies were conducted on the technical access control models and mechanisms (Karuppiah & Saravanan, 2014; Kayes, Han, & Colman, 2015; Ngo, Demchenko, & de Laat, 2016), few studies focused on management of access control measures.

Complete Article List

Search this Journal:
Volume 18: 4 Issues (2022): 1 Released, 3 Forthcoming
Volume 17: 4 Issues (2021)
Volume 16: 4 Issues (2020)
Volume 15: 4 Issues (2019)
Volume 14: 4 Issues (2018)
Volume 13: 4 Issues (2017)
Volume 12: 4 Issues (2016)
Volume 11: 4 Issues (2015)
Volume 10: 4 Issues (2014)
Volume 9: 4 Issues (2013)
Volume 8: 4 Issues (2012)
Volume 7: 4 Issues (2011)
Volume 6: 4 Issues (2010)
Volume 5: 4 Issues (2009)
Volume 4: 4 Issues (2008)
Volume 3: 4 Issues (2007)
Volume 2: 4 Issues (2006)
Volume 1: 4 Issues (2005)
View Complete Journal Contents Listing