Introduction
Access control is the restriction of access rights to systems, applications, tasks, data, networks, and physical facilities (Mario & Andrea, 2014). It is a security feature that controls how users and systems communicate and interact with other systems and resources, with the intention of protecting information assets from unauthorized access (Harris, 2013). Data processing, transmission, and storage are carried out through the interaction among information system components, consisting of people, hardware, software, procedures, processes, and communications facilities. These interactions should be managed, and stringent measures ought to be implemented to prevent unauthorized entities from gaining access to critical and sensitive organizational information resources. Access control systems can manage the interactions and communications among users and systems (Ranjan & Somani, 2016). They can be effective in providing adequate security to information resources when correctly implemented and managed (Vaidya, 2010). However, implementing and managing access control measures are challenging tasks, as systems administrators must deal with rapid changes in the business environment and also address various users with different levels of access rights requirements.
Access control management is a continuous activity of planning, controlling, coordinating, and organizing information security (Ngumbi, 2010). It is an area that is constantly changing in response to new threats, standards, and technologies (Jirasek, 2012). Access control requirements, implementation, and management have become more challenging for organizations as a result of rapid developments in applications and systems, including cloud computing, Bring Your Own Device (BYOD), and the Internet of Things (IoT) (Lang & Schreiner, 2015). In order to deal with these challenges, organizations have deployed standard access control mechanisms, measures, models, and technologies, and have employed best practices. The processes and activities required to effectively implement and manage access control measures are detailed in ISO/IEC 27002:2013, which is an information security management system. An information security management system (ISMS) comprises the policies, procedures, guidelines, models, and related resources and activities that are collectively managed by an organization to protect its information resources (ISO/IEC 27000, 2014). Access control models are the frameworks that dictate how users access information resources. They consist of mandatory access control, discretionary access control, and role-based access control. Vaidya (2010) notes that although the discretionary and role-based access control models have largely been implemented, most organizations assign permissions to users on an ad hoc basis, and the permissions assigned to users are often poorly documented. This can lead to misconfigurations such as under-privileged users, violations of the least privilege requirement, and costly management of access control security measures (Vaidya, 2010).
Consequently, access control measures should be properly implemented and managed; otherwise, they can have a significant operational impact on user productivity and on the organization's ability to achieve its objectives (NISTIR, 2012). Despite its importance, few studies have been conducted on access control management in organizations. Mario and Andrea (2014) analyzed the information security literature, covering 1,588 papers from 23 information security journals and 5 conferences over the past four decades. Their study suggests that future information security research should focus on security management. Although several studies have examined technical access control models and mechanisms (Karuppiah & Saravanan, 2014; Kayes, Han, & Colman, 2015; Ngo, Demchenko, & de Laat, 2016), few have focused on the management of access control measures.