Modelling the Impact of Administrative Access Controls on Technical Access Control Measures

Winfred Yaokumah (Department of Information Technology, Pentecost University College, Accra, Ghana)
Copyright: © 2017 | Pages: 18
DOI: 10.4018/IRMJ.2017100104

Abstract

Almost all computing systems and applications in organizations include some form of access control mechanism. Managing secure access to computing resources is an important but challenging task, requiring both administrative and technical measures. This study examines the influence of administrative access control measures on technical access control mechanisms. Based on the four access control clauses defined by ISO/IEC27002, this study develops a model to empirically test the impact of access control policies on systems and applications control activities. The study employs Partial Least Squares Structural Equation Modelling (PLS-SEM) to analyze data collected from 223 respondents through a survey questionnaire. The results show that the greatest significant impact on applications and systems access control measures comes from access control policies mediated by users' responsibilities and accountability and by user access management activities. The direct impact of access control policies on applications and systems access control measures, however, is not significant.

Introduction

As nearly all computing systems and applications in organizations have some form of access control mechanism, managing restrictive and secure access has become an important but challenging task (Caruso et al., 2013; Uzun et al., 2014). Access control comprises the measures organizations put in place to enforce control over persons, programs, and processes accessing computer systems, networks, data, and other information resources. These measures are the security features that control how users and systems communicate and interact with other systems and resources, with the aim of protecting information systems and resources from unauthorized access (Harris, 2013). Access control measures are intended to allow authorized users access to information and information processing facilities while denying access to unauthorized users (ISO/IEC27002, 2013). Many security breaches come as a result of unauthorized access to computing resources (Data Breach Investigations Report, 2013). In most cases, an attacker must first gain access to computing systems, applications, and facilities before altering data, stealing sensitive information, or damaging critical computing devices. Therefore, access control has become an important security measure (Braga, 2011; Gostojić et al., 2012). It requires the employment of administrative, technical (logical), and physical access control measures. Evidence suggests that technical controls detect only one third of fraud cases (Goode & Lacey, 2011). Thus, technical solutions alone are not sufficient to protect information assets, because security threats are fundamentally a people issue (Sarkar, 2010). As a result, technological, behavioural, and organisational measures are all essential.

Administrative access controls are management-oriented measures that deal with the organizational issues of controlling access to resources, including access control policies, security documentation, personnel security, training, organizational structures, and separation of duties (Hertzman, Meagher, & McGrail, 2013). Technical access control mechanisms employ hardware and software measures (passwords, identification and authentication mechanisms, firewalls, intrusion detection and prevention systems, and encryption) to control access to information systems (Hertzman, Meagher, & McGrail, 2013). Physical access controls (network segregation, security guards, locks, fencing, lighting, perimeter security, computer controls, work area separation, data backups, cabling, control zones) can have a significant impact on protecting the facilities that house information resources (Hertzman, Meagher, & McGrail, 2013). In general, physical access controls support and work together with administrative and technical controls to provide the required level of control. For example, network segregation can be carried out through both technical means (logical separation of networks within software configuration settings) and physical means (physical separation of networks).

Therefore, the integration of these measures, often referred to as defense-in-depth, is essential. Defense-in-depth is the coordinated use of multiple security controls in a layered approach. It is an implementation of multiple controls such that successful penetration and compromise of systems are more difficult to achieve (Groat, Tront, & Marchany, 2012). This multilayered defense minimizes the probability of successful penetration and compromise because an attacker must get through several different types of protection mechanism before gaining access to critical resources (Harris, 2013). A prior study notes that all access control measures intended to provide defense-in-depth should begin with administrative control measures (Kosutic, 2015). Administrative controls can be the hardest to put into practice, as management must define the policies and users must understand, accept, and implement the measures correctly. The physical and technical controls are then implemented based on the measures defined within the administrative access controls. While the defense-in-depth principle of combining administrative, technical, and physical access control measures has been advocated (Goode & Lacey, 2011; Jansen & Grance, 2011; Sarkar, 2010), theoretical models for integrating the management of these measures are sparse (Goode & Lacey, 2011).
