The previous Clauses have dealt with corporate policy and organisation for identifying that which should be protected and that which is less important and with the tools and procedures necessary to enable corporate information to be managed in a secure fashion. This Clause is about who is authorised to have access to corporate information.
System access can be controlled in a number of ways using hardware or software. The real question is not how control is achieved but who is allowed access, and to what. System access is like every other system of locks and keys. The basic decisions are what requires protection and who has the keys. These are strictly business decisions that should not depend on the technology at all.
The decision-making process is a simple two-stage affair. First, nominate those business applications that should be protected, e.g. finance/budgets. Second, nominate who is responsible for that application (the owner), e.g. the Finance Director, and give him the keys.
The military have an expression "Need to Know". The term implies that only those who need to know any given information in order to do their job should be authorised to have access to that information. This is not to confuse secrecy with security, nor is it to suggest that those outside the sphere of interest are not also interested. Information will often change its classification throughout its life span.
Taking the above example, say the spreadsheets being used in the Finance Department to plan next year's budgets, it seems obvious that only those who are directly involved in the planning exercise should be authorised to access those figures until they are ready to be published. When the final figures are approved they might be moved to a read-only file so that the information can be put on a wider circulation. Access control is about making information available to the right people in a secure way, which means that other people cannot alter that information without proper authority.
The decisions regarding who are the right people are business decisions not IT decisions.
The IT Department can provide the tools by way of passwords, encryption, secure routing and logon procedures, but only the business managers can decide to whom those controls will apply.
Many organisations appoint a System Administrator who is charged with the responsibility for maintaining a register of those people who are accorded access rights or privileges. It is important not to allow this officer to become part of the authorisation process. Only the business manager in each operational department will know who is doing any particular job at any time and who actually needs to know!
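The model described in the two passages above (an owner who holds the keys, a System Administrator who keeps the register but does not authorise, and approved figures moving to read-only circulation) can be written down as a small access register. The following is an added illustration, not code from this book; the resource, user and role names (budget-2025, finance_director, planner_a, sales_b, sysadmin) are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Resource:
    """A protected business application, e.g. the budget spreadsheets."""
    name: str
    owner: str               # the business manager who holds the keys
    published: bool = False  # approved figures go read-only for wider circulation


class AccessRegister:
    """Register of access rights, maintained by the System Administrator.

    The administrator records grants but cannot create them: every grant,
    revocation or publication must be authorised by the resource owner, which
    keeps the administrator out of the authorisation process.
    """

    def __init__(self):
        self._resources = {}
        self._grants = {}  # (resource name, user) -> set of rights

    def register(self, resource):
        self._resources[resource.name] = resource

    def _owner_only(self, authorised_by, name):
        res = self._resources[name]
        if authorised_by != res.owner:
            raise PermissionError(f"{authorised_by} is not the owner of {name}")
        return res

    def grant(self, authorised_by, name, user, rights):
        self._owner_only(authorised_by, name)
        self._grants.setdefault((name, user), set()).update(rights)

    def revoke(self, authorised_by, name, user):
        self._owner_only(authorised_by, name)
        self._grants.pop((name, user), None)

    def publish(self, authorised_by, name):
        """Approved figures become readable by all; write rights are withdrawn
        and must be re-authorised by the owner if anyone is to alter them."""
        self._owner_only(authorised_by, name).published = True
        for (res_name, _user), rights in self._grants.items():
            if res_name == name:
                rights.discard("write")

    def is_allowed(self, user, name, action):
        res = self._resources[name]
        if res.published and action == "read":
            return True
        return action in self._grants.get((name, user), set())


def demo():
    """Walk through the budget example and return the access decisions."""
    reg = AccessRegister()
    reg.register(Resource("budget-2025", owner="finance_director"))
    reg.grant("finance_director", "budget-2025", "planner_a", {"read", "write"})
    results = {
        "planner_can_write_draft": reg.is_allowed("planner_a", "budget-2025", "write"),
        "outsider_can_read_draft": reg.is_allowed("sales_b", "budget-2025", "read"),
    }
    # The administrator tries to hand out access directly: refused.
    try:
        reg.grant("sysadmin", "budget-2025", "sales_b", {"read"})
        results["admin_grant_refused"] = False
    except PermissionError:
        results["admin_grant_refused"] = True
    # The owner approves the figures for wider, read-only circulation.
    reg.publish("finance_director", "budget-2025")
    results["outsider_can_read_published"] = reg.is_allowed("sales_b", "budget-2025", "read")
    results["planner_can_write_published"] = reg.is_allowed("planner_a", "budget-2025", "write")
    return results


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {allowed}")
```

The point of the structure is that `grant`, `revoke` and `publish` all pass through `_owner_only`: the register holds the data, but the business owner holds the authority, exactly the separation the text asks for.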
In practical terms the locks and keys are either hardware or software and, just as with any other type of locks, there are varying qualities to be had. The most common type of lock is either the user identity or password that must be keyed in to allow entry to the system. The technicians can install these password systems but only the business managers can ensure that individual users use them sensibly, i.e. use obscure passwords rather than their own name, change their password frequently and do not leave the password written on a post-it note stuck to the side of the screen.
If the information that you need to protect is really important, the hardware solutions are usually better than software. Take the machine off the network and lock it up in a separate room. Fit key-card locks and issue magnetic swipe cards to those people authorised to switch the machine on. Even the smartest hackers can only steal information from machines that are switched on and connected to the outside world.
When processing information outside the office (i.e. mobile computing and teleworking) it is essential that at least the same level of control is in place as would apply in the office. This will often employ different technology from that required in the office to protect information processing systems.
The Security Practitioner
An Introduction to Information Security