The development of access control policies for information technology systems
Document Type
Journal Article
Publisher
Elsevier Science
Faculty
Faculty of Computing, Health and Science
School
School of Engineering and Mathematics
RAS ID
349
Abstract
The identification of the major information technology (IT) access control policies is required to direct “best practice” approaches within the IT security program of an organisation. In demonstrating the need for security access control policies in the IT security program, the study highlights the significant shift away from centralised mainframes towards distributed networked computing environments. The study showed that the traditional and proven security control mechanisms used in mainframe environments were not applicable to distributed systems, and as a result, a number of inherent risks were identified with the new technologies.
Because of the critical nature of the information assets of organisations, appropriate risk management strategies should be afforded to the IT systems through access control policies. The changing technology has rendered centralised mainframe security solutions ineffective in providing controls on distributed network systems.
This investigation revealed that policies for access control of an information system, derived from corporate governance guidelines and risk management strategies, were required to protect the information assets of an organisation. The paper proposes a high-level approach to implementing security policies through information security responsibilities, a management accountability policy, and other baseline access control security policies for individual and distributed systems.
DOI
10.1016/S0167-4048(02)00414-5
Comments
Ward, P., & Smith, C. L. (2002). The development of access control policies for information technology systems. Computers & Security, 21(4), 356-371.