The development of access control policies for information technology systems

Document Type: Journal Article


Elsevier Science


Computing, Health and Science


Engineering and Mathematics




Originally published as: Ward, P., & Smith, C. L. (2002). The development of access control policies for information technology systems. Computers & Security, 21(4), 356-371.


The identification of the major information technology (IT) access control policies is required to direct “best practice” approaches within the IT security program of an organisation. In demonstrating the need for security access control policies in the IT security program, the study highlights the significant shift away from centralised mainframes towards distributed networked computing environments. The study showed that the traditional and proven security control mechanisms used in mainframe environments were not applicable to distributed systems, and as a result, a number of inherent risks were identified with the new technologies.

Because of the critical nature of the information assets of organisations, appropriate risk management strategies should be afforded to the IT systems through access control policies. The changing technology has rendered centralised mainframe security solutions ineffective in providing controls on distributed network systems.

This investigation revealed that policies for access control of an information system, drawn from corporate governance guidelines and risk management strategies, were required to protect the information assets of an organisation. The paper proposes a high-level approach to implementing security policies through information security responsibilities, a management accountability policy, and other baseline access control security policies for individual and distributed systems.



