Inter-Organizational Study of Access Control Security Measures

Published: 01 January 2018
Abstract

This study assesses the level of implementation and management of access control security measures among organizations. A survey was conducted and 233 responses were received from 56 organizations drawn from five major industry sectors of Ghana. The study focuses on four access control clauses adopted from the ISO/IEC 27002 information security management standard: access control policy, user access management, user responsibility and accountability, and system and application access control. Overall, the organizations' level of implementation and management of access control measures was approximately 66.6%, corresponding to maturity Level 3 (well defined), which indicates that access control measures were documented, approved, and implemented organization-wide. The results also show significant differences in the implementation and management of access control measures among the organizations: for all the access control measures, financial and health care institutions outperform educational institutions and government public services.

References

[1]
Abdullah, H., & Valentine, B. 2009. Fundamental and ethics theories of corporate governance. Middle Eastern Finance and Economics, 4, 88-96.
[2]
Aurigemma, S. 2013. A composite framework for behavioral compliance with information security policies. Journal of Organizational and End User Computing, 25(3), 32-51.
[3]
Balamurugan, B., & Krishna, P. V. 2014. Enhanced role-based access control for cloud security. Advances in Intelligent Systems and Computing, 324, 837-852.
[4]
Brown, S., & Yaokumah, W. 2016, November. Evolution in cyber security certifications: Adding theoretical bodies of knowledge. In Proceedings of the Global Conference on Information Technology, Sullivan University, Louisville, KY.
[5]
Erlich, Z., & Zviran, M. 2010. Goals and practices in maintaining information systems security. International Journal of Information Security and Privacy, 4(3), 40-50.
[6]
Gope, P., & Amin, R. 2016. A novel reference security model with the situation based access policy for accessing EPHR data. Journal of Medical Systems, 40(11), 242.
[7]
Hair, J. F., Ringle, C. M., & Sarstedt, M. 2011. PLS-SEM: Indeed a silver bullet. Journal of Marketing Theory and Practice, 19(2), 139-151.
[8]
Hair, J. F., Hult, G. T. M., Ringle, C., & Sarstedt, M. 2014. A primer on partial least squares structural equation modeling (PLS-SEM). Long Range Planning, 46, 328.
[9]
Harris, S. 2013. All-in-One CISSP Exam Guide (6th ed.). McGraw-Hill.
[10]
HEISC. 2013. Information Security Program Assessment Tool. Retrieved from http://www.educause.edu/library/resources/information-security-program-assessment-tool
[11]
Henseler, J., & Sarstedt, M. 2012. Goodness-of-fit indices for partial least squares path modeling. Computational Statistics, 28(2), 565-580.
[12]
Hofstede, G. 2001. Culture's Consequences: Comparing Values, Behaviors, Institutions, and Organizations Across Nations. Thousand Oaks, CA: Sage.
[13]
ISO/IEC 21827:2008. Information technology -- Security techniques -- Systems Security Engineering -- Capability Maturity Model (SSE-CMM). Retrieved from http://www.iso.org/iso/catalogue_detail.htm?csnumber=44716
[14]
ISO/IEC 27002:2013. Information technology -- Security techniques -- Code of practice for information security controls. Retrieved from http://www.iso.org/iso/catalogue_detail?csnumber=54533
[15]
ISO/IEC 27000:2014. Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary. Retrieved from http://www.iso.org/iso/catalogue_detail?csnumber=63411
[16]
Jin, Y., Liu, H., Sun, L., & Song, J. 2014. Study on security domain-oriented military information systems access control model. Advances in Intelligent Systems and Computing, 279, 849-856.
[17]
Jirasek, V. 2012. Practical application of information security models. Information Security Technical Report, 17(1-2), 1-8.
[18]
Kang, D., Oh, J., & Im, C. 2015. Context based smart access control on BYOD environments. Information Security Applications, 8909, 165-176.
[19]
Karuppiah, M., & Saravanan, R. 2014. A secure remote user mutual authentication scheme using smart cards. Journal of Information Security and Applications, 19(4-5), 282-294.
[20]
Kayes, A. S. M., Han, J., & Colman, A. 2015. An ontological framework for situation-aware access control of software services. Information Systems, 53, 253-277.
[21]
Kosutic, D. 2015. How to handle access control according to ISO 27001. Retrieved from http://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/
[22]
Lang, U., & Schreiner, R. 2015. Proximity-based access control (PBAC) using model-driven security. In Proceedings of ISSE'15 (pp. 157-170).
[23]
Le, X. H., Lee, S., Lee, Y.-K., Lee, H., Khalid, M., & Sankar, R. 2010. Activity-oriented access control to ubiquitous hospital information and services. Information Sciences, 180(16), 2979-2990.
[24]
Lerner, J. S., & Tetlock, P. E. 1999. Accounting for the effects of accountability. Psychological Bulletin, 125(2), 255-275.
[25]
Lu, Y., Zhang, L., & Sun, J. 2009. Task-activity based access control for process collaboration environments. Computers in Industry, 60(6), 403-415.
[26]
Mario, S., & Andrea, B. 2014. Information security. Information Management & Computer Security, 22(3), 279-308.
[27]
Masood, R., Shibli, M. A., Ghazi, Y., Kanwal, A., & Ali, A. 2015. Cloud authorization: Exploring techniques and approach towards effective access control framework. Frontiers of Computer Science, 9(2), 297-321.
[28]
Moradbeikie, A., Abrishami, S., & Abbasi, H. 2016. Creating time-limited attributes for time-limited services in cloud computing. International Journal of Information Security and Privacy, 10(4), 44-57.
[29]
Ngo, C., Demchenko, Y., & de Laat, C. 2016. Multi-tenant attribute-based access control for cloud infrastructure services. Journal of Information Security and Applications, 27-28, 65-84.
[30]
Ngumbi, P. K. 2010. Challenges in managing information security from an organization's perspective. International Journal of Computer Science and Information Security, 8(4), 234-243.
[31]
NIST Special Publication 800-14. Generally accepted system security principles (GSSPs): Guidance on securing information technology (IT) systems. Retrieved from http://csrc.nist.gov/publications/nistbul/csl96-10.txt
[32]
NISTIR 7874. 2012. Guidelines for Access Control System Evaluation Metrics.
[33]
Peevers, G., Williams, R., Douglas, G., & Jack, M. A. 2013. Usability study of fingerprint and palmvein biometric technologies at the ATM. International Journal of Technology and Human Interaction, 9(1), 78-95.
[34]
Poniszewska-Maranda, A., & Rutkowska, R. 2014. Implementation of usage role-based access control approach for logical security of information systems. Advances in Systems Science, 240, 131-140.
[35]
PwC. 2015. The Global State of Information Security Survey 2015: Managing cyber risks in an interconnected world. Retrieved from http://www.pwccn.com/home/eng/rcs_info_security_2015.html
[36]
Ranjan, A. K., & Somani, G. 2016. Access control and authentication in the Internet of Things environment. In Connectivity Frameworks for Smart Devices, Computer Communications and Networks (pp. 283-305).
[37]
SANS Institute. 2014. New threats drive improved practices: State of cybersecurity in health care organizations. Retrieved from https://www.sans.org/reading-room/whitepapers/analyst/threats-drive-improved-practices-state-cybersecurity-health-care-organizations-35652
[38]
Styles, M., & Tryfonas, T. 2009. Using penetration testing feedback to cultivate an atmosphere of proactive security amongst end-users. Information Management & Computer Security, 17(1), 44-52.
[39]
Vaidya, J. 2010. Automating security configuration and administration: An access control perspective. In Advances in Information and Computer Security: 5th International Workshop on Security, IWSEC 2010, Kobe, Japan (pp. 22-24).
[40]
Vance, A., Lowry, P. B., & Eggett, D. 2015. A new approach to the problem of access policy violations: Increasing perceptions of accountability through the user interface. MIS Quarterly, 39(2), 345-366.
[41]
Williams, K., Harkins, S. G., & Latané, B. 1981. Identifiability as a deterrent to social loafing: Two cheering experiments. Journal of Personality and Social Psychology, 40(2), 303-311.
[42]
Yaokumah, W. 2016. Investigation into the state-of-practice of operations security management based on ISO/IEC 27002. International Journal of Technology Diffusion, 7(1), 51-70.

Published In

International Journal of Technology and Human Interaction, Volume 14, Issue 1
January 2018
112 pages
ISSN: 1548-3908
EISSN: 1548-3916

Publisher

IGI Global, United States

Author Tags

1. Access Control Policy
2. Information Security
3. System and Application Access Control
4. User Access Control Management
5. User Responsibility and Accountability
