This was a presentation I gave at the Information Week RMAA Seminar 2008. It was on the increasing problems of trying to control access within organisations, focusing on sensitive and classified information.
The Increasing Problems of Controlling Access
Presentation to RMAA Seminar, 13 May 2008
Kylie Dunn, Knowledge & Records Manager
Department of State and Regional Development
Outline
Policy
System access controls
Communication
Technology's role
Access Models
Staff development
…but I digress…
AS ISO 15489 Requirements
…both within an organization and to external users.
…assigning access status to both records and individuals.
…categorized according to their access status…
…specify access permissions to records relating to their area of responsibility.
The ANAO
Audit Report No. 7 1999-2000 – Operation of Classification System for Protecting Sensitive Information
Many staff did not have a detailed understanding…
All organisations incorrectly classified files with over-classification being the most common occurrence.
2.27 To achieve an effective control environment over information security it is expected…
Managing risk
Risk averse
Technology averse
Policies and training
Pre-digital age
The good old days?
Applying electronic access
Shared drives
Time consuming
Low fidelity
Not simple
EDM Systems
Greater auditing
Easier privileges
Taking a record out?
Databases
ANAO Audit Report No. 45 2001–02 – Assurance and Control Assessment Audit: Recordkeeping
…business records that were managed through systems that were not recognised and developed as recordkeeping systems
Databases
Depends on developer
Anything is possible
Relies on time & $$
Websites
Page lockdowns
Content Management System
Some audit logs
Strong reliance on user
Communicating/transferring
Access
Storage
Secure
Using the “Cloud”
How safe is it?
“The breach is believed to have started when hackers intercepted wireless transfers of customer information at two Marshalls stores in Miami - an entry point that led the hackers to eventually break into TJX's central databases.”
theage.com.au (31/12/07)
Safer than our own staff?
Loss of control
Applying security
Staff need to get it right
Over-classification
Increased management
Increased costs
Limits legitimate access
Under-classification
Permits non-legitimate access
Reliance on others
Not all about systems
…but technology helps
Access Models
Anatomy of an Access Model
System
Security requirements
Policy statements
Definition of groupings
Exceptions
Defined permissions
Permission allocations – data/individuals
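The components listed above, and the cost of over- and under-classification described earlier, as an added worked example that is not part of the presentation: a minimal access model with ordered markings, groupings by area of responsibility, documented exceptions and an audit trail. The marking levels, staff names and record ids are constructed sample data, not taken from any real scheme.

```python
from dataclasses import dataclass, field

# Ordered protective markings, lowest to highest (assumed for this example).
LEVELS = ["UNCLASSIFIED", "IN-CONFIDENCE", "PROTECTED", "HIGHLY PROTECTED"]

@dataclass
class Record:
    record_id: str
    classification: str
    area: str  # business area the record relates to

@dataclass
class Person:
    name: str
    clearance: str
    areas: frozenset  # areas of responsibility (the "groupings")

@dataclass
class AccessModel:
    # Documented exceptions: (person, record_id) pairs granted outside their grouping.
    exceptions: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def check(self, person: Person, record: Record) -> bool:
        # Policy statement 1: the reader's clearance must be at least the record's level.
        cleared = LEVELS.index(person.clearance) >= LEVELS.index(record.classification)
        # Policy statement 2 (need-to-know): the record must relate to the reader's area,
        # unless an explicit exception has been recorded for this person and record.
        in_area = record.area in person.areas
        excepted = (person.name, record.record_id) in self.exceptions
        allowed = cleared and (in_area or excepted)
        self.audit_log.append((person.name, record.record_id, allowed))  # audit trail
        return allowed

def classification_effects() -> dict:
    """Cost of getting the marking wrong, on constructed sample staff and records."""
    model = AccessModel(exceptions={("Raj", "REC-3")})
    ana = Person("Ana", "IN-CONFIDENCE", frozenset({"grants"}))  # legitimate reader
    bob = Person("Bob", "UNCLASSIFIED", frozenset({"grants"}))   # same area, no clearance
    raj = Person("Raj", "PROTECTED", frozenset({"finance"}))     # other area, has an exception
    over = Record("REC-1", "PROTECTED", "grants")      # needs only IN-CONFIDENCE: over-classified
    under = Record("REC-2", "UNCLASSIFIED", "grants")  # should be PROTECTED: under-classified
    shared = Record("REC-3", "IN-CONFIDENCE", "grants")
    return {
        "over_classified_blocks_legitimate_reader": not model.check(ana, over),
        "under_classified_permits_uncleared_reader": model.check(bob, under),
        "exception_grants_outside_area": model.check(raj, shared),
        "no_exception_outside_area_denied": not model.check(raj, over),
    }
```

Every decision is appended to the audit log, which is what makes the model reviewable when an allocation turns out to be wrong.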
Hard to maintain accurately
Staff awareness
Storing
Transmitting
Cost of getting it wrong
Need-to-Know
Need-to-Share
Needs to be easy
Role of Records Staff?
Advisory
Policy into Procedure
Training staff
Access Models
No quick fix
Managing risks
Technology helps
Access model is a must
Staff need to understand