Security Access Models
Presentation about the importance of securing information management systems and a way to achieve this.
Speaker notes, slide 1: Good afternoon everyone, today I’m going to discuss the increasing requirements to gain greater control over the increasing numbers of information management systems within our organisations.
Slide 1: Securing Your Agency: Importance of Information Security Access Models
  (image: http://www.flickr.com/photos/ravages/2853378788/)

Slide 2: Outline
  - Identifying the problem space
  - What, why, when and how of a Security Access Model

Slide 3: AS ISO 15489 Requirements
  - “… both within an organisation and to external users.”
  - “… assigning access status to both records and individuals.”

Slide 4: Access controls…
  - Indicate who can do what
  - Complement classification
  - Risk management tool

Slide 5 (untitled)
  - More information = More systems = More points of entry = More access to control

Slide 6: The IT vs IM battle
  - Access problems with “techie” implementations
  - “Organic” development platforms
  - System descriptions that don’t describe anything, for example:
    - Database Name – XYZ Correspondence Database
    - Description – Storage of the correspondence for XYZ

Slide 7 (untitled)
  - Job Title/Section/Unit/Location
  - Job Title/Section/Directorate/Unit
  - One job title change
  - One section change
  - Three Directorate changes

Slide 8: Information management systems
  - Shared Drives
  - Databases
  - Portals
  - Internet
  - EDRM Systems
  - Intranets
  - Wikis

Slide 9: If only…

Slide 10: Even in Web2.0
  - http://www.thestandard.com/news/2008/06/10/things-cia-learned-about-implementing-enterprise-wiki

Slide 11: Security Access Models
  - What?
  - Why?
  - When?
  - How?
  (image: http://www.flickr.com/photos/29013381@N04/2790170814/)

Slide 12: Anatomy
  - Identify the system
  - Detail security requirements
  - Provide general policy overview
  - Define the user groupings
  - List the exceptions to the rules
  - Define the system permissions
  - Capture Permission – Group – Folders matrix

Slide 13: System
  - System Name and Version
  - Owner/Sponsor
  - Manager and delegates
  - Support provider – include SLA if you have one
  - What the system does
  - What business function(s) it supports

Slide 14: Security requirements
  - The level of classification that the system holds (In-Confidence, Protected, Restricted, Secret etc.)
  - Explanation of the access control limitations that are required

Slide 15: Policy statements
  - List of the access “rules” for the system
  - Examples:
    - Permissions are not applied against individuals; they can only be allocated against positions or groups
    - Standard users will not be given permission to delete content from the system

Slide 16: Definition of groups
  - List of the groups set up inside the system
  - Basic description beside each group in the list to describe the members and intent of that grouping
  - Important to highlight groups that will have limited access and groups that will have higher access

Slide 17: Exceptions
  - The exceptions to the “rules” defined in Policy Statements
  - There are always exceptions to the rules, so it is best to capture them before someone tries to correct them

Slide 18: Defined permissions
  - List of permissions or “roles” inside the system
  - Description of the access these provide

Slide 19: Permission allocations
  - Matrix of permissions
  - Best to have two tables – positions allocated to groups and then group permissions against data
  - Put the people to positions or people to groups mapping in an Appendix as it will change regularly
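The anatomy in slides 15 to 19 describes a small data structure: a table of positions allocated to groups, a table of group permissions against folders, and a separately maintained people-to-positions appendix, with the policy statements and recorded exceptions constraining how the tables may be filled. The following Python is an added illustration and is not code from the presentation or its author; every group, position, folder and person name in it is constructed sample data, and the two policy rules it enforces are the two example rules from slide 15.

```python
"""Toy Security Access Model: positions -> groups (table 1),
(group, folder) -> permission (table 2), people -> positions (appendix).
All names below are constructed sample data, not from any real system."""
from __future__ import annotations

from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when an allocation breaks one of the model's policy statements."""


@dataclass
class SecurityAccessModel:
    # Defined permissions ("roles"): name -> the actions that role grants
    permissions: dict[str, frozenset[str]] = field(default_factory=dict)
    # Definition of groups: name -> short description of members and intent
    groups: dict[str, str] = field(default_factory=dict)
    # Table 1: position -> groups that position is allocated to
    position_groups: dict[str, set[str]] = field(default_factory=dict)
    # Table 2: (group, folder) -> permission name
    group_permissions: dict[tuple[str, str], str] = field(default_factory=dict)
    # Appendix: person -> position; kept apart because it changes regularly
    people: dict[str, str] = field(default_factory=dict)
    # Recorded exceptions to the policy statements: (group, folder, justification)
    exceptions: list[tuple[str, str, str]] = field(default_factory=list)

    def allocate(self, subject: str, folder: str, permission: str,
                 justification: str | None = None) -> None:
        """Allocate `permission` on `folder` to group `subject`, enforcing the
        deck's two example rules: no permissions against individuals, and no
        delete for standard users unless a documented exception is recorded."""
        if subject in self.people:
            raise PolicyViolation(
                "permissions are allocated to positions or groups, not individuals")
        if subject not in self.groups:
            raise PolicyViolation(f"unknown group {subject!r}")
        actions = self.permissions[permission]
        if subject == "Standard users" and "delete" in actions:
            if justification is None:
                raise PolicyViolation(
                    "standard users may not delete; record an exception with a justification")
            self.exceptions.append((subject, folder, justification))
        self.group_permissions[(subject, folder)] = permission

    def groups_for(self, person: str) -> set[str]:
        """Resolve a person through the appendix to their position's groups."""
        return self.position_groups.get(self.people[person], set())

    def can(self, person: str, action: str, folder: str) -> bool:
        """person -> position -> groups -> folder permission -> action."""
        for group in self.groups_for(person):
            perm = self.group_permissions.get((group, folder))
            if perm is not None and action in self.permissions[perm]:
                return True
        return False


def build_sample_model() -> SecurityAccessModel:
    """Populate the model with constructed sample data (not a real agency)."""
    m = SecurityAccessModel()
    m.permissions = {
        "Reader": frozenset({"read"}),
        "Contributor": frozenset({"read", "write"}),
        "Records manager": frozenset({"read", "write", "delete"}),
    }
    m.groups = {
        "Standard users": "All staff; day-to-day access, no deletion (limited access)",
        "Records team": "Records management staff; includes deletion (higher access)",
    }
    m.position_groups = {
        "Policy Officer": {"Standard users"},
        "Records Manager": {"Standard users", "Records team"},
    }
    m.people = {"alice": "Policy Officer", "bob": "Records Manager"}
    m.allocate("Standard users", "Correspondence", "Contributor")
    m.allocate("Records team", "Correspondence", "Records manager")
    m.allocate("Standard users", "Public notices", "Reader")
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for who, what, where in [("alice", "write", "Correspondence"),
                             ("alice", "delete", "Correspondence"),
                             ("bob", "delete", "Correspondence")]:
        print(f"{who} may {what} {where}: {model.can(who, what, where)}")
```

Keeping people out of the two permission tables is what makes the appendix cheap to maintain: when a person changes position, only `people` is edited and every access decision follows, while the tables that need review and sign-off stay untouched. Recording an exception at the point of allocation, rather than in a separate document, is one way to make sure the exception exists before anyone "corrects" the unexplained entry.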
Slide 20: Issues
  - Getting staff to do it prior to implementation
  - Hard to maintain accurately

Slide 21: Further considerations
  - Staff knowledge
  - Applying the right classification
  - Storing in the right location
  - Not sharing access

Slide 22: Presentation by Kylie Dunn [email_address]
  (image: http://www.flickr.com/photos/jpconstantineau/2121027361/sizes/o/)