The Increasing Problems Of Controlling Access

Post on 22-Oct-2014

DESCRIPTION

This was a presentation I gave at the Information Week RMAA Seminar 2008. It was on the increasing problems of trying to control access within organisations, focusing on sensitive and classified information.

Transcript

The Increasing Problems of Controlling Access

Presentation to RMAA Seminar, 13 May 2008

Kylie Dunn, Knowledge & Records Manager

Department of State and Regional Development

Outline

Policy

System access controls

Communication

Technology's role

Access Models

Staff development

…but I digress…

AS ISO 15489 Requirements

…both within an organization and to external users.

…assigning access status to both records and individuals.

…categorized according to their access status…

…specify access permissions to records relating to their area of responsibility.

The ANAO

Audit Report No. 7 1999-2000 – Operation of Classification System for Protecting Sensitive Information

Many staff did not have a detailed understanding…

All organisations incorrectly classified files with over-classification being the most common occurrence.

2.27 To achieve an effective control environment over information security it is expected…

Managing risk

Risk averse

Technology averse

Policies and training

Pre-digital age

The good old days?

Applying electronic access

Shared drives

Time consuming

Low fidelity

Not simple

EDM Systems

Greater auditing

Easier privileges

Taking a record out?

Databases

ANAO Audit Report No. 45 2001–02 – Assurance and Control Assessment Audit - Recordkeeping

…business records that were managed through systems that were not recognised and developed as recordkeeping systems

Databases

Depends on developer

Anything is possible

Relies on time & $$

Websites

Page lockdowns

Content Management System

Some audit logs

Strong reliance on user

Communicating/transferring

Email

Access

Storage

Secure

Using the “Cloud”

How safe is it?

“The breach is believed to have started when hackers intercepted wireless transfers of customer information at two Marshalls stores in Miami - an entry point that led the hackers to eventually break into TJX's central databases.”

theage.com.au (31/12/07)

Safer than our own staff?

Loss of control

Applying security

Staff need to get it right

Over-classification

Increased management

Increased costs

Limits legitimate access

Under-classification

Permits non-legitimate access

Reliance on others

Not all about systems

…but technology helps

Access Models

Anatomy of an Access Model

System security requirements

Policy statements

Definition of groupings

Exceptions

Defined permissions

Permission allocations – data/individuals

Hard to maintain accurately
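As an added illustration (this is not code from the presentation or the Department), the following Python sketches the anatomy above as a runnable access model: an ordered set of access statuses as the policy statement, a classification assigned to each record and a clearance to each individual, defined groupings with permissions over an area of responsibility, explicit exceptions for need-to-share grants and denials, and an audit trail of every decision. The status names, groups, people and records are all constructed for the example. It also shows why over-classification is costly: the same content marked one level too high shrinks the set of legitimate readers to almost nobody.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Policy statement: the ordered access statuses this example recognises.
# The names and their ordering are assumed for illustration only.
LEVELS = {"UNCLASSIFIED": 0, "IN-CONFIDENCE": 1, "PROTECTED": 2, "HIGHLY PROTECTED": 3}


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str   # access status assigned to the record
    owning_area: str      # area of responsibility that sets its permissions


@dataclass(frozen=True)
class Individual:
    user_id: str
    clearance: str        # access status assigned to the individual
    groups: frozenset     # defined groupings the individual belongs to


@dataclass
class AccessModel:
    # Defined permissions: grouping -> owning areas whose records it may read
    group_permissions: dict
    # Exceptions: (user_id, record_id) -> "allow" (need-to-share) or "deny"
    exceptions: dict = field(default_factory=dict)
    # Audit trail of every decision, the part a shared drive cannot give you
    audit: list = field(default_factory=list)

    def _log(self, user, record, decision, reason):
        self.audit.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id, "record": record.record_id,
            "decision": decision, "reason": reason,
        })
        return decision, reason

    def can_read(self, user, record):
        """Return (allowed, reason). Clearance is always enforced; an exception
        overrides only the grouping permissions, never the classification."""
        if record.classification not in LEVELS or user.clearance not in LEVELS:
            return self._log(user, record, False, "unknown access status")
        if LEVELS[user.clearance] < LEVELS[record.classification]:
            return self._log(user, record, False, "clearance below classification")
        exception = self.exceptions.get((user.user_id, record.record_id))
        if exception == "deny":
            return self._log(user, record, False, "explicit denial")
        if exception == "allow":
            return self._log(user, record, True, "need-to-share exception")
        for group in sorted(user.groups):
            if record.owning_area in self.group_permissions.get(group, set()):
                return self._log(user, record, True, f"group {group} permission")
        return self._log(user, record, False, "no grouping permission")

    def readers(self, users, record):
        """Everyone who may read a record; the list shrinks when it is over-classified."""
        return sorted(u.user_id for u in users if self.can_read(u, record)[0])


# Constructed sample allocations for the example (hypothetical groups and records)
MODEL = AccessModel(group_permissions={
    "policy-team": {"policy"},
    "finance-team": {"finance"},
    "executive": {"policy", "finance"},
})
ALICE = Individual("alice", "PROTECTED", frozenset({"policy-team"}))
BOB = Individual("bob", "IN-CONFIDENCE", frozenset({"finance-team"}))
CARA = Individual("cara", "HIGHLY PROTECTED", frozenset({"executive"}))
USERS = [ALICE, BOB, CARA]

BRIEF = Record("DOC-1", "IN-CONFIDENCE", "policy")    # correctly classified
OVER = Record("DOC-2", "HIGHLY PROTECTED", "policy")  # same kind of content, over-classified
LEDGER = Record("DOC-3", "IN-CONFIDENCE", "finance")

# Need-to-share: bob is granted one policy brief for a joint project
MODEL.exceptions[("bob", "DOC-1")] = "allow"
# An explicit denial wins over group membership
MODEL.exceptions[("cara", "DOC-3")] = "deny"

if __name__ == "__main__":
    for rec in (BRIEF, OVER, LEDGER):
        print(rec.record_id, rec.classification, "readers:", MODEL.readers(USERS, rec))
    for entry in MODEL.audit:
        print(entry["user"], entry["record"], entry["decision"], entry["reason"])
```

Running it shows DOC-1 readable by all three people (alice by grouping, bob by exception, cara as executive) while DOC-2, the over-classified copy, is readable only by cara, and every decision lands in the audit list with the rule that produced it. Keeping clearance outside the reach of exceptions is the design choice that stops a need-to-share grant from quietly becoming under-classification.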

Staff awareness

Storing

Transmitting

Cost of getting it wrong

Need-to-Know / Need-to-Share

Needs to be easy

Role of Records Staff?

Advisory

Policy into Procedure

Training staff

Access Models

No quick fix

Managing risks

Technology helps

Access model is a must

Staff need to understand
