Access Control Policy: A tool for security and operational efficiency

What is Access Control? In the simplest terms, a financial institution's Access Control Policy (ACP) should define who has access to sensitive information, to electronic media or devices, and to facilities. The ACP should also specify how, when, and where such information, equipment, or facilities may be accessed. Imagine the wealth of information and physical resources at banks' disposal in carrying out their daily operations. Now consider the risk of employees and customers gaining unauthorized access to that information and those resources. With this in mind, the risk posed by a weak ACP is easy to visualize.

Thus, there is an undeniable justification for developing an enterprise-wide access control culture. Beyond that need, it is more important still to have a strong and strategic access control policy. It is not enough simply to have an access control culture; the culture must be predictive, strategic and effective.

How to frame an Access Control Policy?

A NIST report compiled by Vincent Hu and others shows that the strategy often starts with identifying an applicable access control policy type. Here, I highlight four types:

  1. Attribute Based Access Control (ABAC) policy is an access control model in which an organization bases its access control decisions on a set of characteristics, or attributes, associated with the user, the environment, or the resource itself. A key advantage of ABAC is that the requester need not be known in advance to the system or resource that could become accessible. As long as the attributes the requester supplies meet the criteria for gaining entry, access is granted. A perfect example is the user of a mobile bank account application.
  2. Mandatory Access Control (MAC) policy means that access control decisions are made by a central authority, not by the individual owner of an object, and the owner cannot change access rights. An example of MAC occurs in military security, where an individual data owner does not decide who has a top-secret clearance, nor can the owner move the classification of an object up or down the clearance ladder.
  3. A Discretionary Access Control (DAC) policy, on the other hand, leaves the final decision in the hands of the end user. The most common example is a computer file system, where the owner of a file can grant or deny access rights at his or her discretion.
  4. In the Role Based Access Control (RBAC) policy, access decisions are based on the roles that individual users have within the organization. Users take on assigned roles (such as banker, teller, or branch manager). Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role.
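To make the four decision models concrete, here is an added illustration (not code from the article, nor from the NIST report it cites) that implements each one as a small Python function against a fictional bank. Every role, user, attribute, classification label and rule below is a constructed assumption chosen for the example; the point is the shape of each decision, not the specific values.

```python
"""Toy decision functions for the four access control models (ABAC, MAC, DAC, RBAC).
All names, roles, labels and rules are constructed sample data for a fictional bank."""

from dataclasses import dataclass, field

# ---------- RBAC: rights are grouped by role name; users assume roles ----------
ROLE_PERMISSIONS = {  # constructed role definitions
    "teller": {"account:read", "deposit:create"},
    "banker": {"account:read", "loan:create"},
    "branch_manager": {"account:read", "deposit:create", "loan:create", "loan:approve"},
}
USER_ROLES = {"alice": {"teller"}, "bob": {"branch_manager"}}  # constructed assignments


def rbac_allows(user: str, permission: str) -> bool:
    """Grant only if some role assigned to the user carries the permission.
    Unknown users and unknown roles fall through to deny."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# ---------- ABAC: decide from attributes; the requester need not be pre-registered
def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    """Constructed rule for a mobile-banking 'view account' request: the caller must
    hold the account, be on a verified device, have completed strong authentication
    (auth_level >= 2) and be inside the 06:00-23:00 service window."""
    return (
        resource.get("type") == "account"
        and subject.get("customer_id") == resource.get("owner")
        and subject.get("device_verified") is True
        and subject.get("auth_level", 0) >= 2
        and 6 <= env.get("hour", -1) < 23
    )


# ---------- MAC: labels are set by a central authority; owners cannot relabel ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "top_secret": 3}
OBJECT_LABELS = {"customer_pii.csv": "confidential", "branch_memo.txt": "internal"}
CLASSIFICATION_AUTHORITY = "security_office"  # the only principal allowed to relabel


def mac_relabel(actor: str, obj: str, new_label: str) -> bool:
    """Reclassification succeeds only for the central authority, never for an owner."""
    if actor != CLASSIFICATION_AUTHORITY or new_label not in LEVELS:
        return False
    OBJECT_LABELS[obj] = new_label
    return True


def mac_allows_read(subject_clearance: str, obj: str) -> bool:
    """'No read up': the subject's clearance must dominate the object's label."""
    return LEVELS[subject_clearance] >= LEVELS[OBJECT_LABELS[obj]]


# ---------- DAC: the owner manages the object's ACL at their own discretion ------
@dataclass
class Document:
    owner: str
    acl: dict = field(default_factory=dict)  # grantee -> set of rights


def dac_grant(doc: Document, actor: str, grantee: str, right: str) -> bool:
    """Only the owner may change rights; anyone else is refused and the ACL is untouched."""
    if actor != doc.owner:
        return False
    doc.acl.setdefault(grantee, set()).add(right)
    return True


def dac_allows(doc: Document, user: str, right: str) -> bool:
    return user == doc.owner or right in doc.acl.get(user, set())


if __name__ == "__main__":
    print("RBAC teller may approve loan:", rbac_allows("alice", "loan:approve"))
    customer = {"customer_id": "c-1001", "device_verified": True, "auth_level": 2}
    print("ABAC own account, verified:", abac_allows(customer, {"type": "account", "owner": "c-1001"}, {"hour": 14}))
    print("MAC owner relabel attempt:", mac_relabel("alice", "customer_pii.csv", "public"))
    memo = Document(owner="carol")
    print("DAC non-owner grant:", dac_grant(memo, "alice", "alice", "read"))
```

Note that every function denies by default: an unknown user, a missing attribute, or an unlisted label yields `False` rather than an exception-driven bypass, which is the property an auditor would check first in a real policy engine.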

Which strategy is the best?

Some writers have argued that the RBAC model is more suitable for banks; see, for example, Karsten Sohr and others. Furthermore, a 2010 NIST study finds that implementing RBAC could deliver a significant return on investment through efficiency gains and reduced employee downtime. A PwC study report also finds that applying RBAC can lead to operational improvements and increase return on investment. I agree with this conclusion because banks generally have large operations, a broad geographic footprint, a large number of employees, and various business partners.

Any policy recommendation?

In any case, the Cybersecurity Manager recommends that, from a general security standpoint, a financial institution lean towards both a security-intelligence-gathering approach and a business model for information security. This means the ACP should be customized with both a security and a business-profitability mindset. This approach is often referred to as an intelligence-led information security model, in which management intelligently analyzes its business apparatus and needs within its objective decision-making framework. The principles of this security model include:

  1. Understanding the threat
  2. Integrating threat intelligence into business decision making
  3. Establishing a learning culture
  4. Building a foundation of information sharing
  5. Strong execution of project management
  6. Maximizing collaboration and partnership
