A framework for information security management in local government
- Authors: De Lange, Joshua
- Date: 2017
- Subjects: Computer security -- Management , Data protection
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: http://hdl.handle.net/10948/7588 , vital:21932
- Description: Information has become so pervasive within enterprises and everyday life, that it is almost indispensable. This is clear as information has become core to the business operations of any enterprise. Information and communication technology (ICT) systems are heavily relied upon to store, process and transmit this valuable commodity. Due to its immense value, information and related ICT resources have to be adequately protected. This protection of information is commonly referred to as information security.
- Full Text:
- Date Issued: 2017
- Authors: De Lange, Joshua
- Date: 2017
- Subjects: Computer security -- Management , Data protection
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: http://hdl.handle.net/10948/7588 , vital:21932
- Description: Information has become so pervasive within enterprises and everyday life, that it is almost indispensable. This is clear as information has become core to the business operations of any enterprise. Information and communication technology (ICT) systems are heavily relied upon to store, process and transmit this valuable commodity. Due to its immense value, information and related ICT resources have to be adequately protected. This protection of information is commonly referred to as information security.
- Full Text:
- Date Issued: 2017
Governing information security within the context of "bring your own device" in small, medium and micro enterprises
- Authors: Fani, Noluvuyo
- Date: 2017
- Subjects: Data protection , Computer security -- Management , Computer networks -- Security measures
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: http://hdl.handle.net/10948/7626 , vital:22114
- Description: Throughout history, information has been core to the communication, processing and storage of most tasks in the organisation, in this case in Small-Medium and Micro Enterprises (SMMEs). The implementation of these tasks relies on Information and Communication Technology (ICT). ICT is constantly evolving, and with each developed ICT, it becomes important that organisations adapt to the changing environment. Organisations need to adapt to the changing environment by incorporating innovative ICT that allows employees to perform their tasks with ease anywhere and anytime, whilst reducing the costs affiliated with the ICT. In this modern, performing tasks with ease anywhere and anytime requires that the employee is mobile whilst using the ICT. As a result, a relatively new phenomenon called “Bring Your Own Device” (BYOD) is currently infiltrating most organisations, where personally-owned mobile devices are used to access organisational information that will be used to conduct the various tasks of the organisation. The use of BYOD in organisations breeds the previously mentioned benefits such as performing organisational tasks anywhere and anytime. However, with the benefits highlighted for BYOD, organisations should be aware that there are risks to the implementation of BYOD. Therefore, the implementation of BYOD deems that organisations should implement BYOD with proper management thereof.
- Full Text:
- Date Issued: 2017
- Authors: Fani, Noluvuyo
- Date: 2017
- Subjects: Data protection , Computer security -- Management , Computer networks -- Security measures
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: http://hdl.handle.net/10948/7626 , vital:22114
- Description: Throughout history, information has been core to the communication, processing and storage of most tasks in the organisation, in this case in Small-Medium and Micro Enterprises (SMMEs). The implementation of these tasks relies on Information and Communication Technology (ICT). ICT is constantly evolving, and with each developed ICT, it becomes important that organisations adapt to the changing environment. Organisations need to adapt to the changing environment by incorporating innovative ICT that allows employees to perform their tasks with ease anywhere and anytime, whilst reducing the costs affiliated with the ICT. In this modern, performing tasks with ease anywhere and anytime requires that the employee is mobile whilst using the ICT. As a result, a relatively new phenomenon called “Bring Your Own Device” (BYOD) is currently infiltrating most organisations, where personally-owned mobile devices are used to access organisational information that will be used to conduct the various tasks of the organisation. The use of BYOD in organisations breeds the previously mentioned benefits such as performing organisational tasks anywhere and anytime. However, with the benefits highlighted for BYOD, organisations should be aware that there are risks to the implementation of BYOD. Therefore, the implementation of BYOD deems that organisations should implement BYOD with proper management thereof.
- Full Text:
- Date Issued: 2017
A baseline for information security knowledge for end users
- Authors: Boshoff, Ryno
- Date: 2012
- Subjects: Data protection -- Management , Computer security -- Management
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9808 , http://hdl.handle.net/10948/d1013260
- Description: Information plays a vast contributing role to all resources within an organisation. Organisations should recognise the importance of information and implement information security controls to protect their information as this will ensure that the organisation‟s information retains its confidentiality, integrity and availability. Information security controls, which are the means of managing information risks, rely heavily on the user‟s knowledge regarding the use of these controls for their effectiveness, and as such, users should be educated in order to maximise effectiveness of these controls. Current information security educational programmes are created without necessarily taking into account the target audience, who comprises of all employees, stakeholders, suppliers, third parties, customers or other external parties or third party that requires access to the organisation‟s information. This results in programmes that are not linguistically appropriate; or that present knowledge at an inappropriate level for the target audience. This could leave users bored or confused, without successfully changing their behaviour or improving knowledge. This dissertation identifies a baseline for information security knowledge targeted at end users. This was done by means of a Delphi Study, where a profile of “generic” end users comprised of information security topics and concepts were rated by experts from the field of information security education. This resulted in the elimination of inappropriate topics and concepts and retaining the relevant and appropriate aspects. This baseline for information security knowledge can be characterised as a minimum standard that everybody should be educated on as an introductory or refresher course. This can also serve as the foundation phase to educate end users with knowledge of the basic topics and concepts to enable them to fulfil their responsibilities in order to protect information. If needed, topics and concepts could be added to the baseline for information security knowledge for specialised target audiences (e.g. specialised End Users, ICT Staff or Top Management).
- Full Text:
- Date Issued: 2012
- Authors: Boshoff, Ryno
- Date: 2012
- Subjects: Data protection -- Management , Computer security -- Management
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9808 , http://hdl.handle.net/10948/d1013260
- Description: Information plays a vast contributing role to all resources within an organisation. Organisations should recognise the importance of information and implement information security controls to protect their information as this will ensure that the organisation‟s information retains its confidentiality, integrity and availability. Information security controls, which are the means of managing information risks, rely heavily on the user‟s knowledge regarding the use of these controls for their effectiveness, and as such, users should be educated in order to maximise effectiveness of these controls. Current information security educational programmes are created without necessarily taking into account the target audience, who comprises of all employees, stakeholders, suppliers, third parties, customers or other external parties or third party that requires access to the organisation‟s information. This results in programmes that are not linguistically appropriate; or that present knowledge at an inappropriate level for the target audience. This could leave users bored or confused, without successfully changing their behaviour or improving knowledge. This dissertation identifies a baseline for information security knowledge targeted at end users. This was done by means of a Delphi Study, where a profile of “generic” end users comprised of information security topics and concepts were rated by experts from the field of information security education. This resulted in the elimination of inappropriate topics and concepts and retaining the relevant and appropriate aspects. This baseline for information security knowledge can be characterised as a minimum standard that everybody should be educated on as an introductory or refresher course. This can also serve as the foundation phase to educate end users with knowledge of the basic topics and concepts to enable them to fulfil their responsibilities in order to protect information. If needed, topics and concepts could be added to the baseline for information security knowledge for specialised target audiences (e.g. specialised End Users, ICT Staff or Top Management).
- Full Text:
- Date Issued: 2012
A brain-compatible approach to the presentation of cyber security educational material
- Authors: Reid, Rayne
- Date: 2012
- Subjects: Data protection -- Management , Computer security -- Management
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9819 , http://hdl.handle.net/10948/d1019895
- Description: Information is an extremely important asset in modern society. It is used in most daily activities and transactions, and, thus, the importance of information is acknowledged by both organisational and private home information users. Unfortunately, as with any asset, there are often threats to this asset and, therefore, an information security solution is required to protect information against potential threats. Human beings play a major role in the implementation and governing of an entire information security process and, therefore, they have responsibilities in this regard. Thus, the effectiveness of any information security solutions in either an organisational or a private context is dependent on the human beings involved in the process. Accordingly, if these human beings are either unaware or not knowledgeable about their roles in the security solution they become the weak link in the information security solutions and, thus, it is essential that all these information users be educated in order to combat any threats to the information security. Many of the current information security education programmes and materials are not effective, possibly because the majority of these current approaches have been designed without using a sound pedagogical theory. In addition, many of these programmes also only target organisational users. This, in turn, is problematic as information security education is required by everybody, organisational and private information users alike. This dissertation addressed the lack of a pedagogical basis in the designing of information security educational courses suited to an extremely broad target audience. Accordingly, the dissertation set out to demonstrate how a pedagogy, which is broadly used and accepted for a diverse target audience of learners, could be applied to the design of the presentation of a web based, cyber security educational courses.
- Full Text:
- Date Issued: 2012
- Authors: Reid, Rayne
- Date: 2012
- Subjects: Data protection -- Management , Computer security -- Management
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9819 , http://hdl.handle.net/10948/d1019895
- Description: Information is an extremely important asset in modern society. It is used in most daily activities and transactions, and, thus, the importance of information is acknowledged by both organisational and private home information users. Unfortunately, as with any asset, there are often threats to this asset and, therefore, an information security solution is required to protect information against potential threats. Human beings play a major role in the implementation and governing of an entire information security process and, therefore, they have responsibilities in this regard. Thus, the effectiveness of any information security solutions in either an organisational or a private context is dependent on the human beings involved in the process. Accordingly, if these human beings are either unaware or not knowledgeable about their roles in the security solution they become the weak link in the information security solutions and, thus, it is essential that all these information users be educated in order to combat any threats to the information security. Many of the current information security education programmes and materials are not effective, possibly because the majority of these current approaches have been designed without using a sound pedagogical theory. In addition, many of these programmes also only target organisational users. This, in turn, is problematic as information security education is required by everybody, organisational and private information users alike. This dissertation addressed the lack of a pedagogical basis in the designing of information security educational courses suited to an extremely broad target audience. Accordingly, the dissertation set out to demonstrate how a pedagogy, which is broadly used and accepted for a diverse target audience of learners, could be applied to the design of the presentation of a web based, cyber security educational courses.
- Full Text:
- Date Issued: 2012
Managing an information security policy architecture : a technical documentation perspective
- Maninjwa, Prosecutor Mvikeli
- Authors: Maninjwa, Prosecutor Mvikeli
- Date: 2012
- Subjects: Computer security -- Management , Computer architecture , Data protection
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9825 , http://hdl.handle.net/10948/d1020757
- Description: Information and the related assets form critical business assets for most organizations. Organizations depend on their information assets to survive and to remain competitive. However, the organization’s information assets are faced with a number of internal and external threats, aimed at compromising the confidentiality, integrity and/or availability (CIA) of information assets. These threats can be of physical, technical, or operational nature. For an organization to successfully conduct its business operations, information assets should always be protected from these threats. The process of protecting information and its related assets, ensuring the CIA thereof, is referred to as information security. To be effective, information security should be viewed as critical to the overall success of the organization, and therefore be included as one of the organization’s Corporate Governance sub-functions, referred to as Information Security Governance. Information Security Governance is the strategic system for directing and controlling the organization’s information security initiatives. Directing is the process whereby management issues directives, giving a strategic direction for information security within an organization. Controlling is the process of ensuring that management directives are being adhered to within an organization. To be effective, Information Security Governance directing and controlling depend on the organization’s Information Security Policy Architecture. An Information Security Policy Architecture is a hierarchical representation of the various information security policies and related documentation that an organization has used. When directing, management directives should be issued in the form of an Information Security Policy Architecture, and controlling should ensure adherence to the Information Security Policy Architecture. However, this study noted that in both literature and organizational practices, Information Security Policy Architectures are not comprehensively addressed and adequately managed. Therefore, this study argues towards a more comprehensive Information Security Policy Architecture, and the proper management thereof.
- Full Text:
- Date Issued: 2012
- Authors: Maninjwa, Prosecutor Mvikeli
- Date: 2012
- Subjects: Computer security -- Management , Computer architecture , Data protection
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9825 , http://hdl.handle.net/10948/d1020757
- Description: Information and the related assets form critical business assets for most organizations. Organizations depend on their information assets to survive and to remain competitive. However, the organization’s information assets are faced with a number of internal and external threats, aimed at compromising the confidentiality, integrity and/or availability (CIA) of information assets. These threats can be of physical, technical, or operational nature. For an organization to successfully conduct its business operations, information assets should always be protected from these threats. The process of protecting information and its related assets, ensuring the CIA thereof, is referred to as information security. To be effective, information security should be viewed as critical to the overall success of the organization, and therefore be included as one of the organization’s Corporate Governance sub-functions, referred to as Information Security Governance. Information Security Governance is the strategic system for directing and controlling the organization’s information security initiatives. Directing is the process whereby management issues directives, giving a strategic direction for information security within an organization. Controlling is the process of ensuring that management directives are being adhered to within an organization. To be effective, Information Security Governance directing and controlling depend on the organization’s Information Security Policy Architecture. An Information Security Policy Architecture is a hierarchical representation of the various information security policies and related documentation that an organization has used. When directing, management directives should be issued in the form of an Information Security Policy Architecture, and controlling should ensure adherence to the Information Security Policy Architecture. However, this study noted that in both literature and organizational practices, Information Security Policy Architectures are not comprehensively addressed and adequately managed. Therefore, this study argues towards a more comprehensive Information Security Policy Architecture, and the proper management thereof.
- Full Text:
- Date Issued: 2012
Navigating between information security management documents : a modeling methodology
- Authors: Domingues, Steve
- Date: 2010
- Subjects: Computer security -- Management , Business -- Data processing -- Security measures , Information resources management -- Security measures , Business -- Standards
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9761 , http://hdl.handle.net/10948/1212 , Computer security -- Management , Business -- Data processing -- Security measures , Information resources management -- Security measures , Business -- Standards
- Description: Organizations no longer draft their own standards. Instead, organizations take advantage of the available international standards. One standard may not cover all the organization's needs, requiring organizations to implement more than one standard. The same aspect in an organization may be covered by two or more standards, creating an overlap. An awareness of such overlaps led to various institutions creating mapping documents illustrating how a control from one standard relates to a control from a different standard. The mapping documents are consulted by the end user, to identify how a control in one standard may relate to other standards. This allows the end user to navigate between the standards documents. These mapping documents are valuable to a person who wishes to grasp how different standards deal with a specific control. However, the navigation between standards is a cumbersome task. In order to navigate between the standards the end user is required to consult three or more documents, depending on the number of standards that are mapped to the control being investigated. The need for a tool that will provide fast and efficient navigation between standards was identified. The data tier of the tool is the focus of this dissertation. As a result, this research proposes a modeling methodology that will allow for the modeling of the standards and the information about the mapping between standards, thereby contributing to the creation of tools to aid in the navigation between standards. A comparison between the major data modeling paradigms identifies multi-dimensional modeling as the most appropriate technique to model standards. Adapting an existing modeling methodology to cater for the modeling standards, yield a five step standard modeling methodology. Once modeled, the standards can be physically implemented as a database. The database schema that results from the standard modeling methodology adheres to a specific pattern and can thus be expressed according to well-defined meta-model. This allows for the generation of SQL statements by a tool with limited knowledge of the standards in a way that allows the quick navigation between standards. To determine the usefulness of the standards modeling methodology the research presents iv a prototype that utilizes the well-defined meta-model to navigate between standards. It is shown that, as far as navigation is concerned, no code changes are necessary when adding a new standard or new mappings between standards. This research contributes to the creation of a tool that can easily navigate between standards by providing the ability to model the data tier in such a way that it is extensible, yet remains independent of the application and presentation tiers.
- Full Text:
- Date Issued: 2010
- Authors: Domingues, Steve
- Date: 2010
- Subjects: Computer security -- Management , Business -- Data processing -- Security measures , Information resources management -- Security measures , Business -- Standards
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9761 , http://hdl.handle.net/10948/1212 , Computer security -- Management , Business -- Data processing -- Security measures , Information resources management -- Security measures , Business -- Standards
- Description: Organizations no longer draft their own standards. Instead, organizations take advantage of the available international standards. One standard may not cover all the organization's needs, requiring organizations to implement more than one standard. The same aspect in an organization may be covered by two or more standards, creating an overlap. An awareness of such overlaps led to various institutions creating mapping documents illustrating how a control from one standard relates to a control from a different standard. The mapping documents are consulted by the end user, to identify how a control in one standard may relate to other standards. This allows the end user to navigate between the standards documents. These mapping documents are valuable to a person who wishes to grasp how different standards deal with a specific control. However, the navigation between standards is a cumbersome task. In order to navigate between the standards the end user is required to consult three or more documents, depending on the number of standards that are mapped to the control being investigated. The need for a tool that will provide fast and efficient navigation between standards was identified. The data tier of the tool is the focus of this dissertation. As a result, this research proposes a modeling methodology that will allow for the modeling of the standards and the information about the mapping between standards, thereby contributing to the creation of tools to aid in the navigation between standards. A comparison between the major data modeling paradigms identifies multi-dimensional modeling as the most appropriate technique to model standards. Adapting an existing modeling methodology to cater for the modeling standards, yield a five step standard modeling methodology. Once modeled, the standards can be physically implemented as a database. The database schema that results from the standard modeling methodology adheres to a specific pattern and can thus be expressed according to well-defined meta-model. This allows for the generation of SQL statements by a tool with limited knowledge of the standards in a way that allows the quick navigation between standards. To determine the usefulness of the standards modeling methodology the research presents iv a prototype that utilizes the well-defined meta-model to navigate between standards. It is shown that, as far as navigation is concerned, no code changes are necessary when adding a new standard or new mappings between standards. This research contributes to the creation of a tool that can easily navigate between standards by providing the ability to model the data tier in such a way that it is extensible, yet remains independent of the application and presentation tiers.
- Full Text:
- Date Issued: 2010
Governing information security using organisational information security profiles
- Authors: Tyukala, Mkhululi
- Date: 2007
- Subjects: Data protection , Computer security -- Management , Computer networks -- Security measures
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9788 , http://hdl.handle.net/10948/626 , Data protection , Computer security -- Management , Computer networks -- Security measures
- Description: The corporate scandals of the last few years have changed the face of information security and its governance. Information security has been elevated to the board of director level due to legislation and corporate governance regulations resulting from the scandals. Now boards of directors have corporate responsibility to ensure that the information assets of an organisation are secure. They are forced to embrace information security and make it part of business strategies. The new support from the board of directors gives information security weight and the voice from the top as well as the financial muscle that other business activities experience. However, as an area that is made up of specialist activities, information security may not easily be comprehended at board level like other business related activities. Yet the board of directors needs to provide oversight of information security. That is, put an information security programme in place to ensure that information is adequately protected. This raises a number of challenges. One of the challenges is how can information security be understood and well informed decisions about it be made at the board level? This dissertation provides a mechanism to present information at board level on how information security is implemented according to the vision of the board of directors. This mechanism is built upon well accepted and documented concepts of information security. The mechanism (termed An Organisational Information Security Profile or OISP) will assist organisations with the initialisation, monitoring, measuring, reporting and reviewing of information security programmes. Ultimately, the OISP will make it possible to know if the information security endeavours of the organisation are effective or not. If the information security programme is found to be ineffective, The OISP will facilitate the pointing out of areas that are ineffective and what caused the ineffectiveness. This dissertation also presents how the effectiveness or ineffctiveness of information security can be presented at board level using well known visualisation methods. Finally the contribution, limits and areas that need more investigation are provided.
- Full Text:
- Date Issued: 2007
- Authors: Tyukala, Mkhululi
- Date: 2007
- Subjects: Data protection , Computer security -- Management , Computer networks -- Security measures
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9788 , http://hdl.handle.net/10948/626 , Data protection , Computer security -- Management , Computer networks -- Security measures
- Description: The corporate scandals of the last few years have changed the face of information security and its governance. Information security has been elevated to the board of director level due to legislation and corporate governance regulations resulting from the scandals. Now boards of directors have corporate responsibility to ensure that the information assets of an organisation are secure. They are forced to embrace information security and make it part of business strategies. The new support from the board of directors gives information security weight and the voice from the top as well as the financial muscle that other business activities experience. However, as an area that is made up of specialist activities, information security may not easily be comprehended at board level like other business related activities. Yet the board of directors needs to provide oversight of information security. That is, put an information security programme in place to ensure that information is adequately protected. This raises a number of challenges. One of the challenges is how can information security be understood and well informed decisions about it be made at the board level? This dissertation provides a mechanism to present information at board level on how information security is implemented according to the vision of the board of directors. This mechanism is built upon well accepted and documented concepts of information security. The mechanism (termed An Organisational Information Security Profile or OISP) will assist organisations with the initialisation, monitoring, measuring, reporting and reviewing of information security programmes. Ultimately, the OISP will make it possible to know if the information security endeavours of the organisation are effective or not. If the information security programme is found to be ineffective, The OISP will facilitate the pointing out of areas that are ineffective and what caused the ineffectiveness. This dissertation also presents how the effectiveness or ineffctiveness of information security can be presented at board level using well known visualisation methods. Finally the contribution, limits and areas that need more investigation are provided.
- Full Text:
- Date Issued: 2007
Using agreements as an abstraction for access control administration
- Authors: Reyneke, André
- Date: 2007
- Subjects: Information -- control and access , Computer security -- Management
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9791 , http://hdl.handle.net/10948/598 , http://hdl.handle.net/10948/d1011701 , Information -- control and access , Computer security -- Management
- Description: The last couple of decades saw lots of changes in the business world. Not only did technology change at a rapid pace, but businesses' views with respect to the role that information plays also changed drastically. Information is now seen as a strategic resource. This change paved the way for the so-called knowledge worker that not only consumes information, but actively participates in creating new knowledge from information. Employees must therefore be empowered to fulfill their new role as knowledge workers. Empowerment happens through job redefinition and by ensuring that the appropriate information is at hand. Although information is more readily available to employees, appropriate access controls must still be implemented. However, there is conflict between the need to share information and the need to keep information confidential. These conflicting needs must be reflected in the administration of access control. In order to resolve these conflicts, a finer granularity of access controls must be implemented. However, to implement a finer granularity of access control, an increase in the number of access controls and, therefore, the administrative burden is inevitable. Access control administrators must cater for a potentially large number of systems. These systems can not only be heterogenous as far as architecture and technology are concerned, but also with respect to access control paradigms. Vendors have realized that human involvement must be minimized, giving birth to so-called "provisioning systems". Provisioning systems, in principle, automate certain parts of access control administration. However, currently implementations are done in an ad hoc manner, that is, without a systematic process of identifying the real access control needs. This study aims to address this problem by proposing the "agreement abstraction" as a possible vehicle for systematically analyzing the access control requirements in a business. In essence, the agreement abstraction allows us to identify opportunities where access control can be automated. A specific methodological approach is suggested whereby the business is analysed in terms of business processes, as opposed to the more traditional resource perspective. Various business processes are used as examples to explain and motivate the proposed agreement abstraction further. This dissertation therefore contributes to the field of discourse by presenting a new abstraction that can be used systematically to analyse access control administration requirements.
- Full Text:
- Date Issued: 2007
- Authors: Reyneke, André
- Date: 2007
- Subjects: Information -- control and access , Computer security -- Management
- Language: English
- Type: Thesis , Masters , MTech
- Identifier: vital:9791 , http://hdl.handle.net/10948/598 , http://hdl.handle.net/10948/d1011701 , Information -- control and access , Computer security -- Management
- Description: The last couple of decades saw lots of changes in the business world. Not only did technology change at a rapid pace, but businesses' views with respect to the role that information plays also changed drastically. Information is now seen as a strategic resource. This change paved the way for the so-called knowledge worker that not only consumes information, but actively participates in creating new knowledge from information. Employees must therefore be empowered to fulfill their new role as knowledge workers. Empowerment happens through job redefinition and by ensuring that the appropriate information is at hand. Although information is more readily available to employees, appropriate access controls must still be implemented. However, there is conflict between the need to share information and the need to keep information confidential. These conflicting needs must be reflected in the administration of access control. In order to resolve these conflicts, a finer granularity of access controls must be implemented. However, to implement a finer granularity of access control, an increase in the number of access controls and, therefore, the administrative burden is inevitable. Access control administrators must cater for a potentially large number of systems. These systems can not only be heterogenous as far as architecture and technology are concerned, but also with respect to access control paradigms. Vendors have realized that human involvement must be minimized, giving birth to so-called "provisioning systems". Provisioning systems, in principle, automate certain parts of access control administration. However, currently implementations are done in an ad hoc manner, that is, without a systematic process of identifying the real access control needs. This study aims to address this problem by proposing the "agreement abstraction" as a possible vehicle for systematically analyzing the access control requirements in a business. In essence, the agreement abstraction allows us to identify opportunities where access control can be automated. A specific methodological approach is suggested whereby the business is analysed in terms of business processes, as opposed to the more traditional resource perspective. Various business processes are used as examples to explain and motivate the proposed agreement abstraction further. This dissertation therefore contributes to the field of discourse by presenting a new abstraction that can be used systematically to analyse access control administration requirements.
- Full Text:
- Date Issued: 2007
- «
- ‹
- 1
- ›
- »