The Increasing Problems Of Controlling Access
•Descargar como PPT, PDF•
1 recomendación•464 vistas
This was a presentation I gave at the Information Week RMAA Seminar 2008. It was on the increasing problems of trying to control access within organisations, focusing on sensitive and classified information.
![Outline ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (17)
Similar a The Increasing Problems Of Controlling Access
Similar a The Increasing Problems Of Controlling Access (20)
Último
Último (20)
The Increasing Problems Of Controlling Access
- 1. The Increasing Problems of Controlling Access Presentation to RMAA Seminar 13 May 2008 Kylie Dunn Knowledge & Records Manager Department of State and Regional Development
- 3. … but I digress…
- 4. AS ISO 15489 Requirements … both within an organization and to external users.
- 5. … assigning access status to both records and individuals.
- 6. … categorized according to their access status…
- 7. … specify access permissions to records relating to their area of responsibility.
- 12. Managing risk
- 13. Risk averse
- 16. Pre-digital age
- 18. The good old days?
- 22. Databases
- 26. Strong reliance on user
- 31. Safer than our own staff?
- 32. Loss of control
- 34. Staff need to get it right
- 37. Not all about systems
- 39. Access Models
- 40. ? ? ?
- 42. Hard to maintain accurately
- 43. Staff awareness
- 44. Storing
- 45. Transmitting
- 46. Cost of getting it wrong
- 48. Needs to be easy
- 49. Role of Records Staff?
- 50. Advisory
- 52. Training staff
- 53. Access Models
- 54. No quick fix
- 55. Managing risks
- 56. Technology helps
- 57. Access model is a must
- 58. Staff need to understand
Notas del editor
- Good afternoon everyone, today I’m going to examine how changes in the technology, systems and methods of recordkeeping and the communication of records require far more stringent access controls within an organisation, and how these requirements can be achieved through
- I’m going to examine the policy requirements for this sort of activity, look at the issues around applying access controls within certain systems and how technology is introducing new and interesting methods of risk in trying to control the transmission and storage of records. So after the doom and gloom of the problems I’ll then look at how the organisation can help itself overcome these problems and what the role of the records staff is in supporting technology, defining policies and training staff.
- But before we get into the nitty gritty of this a little divergence is probably in order. As ???? mentioned, I have only been in State government for a couple of months, after eight years with Defence – and after managing the records for an operational headquarters inside Defence for the last two years I’m enjoying the break. But I’m also very amused by the different attitudes within the two organisations towards controlling access to information, and my general feel at this point in time is that Defence was far better at sharing information within the organisation than my current department is, which I found very surprising – it would appear that the commercial nature of some of the work is seen as more problematic than national security. BUT I DIGRESS
- Onto policy. The recordkeeping standard makes the following points about Access: It’s about internal and external controls within an organisation.
- It’s applied to both elements – the records and the people. This can help an organisation establish who should have access and who shouldn’t, but can be problematic when you start discussing whether someone has a “need-to-know” – which is not as black and white as we would like it to be.
- That managing access ensures that records are categorised according to their accessibility as it is at a particular point in time – since access can (and in many cases should) change over time.
- And that the STAFF who are responsible for the business function are in the best position and should be given the responsibility of specifying the access.
- The Australian National Audit Office report of 99-00 investigated the status of security classification systems within government in detail. Among other things they found…
- That staff had a general lack of understanding about the classification system which resulted in incorrect classifications, or in the worst cases, no classifications.
- That the most common error was to err on the side of caution and over-classify records – which causes all sorts of other issues that I will discuss a little later.
- They also delivered a list of requirements for the organisation including creating policy, defining responsibilities, ensuring technological and physical securities are in place, developing procedures for policy implementation and developing and conducting training with staff.
- The policies, procedures and training are all risk management activities – that’s what we’re really talking about here – how do we best limit the risks of people gaining inappropriate access to your organisation’s records??
- Because you can’t be too risk averse in the development and implementation of your access control policies and procedures. This will result in policies that are unworkable or that make it very difficult for the staff to do their jobs, they can also be very expensive for the organisation to manage.
- And risk aversion will generally result in technology aversion – since you don’t want to open up electronic access to records, you want to keep everything locked away and controlled by the records staff. Technology aversion can make it difficult to enhance the abilities for the staff to create, store, retrieve and share (both internally and externally) – and staff are creative, so they will find ways outside of the accredited systems to do it if you don’t provide systems to support them. So this is not a good approach to take with your policies.
- Really, what we’re going to be talking about it developing policies, turning them into simple and easy to understand procedures and ensuring staff are adequately trained in them. These activities combined will formed a much more coherent and robust risk management strategy than aversion.
- So, in the “good old days” there was usually only one copy of the record, which was kept physically within the records area, or maybe at someone’s desk. Records were generally created in one way
- And could thus be far more easily access controlled, simply by applying physical restrictions the access – safes, locked cabinets, controlled registries.
- However there were issues in being able to search for and retrieve information when it was created and managed in a purely physical sense – but I guess since there was far less information the issue was not as pronounced as it would be today.
- In the digital age we create records in a variety of formats and in far greater volume than ever before. Electronic documents, emails, databases, websites, intranet sites all contain or need to be captured as records. And each of these systems can contain a variety of sensitive or classified information that needs to be controlled against inappropriate access. Just as the amount of information we deal with now has grown exponentially over the last decade – so to have the number of systems that we need to control access to that store that information. So what are these systems and what are the benefits and potential issues around trying to classify information within them and limit access to it?
- I’m going to start with the controversial one, because you and I both know that using a shared drive is not an accredited recordkeeping system and should not be the sole repository for records in any organisation. However, the fact of the matter is that this is where staff place their documents (that is when they aren’t squirreling them away in their H drive) and very few of the “records” that are stored on the shared drive ever actually make it onto a physical file, or into an accredited recordkeeping system. Further to this, even if the records are making it onto the file, the fact remains that they will still exist in the shared drive where they were created, and so we need to be cognisant of the access controls that are being afforded to this information. Permissions within shared drives can be very time consuming to manage properly (especially in organisations like the ones I’ve worked in where staff come and go regularly, or shift to other positions for a few months and so on). As well as this, these permissions are usually controlled by the IT staff, as they will normally lock down the standard user from not only changing folder access but being able to see who has folder access as well. That brings us to the low fidelity of access inside this system. Audit logs can be set up fairly well for a lot of functions in a shared drive but even if they are established they aren’t readily available to staff. So not only can you not see who can access or change a document you can’t even see who has accessed it or changed it. And lastly, the application of security classifications within this system is not easily achieved. It is not a drop down list, there is little metadata available inside a shared drive, so organisations will come up with a process that will work around the limitation. Headers and footers for the printed document are a great indication to anyone who opens it, but what if I’m emailing it out of the system and I don’t check to see whether it has handling instructions or a classification first?? Our policy is to put it into the Comments field in the document properties – how many staff do you think bother to do that, and how many others do you think bother to look?
- So we’ll move onto Electronic Document Management Systems – These fall into two categories – those that are part of a recordkeeping system like Objective or TRIM and those that are purely EDM systems like Hummingbird and Sharepoint. Either way both are a huge improvement on the shared drive, but the recordkeeping systems will generally offer greater metadata fidelity, management and control. They have far better auditing and usually have audit trails that are visible to the user – so not only does the system know exactly who did what and when they did it, but I can see it too. The application of privileges is usually easier, depending on how your organisation has it set up, and it can usually be devolved outside the IT administrators space, as it is usually not an “administrative privilege” as such. Users will often have the ability to see who has access privileges and what access they have, so staff can check the application of privileges in areas where they are placing sensitive information. It is also far easier to apply classifications (in all senses) as the document can have an often unlimited number of metadata fields assigned to it, which are searchable, reportable and displayable (if that’s a word). But there is still a major drawback with these systems, what happens when the record is taken out of it? What happens if I want to send it to Bob through the email, because I know Bob doesn’t have access to it inside the system. The metadata doesn’t stay with it, and depending on how I’ve taken it out of the system you may not know that I’ve done so. [by the way I have no advice or solution on how to solve that aspect of these systems, training staff how to do it correctly so the audit trail knows that it was emailed to Bob is one way, but as I’ve mentioned before - people are creative]
- And then we have databases… These are becoming more and more of an issue, since we seem to use databases for capturing so many official records now (when you get right down to it, recordkeeping systems are just databases for storing files and documents). The biggest issue with the development of databases for capturing records is that the IT staff, project team and developers seldom include records staff in the design and development process to make sure that the recordkeeping requirements are being properly addressed.
- As 01-02 ANAO report on recordkeeping states... these systems meant that there were gaps and these “Gaps in collection of recordkeeping information compromise an organisation’s ability to prove the authenticity, accuracy and integrity of their records and to manage their records efficiently and with appropriate protection.”
- The existence of systems like TRIM and Objective prove that databases can be built to deal with the compliance aspects of the Recordkeeping Standard. But it’s up to the developer or the project staff to ensure that these requirements are included in the scope for systems that will be responsible for the capture of official records (like our financial databases, HR databases, leave databases or the client database in my current Department). Anything is possible in development terms, if you have enough time and money, which we usually don’t. You can create a database which allows staff to tag every field with a different security classification, so that a user logging into the system without the correct clearance will not see those fields – but that means adding a classification field to every other field in the database, ensuring that you can capture the users clearances, being able to identify the user and then creating pages that only retrieve the information that user is cleared to see. Whilst that would work in 95% of national security classification situations it is not easy to apply to the In-Confidence side of things – access is usually a lot more complex than just a person’s clearance – and so we run into the “need-to-know” phrase which I’ll discuss later.
- And the last set of systems to examine are websites… Since a lot of websites (especially portal based technology) run on databases nowadays, we’ve already discussed some of the issues surrounding the technology, but we’ll go into this further. Pages and sometimes individual content or documents, can be locked down to limited sets of users through most content management systems, but that requires the database to know who you are. Without a content management system this becomes increasingly more difficult to achieve but technically anything is possible, as we’ve already discussed.
- The major issue with all of these systems which overarches all of their benefits is that they are reliant on the user to apply the correct security classification in the first place – otherwise the smartest system in the world will not know that they have to limit the access. And for systems like a shared drive, it is more complex as it relies upon staff knowing who can access certain areas, or contacting the IT area to ensure that folders are locked down, thus limiting their accessibility. Overall, there are two general scenarios that you will end up with: Either the staff will find it too difficult to mark their documents with the correct handling instructions so they will lock everything away in their H drive so it is all safe. Or the staff will decide that it’s all too hard (working out when to apply handling instructions and who should have access and so on) so they will simply not apply any. This means that they have not limited access, or advised other staff on the potentially sensitive nature of a record
- If controlling access to records inside your internal systems is this complex then what about when staff take that information and send it to someone else? This is becoming increasingly problematic as you lose a lot of control over a record when it leaves your recordkeeping system, and relinquish complete control when it leaves your organisation. So how can you guarantee that it is still being afforded the correct access controls?? In short, you can’t, but let’s look into it a little further…
- I don’t know about you, but I would happily turn email off within an organisation – it is generally a poorly managed communication tool that is used inappropriately as an information storage device that heavily restricts the discoverability of information within the organisation and is an extremely inefficient form of collaboration and communication (often resulting in large amounts of duplication, redundancy and numerous back-and-forth to resolve something that a five minute phone call would have achieved just as well, if not better). It has a place, but most organisations don’t know what that place is… that’s my little rant for the day So what are the issues around communicating records through email… they all involve security of the records you have sent (and since we’re really talking about sensitive records here this is a major problem). Do you know who has access to the inboxes you have sent it to? Many people will open proxy access to their inbox up to other staff during their absence, or if they work in close teams. How do you know who ELSE has seen the document? And once it has left your space how do you ensure that they store it appropriately and afford the correct access controls within their space? How do you know they haven’t sent it on to someone else. And then there is the security aspect of some of these communications. Where is the email actually going? Gone are the days when you knew that Mary was sitting in her office on her PC when she opened your email, how do you know she isn’t Blackberry on a train, Starbucks wirelessly using their internet access to get her webmail, public machine at the airport accessing her Google Mail And all of these technologies carry inherent risks with them, even sending an email out to Mary sitting at her PC has an inherent risk, as you don’t know how good her firewall is, and who might be able to intercept the document. A photocopy was never as easy to intercept, not as easy to store in an inappropriate location and certainly not as easy to inadvertently send out to the world (Reply to All). It was still possible to send information on, to make it available to others (faxing to a heap of people and so on) but it was not as easy. Mention photocopying at Rank
- The “Cloud” is that ethereal network, the world wide web, electronic communication through wireless technologies and so forth. The Cloud allows an organisation a huge amount of flexibility in the way they can conduct business – the cloud is also a security nightmare, for most of the reasons I mentioned in the last point about email.
- Millions of records are compromised each year through the internet – in 2006 the reported figure was 20 million records – the incident referred to in this article helped bump the 2007 figure up to 74 million (or for other figures released from by Attrition.org 49 million up to 162 million). Regardless the figures are scary, and given that one of our websites suffered a hack attack on Monday night that took it offline for about eight hours – this is not hype.
- However, according to the World Information Access website in a 2007 article - Excluding a particularly large security breach at Acxiom, hackers account for the largest volume of compromised records, some 45 percent, while 27 percent of the volume is attributed to organizational mismanagement and 28 remains unattributed. But in terms of incidents, 9 percent were an unspecified type of breach, 31 percent of the incidents involved hackers, and 60 percent of the incidents involved organizational mismanagement: personally identifiable information accidentally placed online, missing equipment, lost backup tapes, or other administrative errors.
- Again it reinforces the need to be technologically aware of situations, ensure that your staff understand the inherent risks associated with communicating sensitive (and non-sensitive) records but to not become technologically averse as a risk management solution. In the end we need to accept that there will be a loss of control of these records, and hope that trust will not be misplaced with those people receiving them. Policies also need to state that staff must positively identify the handling requirements in the email, to try to stop the receiver from mismanaging the information – Federal government has the [SEC=XXX] subject line inclusion to identify the sensitivity or security of the enclosed information – but again it is up to staff to apply this appropriately.
- So where do the organisational policies, individual skills and knowledge of the staff to appropriately mark information come into this, and what are the implications.
- The ANAO provided the following insight in their 99-00 Report on classification: “Over-classification has the effect of increasing the costs of protection and restricting the flow of information within the organisation. In addition, there was sensitive material at each of the organisations that had not been classified when it should have been. This material was held in both hardcopy and electronic form. Furthermore, staff normally only classified work that they had created themselves, as there was little indication of classifications being applied to information received from external sources. Finally, documents not placed on official files were not generally classified.”
- So the problems with Overclassifying are… That there are increased management burdens placed upon the organisation, which adds to the cost of storing and managing records as well. For instance, a SECRET file needs to be kept in a C class cabinet, which is basically a safe. Whereas a RESTRICTED file can be kept in a filing cabinet or even on someone’s desk if the building is appropriate. Thus they are far easier to store and manage. And when you think about the inactive files that need to be kept in a secure repository, the cost can be very significant. Also moving classified files requires accredited companies, whereas staff can easily carry unclassified files around (without the need for two staff, a briefcase and other physical protective requirements). And then there are the less obvious costs to the organisation. The inability to share information with staff because it has been classified outside of their access can impact the decision making within the organisation, and the efficiency of staff to be able to perform their duties. So what if I’ve inappropriately placed unclassified information on a classified file? What if I’ve classified it too high? The administrative assistant might have only been deemed to need a Confidential clearance, and I’ve just classified documents out of her access, which might be a pivotal part of her job.
- But under-classifying information is just as dangerous to the organisation. It might not cost more in operational costs, but not affording the correct access to a record could have more serious impacts. Breaches of Privacy Acts, releasing commercial-in-confidence information or breaching national security requirements can all lead to a loss of reputation, court action or other such detrimental actions being taken against the organisation. A handling marking will ensure that any other staff that have been afforded access to that record will know how to deal with the information appropriately, if it has been under-classified or not classified at all then you are leaving it up to staff to make their own judgement decisions, which may perpetuate the non-legitimate access.
- Just as we shouldn’t be technologically averse we also shouldn’t be guided by the opinion that technology can solve all of these problems. I hope that I have made enough of a point that this relies on people classifying the information, and people doing it right.
- But, technology can certainly help an organisation protect information from unauthorised access and editing. This can be done in two main ways: the IT staff can group staff and apply access controls within databases, EDMs, shared drives and websites, and Staff can appropriately inform others of the security requirements surrounding the information by marking the document/data or by capturing the requirements in metadata. The problem with using metadata is that it can be foreign and unworkable for staff to assign the classification, and for other staff to look for and identify that one has been applied. At the end of the day, all systems are only as good as the people using them. Just as we are reliant on staff to put information in the right folder/file, apply the right keywords and so on, they are required to apply the correct classification.
- And the more numerous and complex our systems become, the harder it is for people to maintain an overarching understanding of who has access to what, especially with so many staff movements in the workplace now. This is where the Access Model comes in as a way of positively managing the policies around access to records, defining and capturing the groupings of staff and trying to improve the understanding of the recordkeeping staff, other staff members and…
- The poor IT helpdesk staff that usually end up with the bulk of the responsibility of looking after all of this stuff.
- This is the basic anatomy of an access model. It should identify the system – what it does, who is responsible for the management and support of it and the software it sits on – importantly this needs to include the system owner, and any other persons that can approve alterations in a staff members access within the system what the security requirements of that system are (so what level of information can be placed into it) general policy overview (so things like, individuals will not be given access to folders only groups can be given access and individuals will belong to the groups) A list and definitions of the user groupings within the system – especially highlighting those that will have restricted access A list of exceptions to the rules defined in the policy area (as there are always exceptions) Definitions of what each of the permissions in the system means (read, write, create, delete etc. they don’t always mean the same thing) What permissions have been allocated to what groups against what folders/containers/records
- As you can see from that list, these things are hard to maintain – which is why you do not include individuals in anything – your list of permissions is against GROUPS, which means that this document can remain a lot more static. In an appendix or working document you would maintain a list of who was in what group. It also helps to clearly define the process that staff must undertake when changing positions or leaving the organisation so you can ensure that their access is changed accordingly – smaller organisations are quite simple but once you get over a hundred staff there need to be formal processes.
- So finally we get onto the staff – they need to be trained about their requirements in relation to the protection of records within the organisation. The only way to ensure that the staff are applying the appropriate controls on records, and that they understand what those controls actually mean is to train them. Since this sort of topic is about as interesting to staff as every other aspect of records management, this is not an easy job. It also has to be made very relevant to them and their information. Overall they need…
- to understand the issues around why it is important to classify the information when they store it and how their failure to classify may allow unauthorised access, but if they over-classify they can hinder the organisation financially and operationally.
- They need to understand the issues around electronic communication – what is safe and what isn’t – so they can adequately evaluate when they should and should not be doing it.
- They need to understand the classification scheme, what needs to be afforded security protection and what doesn’t. They need to understand the difference between classifying inside and outside the organisation. For instance, within my Department we may place a Client’s information in a Commercial in Confidence file, because we are working on a business proposal with them that contains a lot of their financial information, business plans and other documents that are commercially sensitive. This marker helps people inside the agency know that they should not be openly discussing the contents of the file with personnel outside the organisation. BUT there are other agency staff that might have a need to know about this activity, and how it might affect competitiveness of a particular industry sector. So even though they are not working on the project itself they will need access to the information. The sensitivity of the information is really for external release, the markings limit releasability outside the Department, inside the Department the handling instructions (caveats) are an indicator to staff about how they should manage the information, not a way to hide it from them.
- And then they need to understand that the “need-to-know” is not the overriding decider for all records within the system. It should be used sparingly, because as I just mentioned, they may not be aware of how much their current project will impact on other staff, and if they keep it too close hold then it can have as damaging an effect on the organisation as allowing too many people to know it. The good old military saying “loose lips sink ships” is important to remember in an organisation, but it should be tempered by the fact that you should be able to trust the staff within your organisation to do the right thing – and as long as you know that they’ve been trained as well as you then this should not be an issue.
- LASTLY, it needs to be easy and intuitive, or else they won’t do it, and that really is the bottom line. We all know this, as records staff, that staff are seldom malicious in their negligence with managing their information – more often than not it’s apathy or laziness and the more difficult it is the less chance you have.
- So what do I see as the role of the records staff in all of this, because this is a complex issue that requires input from a variety of skills within the organisation. Well I see that the records staff have…
- an advisory role within the organisation in relation to access controls. The creation of labelling and handling policy will normally be done by an information security type role within the organisation, as it relates to a lot of other things, not just records security. So I’m not saying that records staff should be creating these policies, but they should be consulted to ensure that the decisions made are not going to have an adverse impact on the ability of staff to create and store records correctly or the records staff to be able to manage, retain or dispose of them. The advisory role should also extend to the development of any system within the organisation that will be treated as a records repository – be they the Records systems, EDM systems, databases, websites or even the dreaded shared drive. This will ensure that developers consider compliance issues around recordkeeping and don’t create systems that allow for gaps in the corporate record.
- Records staff should ensure that the labelling and handling policy is incorporated in current recordkeeping procedures, or that new procedures are written to assist staff in understanding how to classify information correctly so that it can be more easily access controlled as required.
- I also see that the Records staff have a strong training role with this… as with all aspects of records. This is probably the hardest part to achieve, since most people seem to consider recordkeeping training as painful as water torture, but it is a requirement. And as the ANAO reports indicate, this is something that staff generally do not do well due to a lack of understanding.
- Lastly, I see that the records area should be responsible for the development and maintenance of access models for the recordkeeping systems within the organisation (and by this I mean that actual recordkeeping systems like Objective and TRIM). They should also be advising other elements of the organisation on the development of access models for systems that have a recordkeeping function (like the HR database), but since the retention of records is more of a secondary function for these systems I don’t believe that the records staff should be responsible for all Access Models.
- So what am I hoping you will take away from this presentation? This is a complex area of recordkeeping that there is no quick fix to overcome (not that I think there are any quick fixes in recordkeeping unfortunately). It is made all the more complex by the constant enhancements to technology, lack of consultation with records staff about systems and that it relies on staff to understand and apply very dry policy.
- Applying access control to records is a risk management activity that requires policy, procedures and training, not a culture adverse to technology and sharing.
- Technology can assist records staff greatly, but it is not the silver bullet that will solve the problems (and sometimes it can make them worse)
- With an ever increasing amount of complex systems coming into an organisation there is a distinct need to create and maintain access models for recordkeeping systems, as they are the best chance of maintaining positive control over access, and providing guidance to IT staff on how they can and cannot apply access within the system.
- At the end of all of this, STAFF need to understand. And this is a double-edged statement: All staff in the organisation need to understand what the policies are in relation to confidential, sensitive or classified information, they need to understand and be trained in the procedures for evaluating records and applying the correct classifications to them and they need to be held accountable for getting it wrong. It also means that the records staff need to have the same level (if not slightly higher) of understanding about the policies and procedures, but more than this, they also need to understand how the “systems” work to support the policies. The requirement for records staff to have strong IT skills is becoming increasingly important in a world where a significant amount of records are retained in IT systems.