Welcome to NBlog, the NoticeBored blog

Like the finer things in life, quality trumps quantity.

Jul 11, 2013

SMotW #65: information access control maturity

Security Metric of the Week #65: information access control maturity

Controlling access to information - permitting authorized and appropriate access while denying or preventing unauthorized and inappropriate access - is undeniably a core concern in information security.  It's pretty much all that old-skool IT security tried to achieve in terms of controlling access to data.  Back then, the overriding concern was confidentiality.  

These days the scope of our activities is much wider.  Restricting access to information remains important, but we also appreciate the need to disclose and use information where appropriate.  A data file locked away in a high security vault is certainly confidential but in most cases there's not a lot of point denying it to third parties unless we can use it (i.e. it is available to us as and when we need it) and unless it is sufficiently accurate, trustworthy, complete and up-to-date (the integrity property).  

If management expressed an interest in this area, how would you actually go about measuring your organization's approach to controlling access to information?  Stop and think about that for a moment before you read on.  Seriously, imagine you have been asked to develop a suitable access control metric for the CISO's information security dashboard, one that will be reported to and discussed by the C-suite every so often.  Exactly what would you measure, how, and why?  

If you already have a suite of security metrics in place, go check what (if anything) you are using to measure and report access control.  Go on, it'll only take a moment.

There's a fair chance you are using numbers from the IT systems concerning technical access controls.  'Rate of detected access violations' is an example, something you can probably glean from the security logs on your servers.  Fair enough, the rate gives an indication that people are (presumably) attempting and (presumably) failing to access files, disks, memory space, IT systems, network ports or whatever.  Similarly, intrusion detection/prevention systems can automatically spew forth metrics such as 'rate of attempted intrusions' that were detected and (presumably) blocked.  Neither of these technical measures tells you how many invalid, unauthorized and inappropriate access attempts succeeded, however, if they were not detected as such.   They are rather narrow, limited metrics.  They may be of some interest and utility for information security people and systems/network managers in fine-tuning the technical access controls, but as far as higher levels of management are concerned, they don't mean much and aren't much use to manage the organization's information security risks as a whole.

Other access control metrics might relate to the processes associated with controlling access, for instance many of the activities performed by Security Administration.  The rate of provisioning of user IDs, resetting user passwords, changing access rights and so on could be measured from Security Admin's job ticketing system, perhaps even counting how many forms they process each week.  Again, the measures are perhaps of use to the Information Security Manager or Head of Security Administration but not much beyond that.

Yet another measure might be the number of system accounts held by employees - we discussed that metric a long time ago ...

... We could go on, but hopefully that's enough to give you a flavor of the variety of ways to measure access control, and the limitations of many of the measures taken in isolation.

Acme Enterprises Inc. has considered a different approach, a kind of measure-of-measures - a higher-level metric that gives senior management an overview of all the different elements involved in controlling access to information.   Specifically, they have evaluated a maturity metric.

We have described the maturity metric approach before in relation to measuring security policy management, physical security, human resources, and compliance.  The access control maturity metric assesses the organization's status by reference to a notional maturity scale for each type of control.  It is quite straightforward for someone with professional experience of a wide variety of access controls to develop the maturity scale, especially with the benefit of applicable standards and guidelines in this area.  Acme's version has 4 scoring points on a continuous scale, ranging from no control whatsoever to outstanding control (best practices, you might say).

Take the line for access control policies, for instance, one of several rows used in the access control maturity metric.  The scoring points on this line are:
  • 100%: "Access policies are formally defined for all systems by information asset owners.  The rules are proactively implemented, confirmed, maintained, monitored and periodically reviewed by a dedicated Security Administration function."
  • 67%: "Access policies and rules are well defined, implemented and maintained on most systems, including all sensitive/critical systems, with some compliance activities such as exception logging."
  • 33%: "Access policies or rules are partially defined and implemented on some systems (e.g. controlling logical but not physical access) but are generally not well maintained."
  • 0%: "There are no access policies or rules of any description."

[For the rest of the table, please refer to Appendix H in the book.]

The PRAGMATIC ratings for this metric tell a tale, as always:


The lowest rating, for Actionability, merits 70% because although the overall access control maturity score is not directly actionable, the detailed row-by-row scores are, to some extent.    In the managers' minds, this metric is highly Relevant to information security, implying that they feel access control is essential.  With an overall PRAGMATIC score of 86%, this is clearly a strong candidate for Acme's information security metrics system.