Running head ROLE-BASED SECURITY  1ROLE-BASED SECURITY  2.docx

Running head: ROLE-BASED SECURITY

Role-based Security

The separation of duties within Kudler Fine Foods is important because it limits the amount of power any one individual holds (Gregg, Nam, Northcutt & Pokladnik, 2013). It also makes it possible to manage conflicts of interest, and the appearance of conflicts of interest, and it prevents fraud. Separation of duties requires that, for certain sets of transactions, no single person is able to perform every transaction in the set (Ferraiolo & Kuhn, n.d.). As an example, fraud in the handling of money can be prevented by having one salesperson take the order while a different salesperson marks the order as paid, and by having someone from the fulfillment department ship the product. Because different employees carry out different steps in the handling of money, controls are in place that ensure the security and accuracy of the order information entered into the system. Another example is that a Department Manager's duties are separate from those of the HR personnel: the Department Manager handles product or item requisitions, while HR is responsible for hiring employees and classifying employees' benefits based on their positions in the organization. By separating the duties of the Department Managers from those of the HR personnel, it can be ensured that only qualified and authorized people are able to make product requisitions or to modify employee benefits, respectively.

In the same way, using roles to segregate data and system access among the members of an organization helps ensure that only authorized people are able to perform certain tasks. Roles can be likened to employees' positions in the organization, and their level of data and system access to their duties. For example, only Department Managers should have access to the inventory and the list of suppliers, while only HR personnel should have access to employee information. With these restrictions on system and data access, an HR employee cannot, whether intentionally or by mistake, place orders for items that do not need replenishing. Similarly, Department Managers cannot see the salaries of their fellow Department Managers and cannot assign extra benefits to their favorite employees.

Comment by marjorie: How would you implement this at Kudler Fine Foods?

In this regard, a role-based access control system is the best way of accomplishing this type of security, because a role-based control system has the mechanisms needed to enforce a policy of separation of duties (Ferraiolo & Kuhn, n.d.). It provides "a means of naming and describing relationships between individuals and rights" (Ferraiolo & Kuhn, n.d., p. 10), which in turn gives the organization a secure way of meeting its secure processing needs. Although the design and implementation of a role-based access control system is quite challenging, it can be tailored to the organization's security risk tolerance and business model (Guerin & Lord, 2003). It is also scalable and requires little maintenance, which makes it a cost-efficient solution.
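As an added example, not part of the paper and not code from any Kudler Fine Foods system, the Go program below shows how a role-based access control engine can enforce both kinds of separation of duties described above: a static constraint that no one person may hold both the Department Manager and HR roles, and a dynamic, per-order constraint that the salesperson who took an order may not also mark it paid, and whoever handled the money may not ship it. The role names, permission strings, user names and order identifiers are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Role and permission names are assumptions matching the paper's Kudler scenario.
type Permission string

const (
	TakeOrder       Permission = "order:take"
	MarkOrderPaid   Permission = "order:mark_paid"
	ShipOrder       Permission = "order:ship"
	RequisitionItem Permission = "inventory:requisition"
	EditBenefits    Permission = "employee:edit_benefits"
)

// RBAC core: rights are attached to roles, never directly to users.
var rolePerms = map[string][]Permission{
	"Sales":             {TakeOrder, MarkOrderPaid},
	"Fulfillment":       {ShipOrder},
	"DepartmentManager": {RequisitionItem},
	"HR":                {EditBenefits},
}

// Static separation of duties: no user may hold both roles of a pair.
var staticSoD = [][2]string{{"DepartmentManager", "HR"}, {"Sales", "Fulfillment"}}

// Dynamic separation of duties within one order: for each step, the earlier
// steps that the same user must not have performed on that order.
var dynamicSoD = map[Permission][]Permission{
	MarkOrderPaid: {TakeOrder},
	ShipOrder:     {TakeOrder, MarkOrderPaid},
}

var ErrDenied = errors.New("access denied")

type Engine struct {
	userRoles map[string]map[string]bool
	history   map[string]map[Permission]string // orderID -> step -> user who did it
}

func NewEngine() *Engine {
	return &Engine{userRoles: map[string]map[string]bool{}, history: map[string]map[Permission]string{}}
}

// AssignRole grants a role unless it conflicts with one the user already holds.
func (e *Engine) AssignRole(user, role string) error {
	for _, pair := range staticSoD {
		for i, r := range pair {
			if other := pair[1-i]; r == role && e.userRoles[user][other] {
				return fmt.Errorf("static SoD: %s holds %s and may not also hold %s", user, other, role)
			}
		}
	}
	if e.userRoles[user] == nil {
		e.userRoles[user] = map[string]bool{}
	}
	e.userRoles[user][role] = true
	return nil
}

func (e *Engine) hasPermission(user string, p Permission) bool {
	for role := range e.userRoles[user] {
		for _, rp := range rolePerms[role] {
			if rp == p {
				return true
			}
		}
	}
	return false
}

// Perform authorizes one step and, if allowed, records who performed it.
// orderID is "" for actions that are not tied to a particular order.
func (e *Engine) Perform(user string, p Permission, orderID string) error {
	if !e.hasPermission(user, p) {
		return fmt.Errorf("%w: no role of %s grants %s", ErrDenied, user, p)
	}
	if orderID == "" {
		return nil
	}
	for _, earlier := range dynamicSoD[p] {
		if e.history[orderID][earlier] == user {
			return fmt.Errorf("%w: dynamic SoD, %s already performed %s on %s", ErrDenied, user, earlier, orderID)
		}
	}
	if e.history[orderID] == nil {
		e.history[orderID] = map[Permission]string{}
	}
	e.history[orderID][p] = user
	return nil
}

func main() {
	e := NewEngine()
	fmt.Println(e.AssignRole("alice", "Sales"), e.AssignRole("bob", "Sales"), e.AssignRole("carol", "Fulfillment"))
	fmt.Println(e.Perform("alice", TakeOrder, "ord-1"), e.Perform("alice", MarkOrderPaid, "ord-1")) // second is refused
	fmt.Println(e.Perform("bob", MarkOrderPaid, "ord-1"), e.Perform("carol", ShipOrder, "ord-1"))
}
```

The two mechanisms answer different questions. The static pair list is checked when a role is granted, so a single account can never accumulate conflicting rights; the dynamic table is checked at the moment of the transaction, so two people in the same Sales role are still forced to split the money-handling steps for any one order. Both checks fail closed: a refused step is never written into the order's history.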
Moreover, this approach leads to increased efficiency and to the maximization of strategic business value and operational performance. It can also automate and streamline many business processes and transactions, which in turn enables users to perform their jobs faster, better, and with greater personal responsibility.

Comment by marjorie: Now apply this to Kudler Fine Foods.

On the other hand, various techniques can be used to address distributed trust management issues for users who go to, or come from, business partner networks. For example, the distributed recommendation-trust model developed by Alfarez Abdul-Rahman and Stephen Hailes proposes a conditional transitivity of trust: it hypothesizes that trust is transitive only under certain conditions (Li & Singhal, 2007). The model assumes that trust is asymmetric and distinguishes two categories of trust relationship, direct trust and recommender trust. It categorizes the trust relationship between two entities by the kind of interaction involved, and trust in the different categories is independent of trust in the others. Furthermore, it uses continuous trust values for both recommender trust and direct trust (Li & Singhal, 2007). Another method for managing distributed trust is public-key cryptography (Li & Singhal, 2007). With this method, a public-key certificate is issued by a trusted third party to certify the ownership of a public key. A certificate contains the identity of an entity, the entity's public key, and other data, such as the digital signature of the trusted third party. It is assumed that service users know the public key of the third party, which enables them to verify the certificate. The third party vouches only for the association between a public key and an entity, not for the entity's trustworthiness.

Comment by marjorie: How do you propose setting this up for Kudler?
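As an added example, not taken from the paper or from Li & Singhal, the Go program below implements the certificate scheme just described with a deliberately minimal certificate format: a trusted third party signs the binding between a partner's identity and its public key, a service user that knows only the third party's public key verifies the certificate, and only then accepts a message signed by the partner. The CA name, partner name, certificate field layout and sample message are assumptions for illustration; a real deployment would use X.509 certificates and Go's crypto/x509 package rather than this hand-rolled format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Certificate is a deliberately minimal stand-in for an X.509 certificate:
// it binds a subject name to a public key and carries the issuer's signature
// over that binding. The field set is this example's own assumption.
type Certificate struct {
	Subject   string `json:"subject"`
	PublicKey []byte `json:"public_key"`
	Issuer    string `json:"issuer"`
	NotAfter  int64  `json:"not_after"` // Unix seconds
	Signature []byte `json:"signature,omitempty"`
}

// tbs returns the to-be-signed bytes: every field except the signature.
// c is a copy, so clearing Signature does not touch the caller's value.
func (c Certificate) tbs() ([]byte, error) {
	c.Signature = nil
	return json.Marshal(c)
}

// CA is the trusted third party. Only its public key is handed out.
type CA struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCA(name string) (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{Name: name, Pub: pub, priv: priv}, nil
}

// Issue vouches that pub belongs to subject until now+validFor. It says
// nothing about whether subject can be trusted to behave well.
func (ca *CA) Issue(subject string, pub ed25519.PublicKey, validFor time.Duration, now time.Time) (Certificate, error) {
	cert := Certificate{Subject: subject, PublicKey: pub, Issuer: ca.Name, NotAfter: now.Add(validFor).Unix()}
	msg, err := cert.tbs()
	if err != nil {
		return Certificate{}, err
	}
	cert.Signature = ed25519.Sign(ca.priv, msg)
	return cert, nil
}

var (
	ErrUnknownIssuer = errors.New("certificate issuer is not a trusted third party")
	ErrBadSignature  = errors.New("certificate signature does not verify")
	ErrExpired       = errors.New("certificate has expired")
)

// Verify is the service user's side: it needs only the trusted CAs' public keys.
func Verify(cert Certificate, trusted map[string]ed25519.PublicKey, now time.Time) error {
	caPub, ok := trusted[cert.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	msg, err := cert.tbs()
	if err != nil {
		return err
	}
	if !ed25519.Verify(caPub, msg, cert.Signature) {
		return ErrBadSignature
	}
	if now.Unix() > cert.NotAfter {
		return ErrExpired
	}
	return nil
}

// VerifiedSigner returns the certified subject only if the certificate checks
// out against a trusted CA and sig is that subject's signature over msg.
func VerifiedSigner(cert Certificate, trusted map[string]ed25519.PublicKey, now time.Time, msg, sig []byte) (string, error) {
	if err := Verify(cert, trusted, now); err != nil {
		return "", err
	}
	if !ed25519.Verify(ed25519.PublicKey(cert.PublicKey), msg, sig) {
		return "", errors.New("message signature does not verify under the certified key")
	}
	return cert.Subject, nil
}

func main() {
	ca, _ := NewCA("Kudler Root CA")
	partnerPub, partnerPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert, _ := ca.Issue("supplier.example", partnerPub, 24*time.Hour, time.Now())
	trusted := map[string]ed25519.PublicKey{ca.Name: ca.Pub}
	msg := []byte("purchase order 1001") // constructed sample message
	fmt.Println(VerifiedSigner(cert, trusted, time.Now(), msg, ed25519.Sign(partnerPriv, msg)))
}
```

Verify answers only one question: did a CA the service user already trusts sign this name-to-key binding, and is the binding still within its validity period. It will accept a certificate for any subject the CA chose to sign, and a second CA that happens to use the same name but a different key fails the signature check. Whether supplier.example should then be allowed to place orders is a separate decision that belongs to the role-based access control policy, which is the paper's point that the third party vouches for the key binding, not for trustworthiness.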
In conclusion, separation of duties, which is expressed as the rules defined in a role-based access control system, secures an organization by restricting any single user's power or rights and by preventing fraud. Moreover, implementing a role-based access control system leads to a more efficient system and to increased user productivity. In addition, although the implementation of a role-based access control system can result in a distributed system, trust in such a system can be managed through various techniques, such as the distributed recommendation-trust model and public-key cryptography.

Comment by marjorie: How would you apply this to Kudler Fine Foods?

References

Ferraiolo, D. F. & Kuhn, D. R. (n.d.). Role-based access controls. Retrieved from http://arxiv.org/ftp/arxiv/papers/0903/0903.2171.pdf

Gregg, J., Nam, M., Northcutt, S. & Pokladnik, M. (2013). Separation of duties in information technology. Retrieved from http://www.sans.edu/research/security-laboratory/article/it-separation-duties

Guerin, T. & Lord, R. (2003). How role-based access control can provide security and business benefits. Retrieved from http://www.computerworld.com/s/article/86699/How_role_based_access_control_can_provide_security_and_business_benefits

Li, H. & Singhal, M. (2007). Trust management in distributed systems. IEEE.

Comment by marjorie: This is not the entire source. I would like to read the article. IEEE has thousands of publications and proceedings.