Job Design: Providing Strategic Decision Support for Risk Analysis and Policy Definition
Casassa Mont, Marco; Baldwin, Adrian; Shiu, Simon; Collins, Paul
Keyword(s): job design, policies, access rights, SoD, decision support, modelling, simulation, security analytics, policy analytics
Abstract: Strategic decision makers need to organize their workforce and define policies on how to allocate roles and rights to individuals allowing them to work effectively for the organization, whilst minimizing security risks. Many organizations have a separation of duty matrix specifying certain toxic combinations of access rights that they generally understand present an extreme risk. These matrices do not always contain some of the less understood or smaller risks. The flip side of the rights allocation problem is the need for an organization to keep systems running under various pressures including reducing headcounts. This tension often leads to a practice of providing skilled individuals with wide access rights to many systems. We describe this tension as the Job Design Problem. That is how to manage the trade-offs between allocating roles allowing for flexibility and the possible security impacts. It is not just a matter of technical "role engineering", access right allocation and Identity & Access Management (IAM) provisioning processes. Decision makers need tools that help them understand how to give guidance and set policies associated with role allocations and mechanisms to enable a debate between various stakeholders within the business, IT and Audit concerning the appropriate level of tradeoff and acceptable risk. In this paper, we aim at making progress in this field by presenting an approach and methodology to provide strategic decision support capabilities for the definition and assessment of policies in the context of Job Design. We focus on a problem provided by an IT department within a large organization, where employees (primarily IT admins and IT support staff) operate on sensitive and critical business systems and services. In this context, security risks are a major concern and need to be fully understood. Depending on the motivations and skills of the workforce, accidental or deliberate misuses of access rights and capabilities might take place and have huge economical and reputational consequences for the organizations. The decision makers (e.g. CIOs, CISOs) need to understand the implications and trade-offs of making job design decisions as wells as investing in additional/complementary controls, such as monitoring/auditing systems, IAM solutions, education or vetting/clearance programs. We describe a decision support solution based on modeling and simulation, to provide this kind of policy-decision support. This is work in progress. We present our current results and next steps.
External Posting Date: March 6, 2010 [Fulltext]. Approved for External Publication
Internal Posting Date: March 6, 2010 [Fulltext]