ACCESS CONTROL


What is Access Control?

Access Control provides methodologies to ensure access to information is controlled in order to preserve confidentiality and integrity of information.

Three models may be followed:

  • Role-based access control – where access to information is based on professional role (e.g. Chief Investigator, Clinical Trial Co-ordinator, Facility Manager, Postdoctoral Researcher, PhD student, etc.)
  • Group-based access control – where access is based on membership in a working group (e.g. a research group; a consortium undertaking a clinical trial)
  • Discretionary access control – where a user with legitimate access to information (e.g. a Data Custodian/Steward who is responsible for stewardship of a particular dataset), can grant access to other users who have no previously established relationship to the information, (e.g. if appropriate access conditions have been met such as approval from a Human Research Ethics Committee).

Parts of an access control service include managing business rules for controlling access; assigning roles to users; associating users to groups; revoking user access privileges, and authorising users.


Under what circumstances is Access Control required?

An access control regime should be used at any time when confidence is required that access to information is only given to specific authorised users.

For shared IT systems (i.e. those that provide for the storage and computation of data that is owned or managed by a number of users on a common infrastructure), access control is a critical process because it enables access to be granted to data items held on the system only to qualified users, groups of qualified users or types of qualified users.


How is Access Control achieved?

There are two common methods:

  1. An ‘Access Control List’ is used which lists the permissions attached to every object (i.e. a file, folder, script, etc.) and specifies which users can be granted access to the object and what they can do with it, i.e.:
  • ‘read’ (view the contents of the object),
  • ‘write’ (make changes to the contents of the object), or
  • ‘execute’ (i.e. run the object (e.g. if it is a script or program).

2. Role-based access control (RBAC) is used to restrict system access to authorised users. In this approach, roles are created for various job functions and the permissions to perform certain operations are assigned to specific roles. System users are assigned particular roles, and through those role assignments acquire the permissions to perform particular functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user’s account

It is a requirement of either to be managed by a systems administrator.


What are the Australian Standards for Access Control?

The Australian Signals Directorate (ASD) provides extensive guidance to Commonwealth entities surrounding standards to safeguard data ranging in different levels of sensitivity, from “unclassified but sensitive or official information not intended for public release” (UD), through “protected” (P), to “Top Secret” (TS). Associated security controls are outlined in the ASD’s Information Security Manual (ISM).

Whilst it is only Australian Government agencies that are required to adopt the ASD controls outlined in the ISM, the controls also provide a useful framework for non-government organisations to consider when protecting data that ranges across various levels of sensitivity. Data of this type includes Personal Health Information that contains identifying aspects which is considered to be both “sensitive”[1] and “protected”[2].

The following ASD controls are issued for agencies in protecting data that are considered “unclassified but sensitive or official information not intended for public release” (UD) or “protected” (P).

Access Controls

ASD Control: 0856; Revision: 3; states that Users’ authorisations must be enforced by access controls.

The ASD suggests that the following process can assist in developing access controls:

  • establish groups of all system resources based on similar security objectives
  • determine the information owner for each group of resources
  • establish groups encompassing all users based on similar functions or security objectives
  • determine the group owner or manager for each group of users
  • determine the degree of access to the resource for each user group
  • decide on the degree of delegation for security administration, based on the internal security policy.

Privileged Access

ASD Control: 0445; Revision: 5; states that agencies must restrict the use of privileged accounts by ensuring that:

  • the use of privileged accounts are controlled and auditable
  • system administrators are assigned a dedicated account to be used solely for the performance of their administration tasks
  • privileged accounts are kept to a minimum
  • privileged accounts are used for administrative work only
  • passphrases for privileged accounts are regularly audited to check they meet passphrase selection requirements
  • passphrases for privileged accounts are regularly audited to check the same passphrase is not being reused over time or for multiple accounts (particularly between privileged and unprivileged accounts)
  • privileges allocated to privileged accounts are regularly reviewed.

[1] The Commonwealth Privacy Act (1988) http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act) defines what is considered personal and sensitive information in Australia. Personal Information means information about an identified individual, or an individual who is reasonably identifiable, and of relevance to med.data, Sensitive Information includes: Information about an individual’s Racial or ethnic origin or Sexual orientation or practices; Health information; Genetic information and Biometric information.
[2] The US HIPPA Privacy Rule (http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html ) defines protected health information” as individually identifiable health information, including identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse. Genetic information is considered to be health information.