Information Risk in Financial Institutions: Field Study and Research Roadmap
Large financial firms with thousands of employees face many challenges ensuring workers have access to the right information, yet controlling access to unneeded data. We examine the problems of role lifecycle management and entitlement review processes in the context of large financial institutions. We describe observations from field study research in both retail and investment banks. We examine technologies to enable role and entitlement management and present a roadmap for future research.
Keywords: Access control, information risk, entitlement provisioning, matrixed organizations, organizational complexity