Access rights as a part of information security in enterprises

Abstract

This paper highlights the problem with access rights as a part of information security in enterprises with many information systems and their human users. In many organisations, users often write down their user names and passwords, thus enabling outsiders to enter information systems without proper authorisation. Furthermore, access rights commonly remain active after their possessors have left the organisation or after roles in the organisation have changed. In addition, there are instances in enterprises where access rights are managed with severe deficiencies. In this study we discuss a case where this issue was found out to be in a critical state when the organisation planned to extend and specialise its business abroad. Literature exposed several approaches and concepts to be concerned with. In our paper, we introduce how we approached the problem with a pragmatic contextual view. Based on prior research we explored access rights perceived in the enterprise with the help of a pre-study in the mode of a semi-structured questionnaire. The design science based framework described by Hevner et al. (2004) provided us with a solution that satisfied the enterprise in its information security efforts. Instead of describing the artifact, we highlighted the usability of the framework in real life and explained how we applied it in our research project.