Coping with Access Control Requirements in the Context of Mutual Dependencies between Business and IT

R. Pilipchuk
Proceedings of the Central European Cybersecurity Conference 2018
Published: 2018-11-15
DOI: 10.1145/3277570.3277587 (https://doi.org/10.1145/3277570.3277587)
Citations: 3

Abstract

IT security is ever more important due to rising cybercrime incidents, obligatory security laws and the need for organization-wide security strategies. Consequently, the business level of an organization (service design managers and compliance managers, according to ITIL) has to focus increasingly on: a) compliance with the rising number of laws, b) organization-wide IT security and c) the establishment of security strategies to secure critical business data. Therefore, close cooperation with IT is needed. This paper proposes an approach to close the gap between the business level and IT, with a focus on access control requirements coming from the business level. The approach eases the role engineering process for role-based access control and establishes traceability between business processes and access control requirements as well as enterprise architectures. Furthermore, it increases the compliance between enterprise architectures and access control requirements from business processes, and allows understanding of the mutual dependencies of business processes, access control requirements and enterprise architectures in evolution scenarios.