The focus of this subsection is on access control-based questions, which are explored next.
Question 5.2.4 – Does your business role require you to access the system from outside the organisation?
The purpose of this question was to establish the number of business roles that need external system access, so as to understand the ISDD risk posed by the devices used to access the system in such cases. Figure 6.7 shows the end-users that require external access, and the accompanying explanation follows.
Figure 6.7: Need for external access to the system by employees
Organisation X – End-users were asked about the need to access the system externally according to their business role. Sixty-eight per cent declared that they do not require access at all. However, 26% sometimes require access, and only 5% need access all the time.
Organisation Y – On the same question, respondents in Organisation Y responded differently: 39% sometimes need external access to the system, whereas 33% do not need access. A further 22% need access at all times, while 11% need occasional access.
[Figure 6.7 chart: "Need for External Access by Role"; categories: Not at all, Sometimes, Occasionally, All the time]
Organisation Z – In this organisation, the majority of the respondents (55%) sometimes need external access to the system, while the second-largest group (33%) need access at all times. The smallest group (15%) has no need for access at all.
Question 5.2.6 – Which access channels do you use to access the system when you are outside the organisation?
This question focused on all end-users whose business roles and functions require them to access the system externally. It had to be established which access technology they use and how the system manages access in relation to authentication and isolation according to roles and responsibilities, which constitute ISDD critical success factors. Figure 6.8 depicts the findings.
Figure 6.8: External access channels used by end-users
Organisation X – According to Figure 6.8, half of the respondents (50%) who use the system externally do so through the Internet, whereas 13% use VPN, 4% use RDP, and the second-largest group (21%) use the traditional telephone method.
Organisation Y – In Organisation Y, 53% use the Internet for external access, the second-largest group (26%) use RDP, and 11% each prefer VPN and telephone.
Organisation Z – The responses for Organisation Z were as follows: 58% use the Internet, 35% use the telephone, and 6% use the face-to-face (F2F) channel.
[Figure 6.8 chart: "External Access Channels to System"; categories: Internet, VPN, RDP, Telephone, F2F; axis: Number of Respondents]
Question 5.2.7 – Which access channels do you use to access the system internally?
The purpose of this question was to highlight how end-users access the system internally, including physical restriction of access to information resources, all of which are among the factors on which ISDD is measured. Figure 6.9 shows the outcome graphically, and the interpretation follows.
Figure 6.9: External access channels available to the system
Organisation X – In Organisation X, 17% of the respondents use the Internet to access the system internally, 4% VPN, 17% telephone, 4% face-to-face, and 58% intranet.
Organisation Y – Respondents in Organisation Y responded as follows: 32% use the Internet, RDP and VPN are both at 8%, 20% use the telephone, 8% use the face-to-face channel, and 24% use the intranet.
Organisation Z – Organisation Z presented the following responses: 26% Internet, VPN and RDP at 7% each, 19% telephone, 10% face-to-face channel, and finally 28% intranet.
[Figure 6.9 chart: "Internal Access Channels"; axis: Number of Respondents]
Question 5.2.8 – In accordance with the access channels available, which authentication do you use?
The aim of this question was to investigate the authentication methods available for the given access channels, in order to analyse access control as a basis of ISDD measurement. Figure 6.10 illustrates the outcome, followed by a discussion of authentication.
Figure 6.10: Authentication type used by end-users accessing the system
Figure 6.10 indicates all organisations (X, Y, Z) use the same authentication methods when accessing the system, both internally and externally. Organisation X showed that 94% of the respondents used a password with one other unstated method. Organisations Y and Z had a 100% password use response.
Question 5.2.9 – In your opinion, does the organisation’s system limit your access to what is relevant to your work scope?
The purpose of this question was to ask end-users how they felt about the access restrictions imposed by the system in relation to their business roles and functions.
[Figure 6.10 chart: "Authentication methods"; categories: Password, Biometric, Interactive Voice Recognition, Smart Card, Other; axis: Number of Respondents]
Figure 6.11: Access control according to business roles
Organisation X – From the responses in Figure 6.11, close to half of the respondents are of the opinion that the system does not limit their access according to their work scope, with 32% of them strongly disagreeing and 16% disagreeing. By contrast, 21% think the system limits them according to their work scope, whereas another 21% are not sure. The last group strongly agrees that the system limits them accordingly.
Organisation Y – In Organisation Y, 39% strongly disagree that the system limits them to what is relevant to their work scope. A further 39% disagree, whereas 22% agree.
Organisation Z – In this organisation, 37% of the respondents strongly disagree, 42% disagree, 7% are not sure, and only 15% agree that the system limits them according to the relevance of the resources to their work.
Question 5.2.13 – Which physical access restriction method to information resources do you use in your business function?
The objective here was the physical partitioning of business roles and functions, especially to control physical access to information resources – a quality necessary for ISDD. Figure 6.12 shows the statistical responses, and a discussion follows.
[Figure 6.11 chart: "Access Control"; categories: Strongly Disagree, Disagree, Not Sure, Agree, Strongly Agree; axis: Number of Respondents]
Figure 6.12: Physical access control techniques
Organisation X – Fifty-three per cent of the respondents use access cards to physically access information resources within the organisation. A further 32% use keys, and the minority (16%) operate in open-policy workspaces.
Organisation Y – This organisation has 65% of staff using keys to access information resources, 12% use biometrics, 12% use access cards, and another 12% use other methods not mentioned.
Organisation Z – Keys are the most prominent at 40%, while 36% of the respondents indicate they operate in open-policy offices, and 24% use access cards.