WEEK 5
ASSIGNMENT – ACCESS CONTROL MATRIX DEVELOPMENT
PURPOSE OF ASSIGNMENT
This assignment is the second step in developing your portfolio project. You’ll start by
identifying the access that’s needed for employees throughout CreditWon’s credit card
operation centers. You’ll be developing a matrix that shows Business Roles in the first
column, followed by the privileges for that role.
SCENARIO
CreditWon Inc. is a Visa credit card issuer for college graduates and first-home buyers.
They offer affinity discounts and special deals to their customers related to items and
purchases that college grads typically make and have a lower threshold for granting
credit to applicants. CreditWon has 14,000 employees nation-wide across all roles, as
well as five Operations and Processing Centers.
CreditWon operates the entire process for credit card operations, including:
• Application processing
• Card issuance
• Billing and collections
• Fraud investigations
• Telephone and web service (first line)
• Customer Service (second line for issues that cannot be resolved on first attempt)
• IT (application development, operations, enterprise architecture, office of the CISO,
desk-side support, etc.)
• Human resources
• Accounting and Finance
CreditWon uses an information classification scheme to appropriately handle, manage,
and store business-related information:
Level 1, Public: No need for rigorous protection.
Level 2, Internal: Business information for daily operations, including purchase orders,
billing data, employee basic information, etc.
Level 3, Sensitive: Customer nonpublic information (NPI), including SSNs, credit report
data, sensitive employee data, protected business information, etc.
Level 4, Highly Confidential: Corporate future plans, unpublished financial statements,
trade secrets, etc.
Today, CreditWon uses a variety of mechanisms to control access to computing
services, inherited from a series of acquisitions made over the years. The acquired
functions and processing were brought in but never fully integrated into the back-office
systems, which are based on Microsoft products. Access is granted using Discretionary
Access Controls (DAC) implemented as Access Control Lists (ACLs) on EACH application
that internal users require to perform their duties.
Since CreditWon is a large call center, there is a high volume of turnover and seasonal
hiring corresponding to college graduations around the country. Each time an employee
is hired, leaves, or moves to another position, every ACL that contains their rights must
be updated. This leads to many errors: privileges that should be removed are left in
place, and privileges that are needed are never granted. Account Administrators in the
business units and the Security Team are increasingly strapped for time to maintain the
proper access rights across all systems and users.
Management has decided that a new-and-improved approach is needed for today’s
access needs. CreditWon is also planning for future growth with new SaaS applications
and application migrations to the Cloud that improve the customer experience.
The Security Team has been brought in to perform an analysis of the problems leading
to access control issues and to develop a strategy to begin the modernization efforts.
As part of the Security Team, you are being asked to perform the following in a series of
assignments that lead up to the term's Portfolio Project: a Single Sign-On, Role-Based
Access Control system for Microsoft's Active Directory (AD), which will cover both the
internal applications and the Azure Cloud-based applications that CreditWon develops.
ASSIGNMENT INSTRUCTIONS
In this assignment, you’ll develop a matrix that shows Business Roles in the first
column, followed by the privileges for that role. Look for common rights in the previous
assignment to help determine the roles that require those rights. Try to avoid building
roles that are too coarse (everyone is a member) and roles that are too fine (only one
person is a member). Once you have the matrix close to where you deem it complete,
one last step is to resolve incompatible rights and excessive privileges. Finally, justify
your decision to build on Discretionary Access Controls (role-based, as Active Directory
implements them) rather than Mandatory Access Controls, to convince management that
the effort is on the right track.
Review the matrix to determine whether the rights tied to each role preserve the
principles of Separation of Duties and Least Privilege, including where a single person
holds more than one role. Look in particular for roles in which the right to create a
transaction also permits approving that transaction. For example, in the Accounting
Department, you don't want any role with rights both to approve an invoice for payment
and to issue a request for a check to be sent. Where you find conflicts or incompatible
rights, highlight these problems and document recommendations for management to
resolve them, or create new roles that resolve the conflicts.
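The checks described above can be run mechanically once the matrix is written down. The Python below is an added example, not part of the assignment text or of any CreditWon system: it encodes a small role/privilege matrix, a list of privilege pairs one person must never hold together, and user-to-role assignments, then reports roles that already contain a conflict, users whose combined roles form a conflict even though no single role does, roles that are too coarse or too fine, how many people can reach Level 3 and Level 4 data, and a remediation that moves the approving right into a separate role. Every role name, privilege, head count, user and conflict pair is a constructed assumption chosen to match the scenario (14,000 employees, Level 1-4 classification, invoice approval versus check requests), not real data.

```python
"""Added example (not part of the assignment): checks over a role/privilege
matrix for Separation of Duties (SoD) conflicts, toxic role combinations,
role granularity, and exposure of Level 3/4 data. All names and numbers
below are constructed for illustration and are not CreditWon data."""

# Role -> privileges (the matrix: business role in the first column).
ROLES = {
    "app_processor": {"read_application", "create_application"},
    "app_approver":  {"read_application", "approve_application"},
    "card_issuer":   {"read_application", "issue_card"},
    "ap_clerk":      {"create_invoice", "approve_invoice", "request_check"},
    "ap_manager":    {"approve_invoice"},
    "all_staff":     {"read_intranet"},
    "cfo":           {"read_unpublished_financials"},
}

# Constructed head counts, used for the coarse/fine and exposure checks.
HEADCOUNT = {"app_processor": 900, "app_approver": 120, "card_issuer": 150,
             "ap_clerk": 40, "ap_manager": 6, "all_staff": 14000, "cfo": 1}
TOTAL_EMPLOYEES = 14000

# Classification level (1-4, per the scenario) of the data each privilege touches.
PRIV_LEVEL = {"read_intranet": 1, "create_invoice": 2, "approve_invoice": 2,
              "request_check": 2, "issue_card": 3, "read_application": 3,
              "create_application": 3, "approve_application": 3,
              "read_unpublished_financials": 4}

# Privilege pairs one person must never hold together
# (create vs. approve, approve vs. disburse).
SOD_CONFLICTS = {
    frozenset({"create_application", "approve_application"}),
    frozenset({"create_invoice", "approve_invoice"}),
    frozenset({"approve_invoice", "request_check"}),
}

# User -> roles; a user may hold several roles (constructed).
USER_ROLES = {
    "alice": {"ap_clerk", "all_staff"},
    "bob":   {"ap_manager", "all_staff"},
    "carol": {"app_processor", "app_approver", "all_staff"},
}


def _conflicting_pairs(privs, conflicts):
    """Sorted list of conflict pairs fully contained in a privilege set."""
    return sorted(tuple(sorted(c)) for c in conflicts if c <= privs)


def role_conflicts(roles=ROLES, conflicts=SOD_CONFLICTS):
    """Roles whose own privilege set already spans an SoD conflict."""
    found = {r: _conflicting_pairs(p, conflicts) for r, p in roles.items()}
    return {r: pairs for r, pairs in found.items() if pairs}


def user_conflicts(user_roles=USER_ROLES, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Users whose combined roles span a conflict (a toxic combination),
    even where no single role does."""
    found = {}
    for user, held in user_roles.items():
        effective = set().union(*(roles[r] for r in held))
        pairs = _conflicting_pairs(effective, conflicts)
        if pairs:
            found[user] = pairs
    return found


def granularity_issues(headcount=HEADCOUNT, total=TOTAL_EMPLOYEES):
    """Roles that are too coarse (everyone is a member) or too fine (one member)."""
    return {"too_coarse": sorted(r for r, n in headcount.items() if n >= total),
            "too_fine": sorted(r for r, n in headcount.items() if n <= 1)}


def exposure(min_level=3, roles=ROLES, headcount=HEADCOUNT, levels=PRIV_LEVEL):
    """People who can exercise each privilege at or above min_level;
    a least-privilege review starts with the largest numbers."""
    out = {}
    for role, privs in roles.items():
        for p in privs:
            if levels[p] >= min_level:
                out[p] = out.get(p, 0) + headcount[role]
    return out


def move_privilege(roles, role, priv, target):
    """Remediation: take priv away from role and give it to target (a new or
    existing role). Returns a new matrix; the caller re-runs the checks."""
    new = {r: set(p) for r, p in roles.items()}
    new[role].discard(priv)
    new.setdefault(target, set()).add(priv)
    return new


if __name__ == "__main__":
    print("role conflicts:", role_conflicts())
    print("user conflicts:", user_conflicts())
    print("granularity:", granularity_issues())
    print("L3/L4 exposure:", exposure())
    fixed = move_privilege(ROLES, "ap_clerk", "approve_invoice", "ap_manager")
    print("after fix:", role_conflicts(fixed))
```

On the constructed data the run flags ap_clerk (creates, approves and requests payment of the same invoice), carol (no single role conflicts, but app_processor plus app_approver together do), all_staff as too coarse and cfo as too fine, and shows that moving approve_invoice out of ap_clerk into the existing ap_manager role clears the role-level conflict. The user-level check is the one most often skipped in a matrix review: the matrix can be clean while a person who holds two roles still ends up with create-and-approve.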
FORMATTING AND STYLE REQUIREMENTS
• Submissions should be between 500 words and 800 words in length.
• Refer to the UCOL Format and Style Requirements on the Course Homepage, and be
sure to properly cite your sources using Turabian Author-Date style citations.