In this piece, we'll discuss the importance of managing employee access to data as a matter of security policy.
My research into this subject shows that data access policy ideally involves not only full-time employees, but should also cover part-timers, temp workers, contractors, customers, partners or anyone else who might occasionally have a legitimate need to access an organization's data. It's also interesting to find two basic forms of access policy:
- What's often called an "Employee Access to Organizational Data" document also addresses policy for part-timers, temps and so forth. Here we're talking about describing what qualifies as sensitive data, who has the need to know such information and the kinds of access that will be permitted.
- An "Employee Internet Access Policy" or an "Acceptable Use Policy" deals with the kinds of public information that employees may legitimately access, use and discuss on the job. It also addresses other sorts of information, graphics and so forth from which they should steer clear.
Between the two forms of policy we find a set of rules governing who may access what and a lot of information about what's appropriate in the workplace (and by exclusion, extension or specific mention, what's not).
Most security experts agree that managing access controls to organizational data requires going through at least three detailed and important exercises:
- Identifying various types of and repositories
- for sensitive data
- Assessing the risks involved should such data be lost, stolen or disclosed to unauthorized third parties
- Describing job roles that relate to each type of sensitive data and what kinds of access is required for each job role
In general, these exercises boil down to taking stock of your organization's data, who accesses it and for what purposes. Because entire sections of security texts and courses are devoted to data classification, risk assessment and job role analysis that lead to role-based access control schemes, forgive me for glossing over a serious and involved subject in fairly short order. Any good infosec certification will give these subjects their due, as will any good infosec fundamentals textbook.
Internet access or acceptable use policies are usually designed to prevent encounters with questionable or potentially offensive documents, graphics and so forth, in the workplace. The idea is to draw boundaries on the limits of what users may view or read while in the workplace, so as to prevent possible perceptions of or accusations regarding creation of a hostile or negative work environment. Most companies deploy firewall filters that block known sources of questionable content and use policy to warn users in advance to stay away from other examples of such information that might escape filters.
As always, the key to successful policy implementation is education. It's absolutely essential to not just capture access control and acceptable access rules in policy documents and employee handbook materials, but to make sure users understand their content and intent. To that end, many companies require employees to sign a legal acknowledgement that they have read and understood such materials, and agree to be legally bound by them. Consequences for failures to adhere to such policies should also be clearly spelled out and explained to employees and others who must abide by these rules.
Please feel free to e-mail me with feedback, comments or questions at firstname.lastname@example.org.
About the author
Ed Tittel is VP of Content Services at iLearning, a CapStar company, based in Austin, Texas. As creator and series editor for Exam Cram 2, Ed's worked on numerous titles on Microsoft, Novell, CompTIA and security certifications, including Security+, CISSP and TICSA.
This was first published in October 2003