Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Application access rights / user authorisation rights

Posted on 2011-03-23
6
Medium Priority
?
537 Views
Last Modified: 2012-05-11
Is there any generic best practice considerations when setting application users “access rights”/”authorisation rights” for applications that process personal/sensitive data, lets say a payroll/HR application?

Basically from a data protection / fraud perspective more than anything, some apps I have seen have powerful report features where you can run off a big dump of data out the app to excel spreadsheet, then there’s issues like what users need access to for their job, what users can do with the data etc.

I just want some general best practice to ensure I have considered everything.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 6

Accepted Solution

by:
LHT_ST earned 400 total points
ID: 35197281
most of this is common sense. You should have an IT access policy in place which staff need to agree to when employed stating that they will only access/use systems or information relevant to their job role. if they then access something they shouldnt you have grounds for disciplinary action.

likewise systems should not be easily accessable and facilities should be in place to prevent access eg Passwords, screensavers etc, to those who should not be accessing it.

generally policys should be in place and staff should be made aware of them.
0
 
LVL 4

Assisted Solution

by:vinaypatki
vinaypatki earned 400 total points
ID: 35197322
Yes, there are guidelines available.

For softwares
http://technet.microsoft.com/en-us/library/cc778399%28WS.10%29.aspx

For physical access security
http://www.hidglobal.com/documents/Access_Control_Industry_Best_Practices_wp_en.pdf

Role based authorization
http://www.visual-guard.com/EN/user-management-authentication-iam-rbac-access-control-security/dotnet-security-article-ressources/role-based-access-control.php


Alternatively, Google "access control best practice" and you will have great resources for your need.

I hope this is helpful.
0
 
LVL 3

Author Comment

by:pma111
ID: 35197455
LHT_SIT:

>>You should have an IT access policy in place which staff need to agree to when employed stating that they will only access/use systems or information relevant to their job role. if they then access something they shouldnt you have grounds for disciplinary action.

I see what you are saying but in an era of data theft I dont think them signing a policy is going to do much when it turns out they can run a report and dump 20'000 records from a system to do whatever with. It was more technical config of access rights IN an application for authenticated users
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 
LVL 6

Expert Comment

by:LHT_ST
ID: 35197483
Hi,

you are correct but then really if someone wants to do something serious they will still do it. i just basically meant the policy was there to cover your backside so if someone does do something the emphasis is on them not you.

LHTST
0
 
LVL 3

Author Comment

by:pma111
ID: 35197494
I was just wondering if there is some best practice technical countermeasures to pervent this type of stuff for applications that house/process sensitive data. principles of least privelege they call it, but to see examples of controls based on that would help me no end
0
 
LVL 4

Expert Comment

by:vinaypatki
ID: 35204480
PMA11,
We can cover all loopholes, system stability factors, but we can't control humans. Best measure is least privileges, as you said. Giving no privileges at all makes it most secure but then business can't be done. So its a balance. Just like an example of a ship. It is safe at harbor but its not designed to be there.

Getting NDA (non disclosure agreement) is one way to tackle some of the brains those intend to break the system. If the data is ULTRA sensitive, then multilayer monitoring (teams of different geographies and/or ethnicity) should be installed.

At the end: You won't get any single document which covers all aspects of security. You can consult with third party security consultant for this purpose.
OR you can follow BS7799, a standard for information security management. BS7799 Part 2 is generally following during implementation phase. This should server your purpose.
0

Featured Post

Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New style of hardware planning for Microsoft Exchange server.
This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
The viewer will get a basic understanding of what section 508 compliance can entail, learn about skip navigation links, alt text, transcripts, and font size controls.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question