Solved

Application access rights / user authorisation rights

Posted on 2011-03-23
6
536 Views
Last Modified: 2012-05-11
Is there any generic best practice considerations when setting application users “access rights”/”authorisation rights” for applications that process personal/sensitive data, lets say a payroll/HR application?

Basically from a data protection / fraud perspective more than anything, some apps I have seen have powerful report features where you can run off a big dump of data out the app to excel spreadsheet, then there’s issues like what users need access to for their job, what users can do with the data etc.

I just want some general best practice to ensure I have considered everything.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 6

Accepted Solution

by:
LHT_ST earned 100 total points
ID: 35197281
most of this is common sense. You should have an IT access policy in place which staff need to agree to when employed stating that they will only access/use systems or information relevant to their job role. if they then access something they shouldnt you have grounds for disciplinary action.

likewise systems should not be easily accessable and facilities should be in place to prevent access eg Passwords, screensavers etc, to those who should not be accessing it.

generally policys should be in place and staff should be made aware of them.
0
 
LVL 4

Assisted Solution

by:vinaypatki
vinaypatki earned 100 total points
ID: 35197322
Yes, there are guidelines available.

For softwares
http://technet.microsoft.com/en-us/library/cc778399%28WS.10%29.aspx

For physical access security
http://www.hidglobal.com/documents/Access_Control_Industry_Best_Practices_wp_en.pdf

Role based authorization
http://www.visual-guard.com/EN/user-management-authentication-iam-rbac-access-control-security/dotnet-security-article-ressources/role-based-access-control.php


Alternatively, Google "access control best practice" and you will have great resources for your need.

I hope this is helpful.
0
 
LVL 3

Author Comment

by:pma111
ID: 35197455
LHT_SIT:

>>You should have an IT access policy in place which staff need to agree to when employed stating that they will only access/use systems or information relevant to their job role. if they then access something they shouldnt you have grounds for disciplinary action.

I see what you are saying but in an era of data theft I dont think them signing a policy is going to do much when it turns out they can run a report and dump 20'000 records from a system to do whatever with. It was more technical config of access rights IN an application for authenticated users
0
WordPress Tutorial 2: Terminology

An important part of learning any new piece of software is understanding the terminology it uses. Thankfully WordPress uses fairly simple names for everything that make it easy to start using the software.

 
LVL 6

Expert Comment

by:LHT_ST
ID: 35197483
Hi,

you are correct but then really if someone wants to do something serious they will still do it. i just basically meant the policy was there to cover your backside so if someone does do something the emphasis is on them not you.

LHTST
0
 
LVL 3

Author Comment

by:pma111
ID: 35197494
I was just wondering if there is some best practice technical countermeasures to pervent this type of stuff for applications that house/process sensitive data. principles of least privelege they call it, but to see examples of controls based on that would help me no end
0
 
LVL 4

Expert Comment

by:vinaypatki
ID: 35204480
PMA11,
We can cover all loopholes, system stability factors, but we can't control humans. Best measure is least privileges, as you said. Giving no privileges at all makes it most secure but then business can't be done. So its a balance. Just like an example of a ship. It is safe at harbor but its not designed to be there.

Getting NDA (non disclosure agreement) is one way to tackle some of the brains those intend to break the system. If the data is ULTRA sensitive, then multilayer monitoring (teams of different geographies and/or ethnicity) should be installed.

At the end: You won't get any single document which covers all aspects of security. You can consult with third party security consultant for this purpose.
OR you can follow BS7799, a standard for information security management. BS7799 Part 2 is generally following during implementation phase. This should server your purpose.
0

Featured Post

MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
Any person in technology especially those working for big companies should at least know about the basics of web accessibility. Believe it or not there are even laws in place that require businesses to provide such means for the disabled and aging p…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question