Application access rights / user authorisation rights

Are there any generic best practice considerations when setting application users' "access rights"/"authorisation rights" for applications that process personal/sensitive data, let's say a payroll/HR application?

Basically from a data protection / fraud perspective more than anything: some apps I have seen have powerful report features where you can run off a big dump of data out of the app to an Excel spreadsheet, then there are issues like what users need access to for their job, what users can do with the data, etc.

I just want some general best practice to ensure I have considered everything.
pma111 asked:
LHT_ST commented:
Most of this is common sense. You should have an IT access policy in place which staff need to agree to when employed, stating that they will only access/use systems or information relevant to their job role. If they then access something they shouldn't, you have grounds for disciplinary action.

Likewise, systems should not be easily accessible, and facilities should be in place (e.g. passwords, screensavers, etc.) to prevent access by those who should not be accessing them.

Generally, policies should be in place and staff should be made aware of them.
vinaypatki commented:
Yes, there are guidelines available.

For software
http://technet.microsoft.com/en-us/library/cc778399%28WS.10%29.aspx

For physical access security
http://www.hidglobal.com/documents/Access_Control_Industry_Best_Practices_wp_en.pdf

Role based authorization
http://www.visual-guard.com/EN/user-management-authentication-iam-rbac-access-control-security/dotnet-security-article-ressources/role-based-access-control.php


Alternatively, Google "access control best practice" and you will have great resources for your need.

I hope this is helpful.
pma111 (author) commented:
LHT_ST:

>>You should have an IT access policy in place which staff need to agree to when employed stating that they will only access/use systems or information relevant to their job role. If they then access something they shouldn't you have grounds for disciplinary action.

I see what you are saying, but in an era of data theft I don't think them signing a policy is going to do much when it turns out they can run a report and dump 20'000 records from a system to do whatever with. It was more the technical config of access rights IN an application for authenticated users.
LHT_ST commented:
Hi,

You are correct, but then really if someone wants to do something serious they will still do it. I just basically meant the policy was there to cover your backside, so if someone does do something the emphasis is on them, not you.

LHTST
pma111 (author) commented:
I was just wondering if there are some best practice technical countermeasures to prevent this type of stuff for applications that house/process sensitive data. Principle of least privilege they call it, but to see examples of controls based on that would help me no end.
vinaypatki commented:
PMA11,
We can cover all loopholes and system stability factors, but we can't control humans. The best measure is least privilege, as you said. Giving no privileges at all makes it most secure, but then business can't be done. So it's a balance. Just like the example of a ship: it is safe in harbour, but it's not designed to be there.

Getting an NDA (non-disclosure agreement) is one way to tackle some of the brains that intend to break the system. If the data is ULTRA sensitive, then multilayer monitoring (teams of different geographies and/or ethnicity) should be installed.

At the end: You won't get any single document which covers all aspects of security. You can consult with third party security consultant for this purpose.
OR you can follow BS7799, a standard for information security management. BS7799 Part 2 is generally followed during the implementation phase. This should serve your purpose.
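Added example, not code from the thread or from any product the answers link to: a minimal least-privilege authorisation layer for a payroll-style application, showing the kind of technical controls pma111 asked for. It separates "view one record" from "export many", checks record ownership or department per role, masks bank details for roles that do not need them, puts a hard row limit on bulk report export (the "dump 20'000 records" case), and writes every allowed or denied action to an audit trail. All roles, permission names, field names, records and the export limit are constructed assumptions for illustration.

```python
"""Least-privilege authorisation model for a payroll/HR style application.

Example code written for this thread; roles, permissions, fields, records and
limits are constructed, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Granular permissions: viewing a single record is not the same as exporting
# the whole table, and seeing a salary is not the same as seeing bank details.
PERM_VIEW_OWN = "payroll:view_own"
PERM_VIEW_DEPT = "payroll:view_department"
PERM_VIEW_BANK = "payroll:view_bank_details"
PERM_EXPORT = "payroll:export"

# Role to permission mapping (assumed roles). Each role gets only what its job needs.
ROLE_PERMISSIONS = {
    "employee": {PERM_VIEW_OWN},
    "line_manager": {PERM_VIEW_OWN, PERM_VIEW_DEPT},
    "payroll_clerk": {PERM_VIEW_OWN, PERM_VIEW_DEPT, PERM_VIEW_BANK},
    "payroll_admin": {PERM_VIEW_OWN, PERM_VIEW_DEPT, PERM_VIEW_BANK, PERM_EXPORT},
}

BANK_FIELDS = {"bank_account", "sort_code"}   # masked unless PERM_VIEW_BANK
EXPORT_ROW_LIMIT = 500                        # assumed cap for self-service exports


class AuthzError(PermissionError):
    """Raised when a user attempts an action outside their role."""


@dataclass(frozen=True)
class User:
    username: str
    role: str
    department: str


# In-memory audit trail; a real deployment would ship this to a protected log.
AUDIT_LOG: list = []


def _audit(user: User, action: str, outcome: str, detail: str = "") -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.username, "role": user.role,
        "action": action, "outcome": outcome, "detail": detail,
    })


def has_permission(user: User, perm: str) -> bool:
    return perm in ROLE_PERMISSIONS.get(user.role, set())


def mask_record(user: User, record: dict) -> dict:
    """Copy of a record with bank details redacted unless the role may see them."""
    if has_permission(user, PERM_VIEW_BANK):
        return dict(record)
    return {k: ("***" if k in BANK_FIELDS else v) for k, v in record.items()}


def can_view(user: User, record: dict) -> bool:
    """Row-level rule: own record, or same department with the department permission."""
    if record["employee"] == user.username and has_permission(user, PERM_VIEW_OWN):
        return True
    return record["department"] == user.department and has_permission(user, PERM_VIEW_DEPT)


def view_record(user: User, record: dict) -> dict:
    if not can_view(user, record):
        _audit(user, "view", "denied", record["employee"])
        raise AuthzError(f"{user.username} may not view {record['employee']}")
    _audit(user, "view", "allowed", record["employee"])
    return mask_record(user, record)


def export_records(user: User, records: list) -> list:
    """Bulk export: its own permission, a hard row limit, masking and an audit entry."""
    if not has_permission(user, PERM_EXPORT):
        _audit(user, "export", "denied", "no export permission")
        raise AuthzError(f"{user.username} may not export")
    if len(records) > EXPORT_ROW_LIMIT:
        _audit(user, "export", "denied", f"{len(records)} rows exceeds limit")
        raise AuthzError("export exceeds row limit; request a reviewed extract")
    _audit(user, "export", "allowed", f"{len(records)} rows")
    return [mask_record(user, r) for r in records]


def is_denied(fn, *args) -> bool:
    """True if calling fn(*args) is refused by the authorisation layer."""
    try:
        fn(*args)
        return False
    except AuthzError:
        return True


# Constructed sample data.
RECORDS = [
    {"employee": "asmith", "department": "finance", "salary": 41000,
     "bank_account": "12345678", "sort_code": "40-00-00"},
    {"employee": "bjones", "department": "finance", "salary": 38000,
     "bank_account": "87654321", "sort_code": "40-00-01"},
    {"employee": "clee", "department": "sales", "salary": 45000,
     "bank_account": "11112222", "sort_code": "40-00-02"},
]

if __name__ == "__main__":
    staff = User("asmith", "employee", "finance")
    admin = User("eroot", "payroll_admin", "finance")
    print(view_record(staff, RECORDS[0]))          # own record, bank fields masked
    print(is_denied(view_record, staff, RECORDS[1]))  # True: not own record
    print(len(export_records(admin, RECORDS)))     # 3 rows, within limit
    for entry in AUDIT_LOG:
        print(entry)
```

The design point is that "can log in" is not a permission: each role holds a named set of capabilities, bulk export is a separate capability with a ceiling, and every decision is logged so that a data dump leaves evidence rather than relying on a signed policy alone.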