System Controls and Security

Skill level: Specialty

Description

One way an organization can protect itself is by implementing practices and policies on acceptable behaviors regarding information and intellectual property.

There are many different tools and approaches, but a key method is to use the system controls and security features built into many software programs. Security can be controlled at many levels, from high-level access to a network or application down to rights on a specific field. Access can range from full access rights, where a user can do anything (read, add, edit, and delete data), to no access at all.

Typically, a system administrator implements these security controls, but business owners or managers provide direction on how the organization will operate.

Benefits

  • Inherent in most applications
  • Easy and inexpensive way to protect an organization’s data
  • Facilitates workflow/separation of duties when properly configured

How to Use

  • Step 1.  Gather information about:
    • What can be done – In other words, what are the application’s available security controls/groups? Talk to your system administrator for details.
    • How the business operates – What are the processes that are followed?
    • Who will be responsible – Who is accountable for each function within the system?
  • Step 2.  Analyze the information gathered to develop a security map or plan based on the requirements.
  • Step 3.  Partner with your system administrator to implement the required system changes/configuration based on these controls.
  • Step 4.  Communicate with system users about their roles and limitations with these new applied controls.
  • Step 5.  Review and revise the system access regularly, scheduling periodic security audits (such as monthly or quarterly). If individuals change roles or, more importantly, leave your organization, ensure their access is modified or revoked immediately.

Relevant Definitions

Not Applicable

Example

System security and controls can be very helpful when collaborating with a project team. A common collaboration tool is Microsoft SharePoint.

In this example, you have a project portal with content areas that include a document repository, discussion board, survey, and calendar. Per your system administrator, these four elements have the following access rights available:

[Table 1: available access rights for each content area (image not reproduced)]

You have determined the following information based on the roles and responsibilities of the team members:

  • Timmy will be responsible for managing all project documents created. He will not be able to submit documents or participate in the discussion boards, but he will be able to read the results.  He will not have access to the surveys, but will be able to add information to the calendar.
  • Susie will be able to submit project documents and will be able to participate in the discussion boards.  She will be responsible for creating and analyzing surveys, and will be able to add information to the calendar.
  • Johnny will not require access to any project documentation but will participate in the discussion boards. No other access is required.

Given this information, working with the system administrator, you would have the following security access rights and controls implemented.

[Table 2: access rights assigned to each team member (image not reproduced)]

Upon implementation, ensure your team members know what their roles are and the functions they can perform.

As a reminder, review and update roles and responsibilities on a regular basis. That way, when Susie changes project teams, you can assign her responsibilities to someone else for continuity and ensure she does not keep access she no longer needs.
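
The periodic review from Step 5, applied to this example as an added illustration that is not part of the original page. The rights in `PLAN` are one reading of the three role descriptions using the read/add/edit/delete rights named above, `ACTUAL` is a constructed export of current grants, and `review_access` is a hypothetical helper name.

```python
# PLAN: intended rights per user and content area (assumed reading of the
# role descriptions; the page's own tables are not reproduced).
PLAN = {
    "Timmy": {"documents": {"read", "edit", "delete"},
              "discussion": {"read"},
              "calendar": {"read", "add"}},
    "Susie": {"documents": {"read", "add"},
              "discussion": {"read", "add"},
              "survey": {"read", "add", "edit", "delete"},
              "calendar": {"read", "add"}},
    "Johnny": {"discussion": {"read", "add"}},
}

# ACTUAL: constructed sample of what the portal currently grants.
# It has drifted from the plan in two places.
ACTUAL = {
    "Timmy": {"documents": {"read", "edit", "delete"},
              "discussion": {"read", "add"},      # extra "add"
              "calendar": {"read", "add"}},
    "Susie": PLAN["Susie"],
    "Johnny": {"discussion": {"read"}},            # missing "add"
}

def review_access(plan, actual, active_users):
    """Return (user, area, action, rights) for every difference found.

    Users not in active_users (moved teams or left) are planned to have
    no rights at all, so everything they still hold is flagged "revoke".
    """
    findings = []
    for user in sorted(set(plan) | set(actual)):
        granted = actual.get(user, {})
        planned = plan.get(user, {}) if user in active_users else {}
        for area in sorted(set(granted) | set(planned)):
            have = granted.get(area, set())
            want = planned.get(area, set())
            if have - want:
                findings.append((user, area, "revoke", sorted(have - want)))
            if want - have:
                findings.append((user, area, "grant", sorted(want - have)))
    return findings

if __name__ == "__main__":
    # Susie has changed project teams, so she is no longer active here.
    for finding in review_access(PLAN, ACTUAL, {"Timmy", "Johnny"}):
        print(finding)
```

Every "revoke" finding for Susie is also a responsibility that needs a new owner before her access is removed.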

 
