IT Data Access Policy

By koconnor
Does anyone have a policy statement for IT staff that tells IT staff how it can and cannot access data it is entrusted with? IT staff many times has access to everything, but shouldn't actually access most data unless there is a legitimate business reason. We are considering having a policy with sign off.

some ideas

by wordworker In reply to IT Data Access Policy

Sounds like you need a few policies to get started.

The topmost policy is "all [company] information is [company] property and may not be changed, removed, distributed, or even viewed by any unauthorized person." That lays down the blanket statement that just because you *can* get to some data, that doesn't give you the right to view it, e-mail it, copy it, change it, or destroy it.

Separation of duties based on "need to know." That is, no network account should have access to anything that they don't *need* to have access to. Developers should never be allowed to change anything in production (test and QA environments only). If you use group policies, you can restrict who gets access to say, the SAP applications, by limiting the list of user accounts that can get in.

Disallow logins with service accounts. Some sysadmins sneak in with service accounts so their activity can't be tracked to their user ID.

Data classification policy. Information owners assign a classification for various types of data, such as confidential, sensitive, or public. You can lay down related rules or standards like, "Company confidential information must be encrypted before it is sent out of the building," or even "Faxes containing sensitive or confidential information must have a cover sheet with the appropriate legal warning about 'information contained in this transmission.'"

Hope this helps!


forget it

by Kass In reply to some ideas

Disallow logins with service accounts?

by BFilmFan In reply to some ideas

Service accounts need to login to do backups and other functions, depending on the application and OS. You want to rethink that policy...


Clarification: those authorized by I/T

by wordworker In reply to Disallow logins with serv ...

You're right that you must allow some service accounts to run, but only those certified by the I/T department or the server team, whoever owns the network OS.


Access Policy (& Service Accounts)

by James Speed In reply to Disallow logins with serv ...

I TOTALLY agree about not disabling service accounts. The results could be disastrous. If you have a large enterprise, disabling a service account could come back and bite you in the butt so bad you would have a scar. Sometimes these might only run at certain times or dates. A month later, next thing you know some critical system isn't working, and it takes you hours to figure out what's wrong.

Depending on the size of your organization, you can have an access policy that relates to job function (Role Based Access) and, as the other post said, "Need to Know". In the Military I possessed a Top Secret clearance; that didn't mean I could eyeball all the spook stuff with impunity. I had to have a valid NEED TO KNOW to access high level stuff and sign a form that I viewed the information, and WHY I viewed it.

Starting off, select the people that need the access and determine if they are indeed trustworthy. Hold everyone with high level access accountable, with each other. Sooner or later, if someone is pulling shenanigans a teammate will observe it. If you feel you can't trust someone whose job requires "God" level access, either move them to another position or terminate them. If you can't trust them, something is drastically wrong.

Dropping down levels you can start limiting access to other individuals determined by their need. Basically you need to use a "Role Based" access policy from the top down.

Word of caution: if you are taking access away from people who might have it now, do it SLOWLY and methodically. Don't just whack everybody at once and totally take it all away. You will **** off more people than you can imagine and create a very hostile culture. It may be impossible to recover your service scores if that were to happen. Little by little take stuff away; they may (WILL) grumble, but when you're done they have resigned themselves to the fact they can't go EVERYWHERE and ANYWHERE like they used to.

Jim Speed
Network Administrator
Laurens County Healthcare Systems
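The "need to know" and role-based ideas in the posts above (separate roles per job function, no interactive use of service accounts, and a recorded reason for every access, as in the signed form Jim describes) can be enforced in an application in a few dozen lines. The following is an added example written for this thread, not code from any poster or product; the users, roles, record names and classifications are constructed for the demonstration.

```python
"""Added example: a need-to-know access check with an audit trail.

Users, roles, records and classifications below are constructed for the demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role -> set of (data classification, action) pairs the role may perform.
# Developers only touch test data; sysadmins may back up but not read HR or finance data.
ROLE_PERMISSIONS = {
    "hr_clerk": {("hr", "read"), ("hr", "write")},
    "developer": {("test", "read"), ("test", "write")},
    "sysadmin": {("hr", "backup"), ("finance", "backup"), ("test", "backup")},
}


@dataclass
class AuditEntry:
    when: str
    user: str
    record: str
    action: str
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    roles: dict                                   # user -> set of role names
    classification: dict                          # record id -> classification label
    service_accounts: set = field(default_factory=set)
    audit: list = field(default_factory=list)     # every decision, allowed or not

    def check(self, user, record, action, reason=""):
        """Return True if the access is permitted. Every decision is logged."""
        if user in self.service_accounts:
            allowed = False          # service accounts are never used interactively
        elif not reason.strip():
            allowed = False          # need to know: a justification is mandatory
        else:
            needed = (self.classification.get(record), action)
            allowed = any(needed in ROLE_PERMISSIONS.get(r, set())
                          for r in self.roles.get(user, set()))
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user, record, action, allowed, reason))
        return allowed


def demo():
    """Constructed scenario; returns the decision for each attempted access plus the log."""
    ac = AccessControl(
        roles={"alice": {"hr_clerk"}, "bob": {"developer"}, "carol": {"sysadmin"}},
        classification={"hr/payroll.xlsx": "hr",
                        "prod/orders.db": "production",
                        "test/orders.db": "test"},
        service_accounts={"svc_backup"},
    )
    results = {
        "hr_clerk_reads_hr": ac.check("alice", "hr/payroll.xlsx", "read", "payroll run"),
        "dev_writes_prod": ac.check("bob", "prod/orders.db", "write", "hotfix"),
        "dev_writes_test": ac.check("bob", "test/orders.db", "write", "QA release"),
        "admin_reads_hr": ac.check("carol", "hr/payroll.xlsx", "read", "curious"),
        "admin_backs_up_hr": ac.check("carol", "hr/payroll.xlsx", "backup", "nightly backup"),
        "no_reason_given": ac.check("alice", "hr/payroll.xlsx", "read", ""),
        "service_account_login": ac.check("svc_backup", "hr/payroll.xlsx", "backup", "nightly"),
    }
    return results, ac.audit


if __name__ == "__main__":
    decisions, log = demo()
    for name, ok in decisions.items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY'}")
    for entry in log:
        print(entry)
```

The point of the design is that the sysadmin's "God" level access to the file system does not translate into a right to read payroll data, and that denials are recorded alongside grants, so the log can be reviewed the way a signed access form would be.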


more ideas

by In reply to some ideas

In one of the replies, fasthands mentions that company information cannot be accessed by any unauthorized person.

As an MIS Manager for a small Federal employment and training program in Puerto Rico, I'm responsible for overseeing and protecting all program clients' data files (hardcopy and system files). I only grant access to staff who need to have access to client records and who are authorized to add, modify or delete records.

This is achieved through a "Security Profile" which is nothing more than a document granting access to the appropriate staff. The Security Profile contains a statement notifying the IT staff that access is granted to client records and provides them with a username and a password to access the data (web application).

This username and password are different from the username and password usually used to log in to the network.

I strongly recommend you enforce data security within your organization by using the tools that already come with the many products available today like ORACLE, SQL and others, or through an ADMIN module in the application. This way you will ensure that non-authorized staff could eventually delete a record or a complete database just by mistake or intentionally.


Wagon Jumper

by johnj In reply to some ideas

I hate to be a late wagon jumper, but could I get a copy of that policy as well? Thanks!


Underlying Policy

by phil In reply to IT Data Access Policy

1st. Our IT Policy states that all information, regardless of format or source, is considered company property, i.e. the "Company" can look at anyone's data without any warning or notice.
2nd. No personal information on Company systems is exempt.
3rd. IT Staff are hired partly based on their trustworthiness. Many IT Staffers have access to confidential Company information. They are forbidden to disclose information they have seen to anybody.

So to recap, IT Staffers have access to all info but above that they are forbidden to use, divulge etc. any information they come across.

However, I just noticed that you are a school (by your e-mail). That may change things a little, as your policy may have to be more in line with gov agencies and social work than private corps like us.


Feels more like Juggling than Balancing

by StrangerThanU In reply to Underlying Policy

To me the idea of data security and auditing often feels more like juggling than balancing. The biggest difficulty I have is not in getting our "Company" to make or enforce a policy, but in getting those in the know about mission critical data functions to define security rules clearly. If, and I think it is a big if, you can get the business rules defined, then you've got to measure them against industry security standards to be defensible in liability cases and, for those in health care of any kind, against that most nebulous of beings, HIPAA, or other licensing regulations.


Access to Information

by trsnell In reply to IT Data Access Policy

I think we in IT have the same situation everywhere. Our HR department was the inspiring body this time. They did not want non-HR people looking at their files. This made tech support for them impossible. I drafted up, and they approved, a document to deal with access to confidential information, and all of us in IT have to sign it. A copy for each IT staff member resides with HR. To sum up, if they discuss or disclose it, they're fired, me included. I can send you this document if needed. You can edit it to fit.
