
Employee Data Access: 2 Scenarios that Compromise Security - Interactive Services

Written by E&C Expert | May 26, 2017 4:00:00 AM

Companies are continually challenged to grant appropriate data and system access, not just to new employees but to current ones as well. Hiring managers understandably want their people to have access from day one so they can get up and running as quickly as possible. In many cases a manager models the access requested for a new employee on the permissions already granted to a current employee, but cloning access this way has some unexpected pitfalls. Here are two common scenarios that are often overlooked when it comes to ensuring data privacy and protection within an organization.


Scenario 1 – Employee Transfers

Over the course of many years, employees often transfer from one department to another and/or assume different roles within an organization. When a manager receives a newly transferred employee, they often have no idea what data permissions the employee held in their previous role. The manager simply asks the IT department to grant access to the additional systems the new role needs, and IT fulfills that specific request; nobody asks what should be taken away. Over time, one employee can accumulate access to a great deal of information they no longer have any business need to see.


Scenario 2 – A New Employee

Remember the manager and the transferred employee from Scenario 1? Let's say this same manager also hires someone from outside the organization into the same position as the recently transferred employee. For the new hire, the manager sends the IT department another request: give the new employee the same access to data and information systems as the recently transferred employee. Now the new employee holds, on their first day, every permission the transferred employee accumulated over 25-plus years with the company, and no one has ever reviewed whether that access is appropriate for the position.


Solution: Role-Based Access Control (RBAC)

The cure for the problems that come from assigning access to individuals is to assign access to roles within the organization. Each role is defined by the systems and data its holders need, people get access by being assigned a role, and a transfer means swapping the old role for the new one rather than piling new permissions on top of old ones. Cloning one employee's access for another is no longer necessary, because two people in the same role simply hold the same role. RBAC is not a one-and-done process either. Even after an IT department begins to assign permissions by role, the plan needs maintenance as new roles are created and existing roles, along with the data access they require, change over time, and periodic access reviews are needed to catch permissions that were granted outside the role model. Fortunately, once key players see the wisdom of creating and implementing an RBAC plan, it frees them up to focus on the task at hand, which is operating and growing their business, rather than trying to track down data leaks.
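As an added illustration (not code from the original article), the following Python model contrasts the per-person provisioning that the two scenarios describe with role-based provisioning, and includes the kind of access review that catches permissions held outside the role model. The role catalogue, system names and employees are constructed for the example and do not come from the page.

```python
"""Per-person provisioning versus role-based access control (RBAC).

Added example, not code from the original article. The role catalogue,
system names and employees below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed role catalogue: each role maps to the permissions it needs.
# Permission strings are "system:action".
ROLE_PERMISSIONS = {
    "payroll_clerk":   {"hr_db:read", "payroll:read", "payroll:write"},
    "finance_analyst": {"ledger:read", "ledger:write"},
    "sales_manager":   {"crm:read", "crm:write", "pricing:write", "commissions:read"},
}


@dataclass
class Employee:
    name: str
    job: str                                       # HR's record of the current position
    permissions: set = field(default_factory=set)  # what IT has actually provisioned


# --- Per-person provisioning, as in Scenarios 1 and 2 ---------------------

def hire(name, job):
    """A new hire gets what the job needs; both models start the same way."""
    return Employee(name, job, set(ROLE_PERMISSIONS[job]))


def transfer_additive(emp, new_job):
    """Scenario 1: the manager asks IT for the extra systems the new job needs.
    Nothing is revoked, so the old permissions stay behind."""
    emp.job = new_job
    emp.permissions |= ROLE_PERMISSIONS[new_job]
    return emp


def hire_by_cloning(name, template):
    """Scenario 2: 'give the new hire the same access as <template>'.
    Copies the template's accumulated excess along with everything else."""
    return Employee(name, template.job, set(template.permissions))


# --- Role-based provisioning ---------------------------------------------

def transfer_rbac(emp, new_job):
    """Access is derived from the role, so a transfer replaces the old
    permission set rather than extending it."""
    emp.job = new_job
    emp.permissions = set(ROLE_PERMISSIONS[new_job])
    return emp


def access_review(emp):
    """Periodic review: permissions held beyond what the current role grants.
    Under RBAC this should be empty; anything here is a finding to revoke."""
    return emp.permissions - ROLE_PERMISSIONS[emp.job]


def demo():
    """Run both models over the same 'career' and return what a review would see."""
    # Per-person model: alice moves through three jobs, then bob is cloned from her.
    alice = hire("alice", "payroll_clerk")
    transfer_additive(alice, "finance_analyst")
    transfer_additive(alice, "sales_manager")
    bob = hire_by_cloning("bob", alice)

    # RBAC model: carol follows the same path; dave is hired into the role directly.
    carol = hire("carol", "payroll_clerk")
    transfer_rbac(carol, "finance_analyst")
    transfer_rbac(carol, "sales_manager")
    dave = hire("dave", "sales_manager")

    return {
        "bob_can_write_payroll": "payroll:write" in bob.permissions,
        "dave_can_write_payroll": "payroll:write" in dave.permissions,
        "alice_excess": sorted(access_review(alice)),
        "bob_excess": sorted(access_review(bob)),
        "carol_excess": sorted(access_review(carol)),
        "dave_excess": sorted(access_review(dave)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The review function is the operational piece: run it against every account on a schedule, and anything it returns is either a missing role definition or a permission that should be revoked. In the per-person model the sales manager who started in payroll can still write payroll records, and so can the person cloned from her; in the role-based model both accounts hold exactly what the sales manager role grants.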

Want to know more about protecting the data within your organization?  Contact us today to learn about data privacy training.