We are awash in a sea of data and still learning to swim. Nonprofits, like corporations, are taking in more information than ever before, and sometimes more than they know how to handle. The risk of a privacy breach is on the minds of many of the nonprofits we speak with, and …
Protecting your network and financial data and ensuring the integrity of sensitive client information rate high on the priority lists of every Human Services agency. In addition, more stringent privacy laws have imposed new levels of confidentiality on institutions that deliver health-related services, and as a result, permissions management has become a critical component in ensuring information security and access control.
At the same time, Human Services agencies are constantly trying to find the right balance between the need to secure access to financial information to minimize security risks and the need to provide access to information so that staff can fulfill their responsibilities efficiently and make data-driven decisions. Such measures are an even larger concern given the growing popularity of bring-your-own-device (BYOD) policies. Balancing these challenges supports the need for Human Services agencies to create a strategic and well-structured permissions strategy centered on role-based access control (RBAC).
WHAT IS ROLE-BASED ACCESS CONTROL?
For the unfamiliar, role-based access control is a model for scaling access to technology resources. Instead of creating a unique set of permissions for each user – a recurring task that would be a huge drain on an administrator’s time – agencies can create permission standards for the role each user occupies in the organization. Users are still granted the access they need to effectively complete their tasks, while administrators don’t have to spend time micromanaging how each user interacts with the software.
Here’s how it works: Once all of the employee roles are populated into the database, role-based rules are formulated and workflow engine modules are implemented. Through these elements, role-based privileges can be entered and updated quickly across multiple systems, platforms, applications and geographic locations — right from the HR or IT manager’s desktop. By controlling users’ access according to their roles and the attributes attached to those roles, the RBAC model provides a company-wide control process for managing IT assets while maintaining the desired level of security.
STEPS TO IMPLEMENT ROLE-BASED PERMISSIONS
Arguably, the biggest obstacle to role-based permissions is the initial complexity involved in setting them up. More than just a “one-size-fits-all” technology tool, RBAC is a complex and strategic process that does require expertise. And, as with most complex projects, RBAC is best implemented by applying a detailed and structured framework that breaks down each task into its component parts. The following steps provide a snapshot of some of these processes:
- Create a master plan. To extract maximum security and business value from RBAC, the master plan should include project design and scope, a realistic timeline, and a set of benchmarks and deliverables against which to measure progress.
- Compile information on systems, hardware and software. This step calls for identification and listing of all servers, databases and applications. Only then can business units and management determine the level of security required for each application and data source, based on the core mission, the level of security and/or confidentiality desired, and the need for regulatory or statutory compliance.
- Define all roles. Compiling a comprehensive list of job functions can best be done in cooperation with the human resources department. Managers and key supervisory staff can then amplify the list with detailed profiles or job descriptions.
- Analyze roles to determine access. The “roles” information must be categorized and analyzed to formulate role-based access rules. An automated workflow strategy should also be planned detailing how roles will be changed or updated, how new users will be registered, and how accounts will be terminated in a timely manner when employees leave the company. Once the plans are approved, the data can be populated into your system.
- Implement education and organizational change. Education and training from the top down are key to the rapid acceptance and user buy-in to RBAC. If employees clearly understand how and why RBAC is critical to the organization’s information security and appreciate how it can make them more productive, they are more likely to adapt to the system quickly and enthusiastically.
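To make the model concrete, here is a small added example (not code from the original article or from any particular ERP or HR product) of the core RBAC mechanics the steps above describe: roles mapped to permissions, users assigned to roles, a separation-of-duties check on conflicting role combinations, timely termination of departing users, and a report for the regular access reviews. The role and permission names are constructed for a hypothetical Human Services agency.

```python
# Constructed role -> permission mapping for a hypothetical Human Services agency.
ROLE_PERMISSIONS = {
    "case_worker": {"client_record:read", "client_record:write"},
    "finance_clerk": {"invoice:read", "invoice:create"},
    "finance_approver": {"invoice:read", "invoice:approve"},
    "it_admin": {"user:manage"},
}

# Separation-of-duties rule: one person must not both create and approve invoices.
SOD_CONFLICTS = {frozenset({"finance_clerk", "finance_approver"})}


class RBAC:
    def __init__(self, role_permissions, sod_conflicts):
        self.role_permissions = role_permissions
        self.sod_conflicts = sod_conflicts
        self.user_roles = {}      # user -> set of roles
        self.audit_log = []       # every change is recorded for later review

    def assign_role(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        roles = self.user_roles.setdefault(user, set())
        for held in roles:        # refuse role combinations that violate SoD
            if frozenset({held, role}) in self.sod_conflicts:
                raise ValueError(f"{role} conflicts with {held} for {user}")
        roles.add(role)
        self.audit_log.append(("assign", user, role))

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)
        self.audit_log.append(("revoke", user, role))

    def terminate_user(self, user):
        # Offboarding: drop every role at once so no access lingers.
        roles = self.user_roles.pop(user, set())
        self.audit_log.append(("terminate", user, sorted(roles)))

    def is_allowed(self, user, permission):
        # Access is derived only from roles, never granted per user.
        return any(permission in self.role_permissions[r]
                   for r in self.user_roles.get(user, ()))

    def permission_report(self):
        # Who can do what: the input for periodic access reviews.
        return {u: sorted(set().union(*(self.role_permissions[r] for r in rs)))
                for u, rs in self.user_roles.items()}


def demo():
    rbac = RBAC(ROLE_PERMISSIONS, SOD_CONFLICTS)
    rbac.assign_role("alice", "case_worker")
    rbac.assign_role("bob", "finance_clerk")
    try:
        rbac.assign_role("bob", "finance_approver")  # SoD violation
        sod_blocked = False
    except ValueError:
        sod_blocked = True
    before = rbac.is_allowed("alice", "client_record:write")
    rbac.terminate_user("alice")                      # alice leaves the agency
    after = rbac.is_allowed("alice", "client_record:write")
    return sod_blocked, before, after
```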
WHY MOVE TO A ROLE-BASED PERMISSIONS MODEL?
Increased data security, low maintenance costs, and increased efficiency are among the key benefits of RBAC as a security strategy for midsize and large organizations. However, RBAC systems also can be designed to maximize operational performance and strategic business value. They can streamline and automate many transactions and business processes and provide users with the resources to perform their jobs better, faster and with greater personal responsibility. With an RBAC system in place, organizations are better positioned to meet their own statutory and regulatory requirements for privacy and confidentiality, which is crucial for human services organizations, as well as requirements imposed by external funders and government agencies. Directors, managers and IT staffers are also better able to monitor how data is being used and accessed, for the purpose of preparing more accurate planning and budget models based on real needs.
RBAC also reduces IT service and administrative costs, as provisioning new hires becomes faster and easier, as does “lockdown” of accounts when employees depart or are terminated.
BUT REMEMBER: ROLE-BASED PERMISSIONS DON’T SOLVE EVERYTHING
You cannot avoid data security issues just by setting the right permissions and authorizations in your ERP system. There are many other causes of fraud or mistakes, such as not having clearly defined business roles, incorrect policies and procedures, poor system security, errors in data conversion, poor maintenance of sensitive data, etc. If you stay alert and perform regular checks on these things, you will reduce the risk of abuse and mistakes significantly.
Today, protecting digital information is a core business function since a company’s information is closely intertwined not only with privacy and confidentiality issues, but also with key business processes that affect the organization’s mission and competitive position. So while RBAC may be more difficult to implement in the short term, over time it can result in long-term savings and ROI.
Whether you’re interested in implementing a new ERP system or just want to refresh your strategy within a legacy system, there’s always an opportunity to evaluate and address the balance between securing and giving access to financial data, and then make appropriate changes.