Protecting your network and financial data and ensuring the integrity of sensitive client information rate high on the priority list of every Human Services agency. In addition, more stringent privacy laws have imposed new levels of confidentiality on institutions that deliver health-related services, and as a result, permissions management has become a critical component of information security and access control. At the same time, Human Services agencies are constantly trying to find the right balance between the need to secure access to financial information to minimize security risk and the need to give staff the access they require to fulfill their responsibilities efficiently and make data-driven decisions. These measures matter even more given the growing popularity of bring-your-own-device (BYOD) policies. Balancing these challenges supports the need for Human Services agencies to create a strategic and well-structured permissions strategy centered on role-based access control (RBAC).
WHAT IS ROLE-BASED ACCESS CONTROL?

For the unfamiliar, role-based access control is a model for scaling access to technology resources. Instead of creating a unique set of permissions for each user, a recurring task that would be a huge drain on an administrator's time, agencies can create permission standards for the role each user occupies in the organization. Users are still granted the access they need to effectively complete their tasks, while administrators don't have to spend time micromanaging how each user interacts with the software. Here's how it works: once all of the employee roles are populated into the database, role-based rules are formulated and workflow engine modules are implemented. Through these elements, role-based privileges can be entered and updated quickly across multiple systems, platforms, applications and geographic locations, right from the HR or IT manager's desktop. By controlling users' access according to their roles and the attributes attached to those roles, the RBAC model provides a company-wide control process for managing IT assets while maintaining the desired level of security.
STEPS TO IMPLEMENT ROLE-BASED PERMISSIONS

Arguably, the biggest obstacle to role-based permissions is the initial complexity involved in setting them up. More than just a "one-size-fits-all" technology tool, RBAC is a complex and strategic process that does require expertise. And, as with most complex projects, RBAC is best implemented by applying a detailed and structured framework that breaks each task down into its component parts. The following steps provide a snapshot of some of these processes:
- Create a master plan. To extract maximum security and business value from RBAC, the master plan should include project design and scope, a realistic timeline, and a set of benchmarks and deliverables against which to measure progress.
- Compile information on systems, hardware and software. This step calls for identification and listing of all servers, databases and applications. Only then can business units and management determine the level of security required for each application and data source, based on the core mission, the level of security and/or confidentiality desired, and the need for regulatory or statutory compliance.
- Define all roles. Compiling a comprehensive list of job functions can best be done in cooperation with the human resources department. Managers and key supervisory staff can then amplify the list with detailed profiles or job descriptions.
- Analyze roles to determine access. The "roles" information must be categorized and analyzed to formulate role-based access rules. An automated workflow strategy should also be planned detailing how roles will be changed or updated, how new users will be registered, and how accounts will be terminated in a timely manner when employees leave the company. Once the plans are approved, the data can be populated into your system.
- Implement education and organizational change. Education and training from the top down are key to rapid acceptance of, and user buy-in to, RBAC. If employees clearly understand how and why RBAC is critical to the organization's information security and appreciate how it can make them more productive, they are more likely to adapt to the system quickly and enthusiastically.
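The model described above (roles carry the permissions, users carry only roles, and a change to a role or a termination propagates to every affected account at once) as a small worked example. This is added illustration, not code from the article or any agency product; the role names, permission strings and user names are constructed for the demo.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role -> set of "resource:action" permissions.
# Roles and permission names are hypothetical, not from any agency's system.
ROLE_PERMISSIONS = {
    "caseworker": {"client_record:read", "client_record:write"},
    "finance_clerk": {"ledger:read", "payment:create"},
    "auditor": {"client_record:read", "ledger:read"},
}


@dataclass
class Rbac:
    role_permissions: dict
    user_roles: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")  # no ad-hoc, per-user roles
        self.user_roles.setdefault(user, set()).add(role)

    def deprovision(self, user: str) -> None:
        # Termination: dropping every role removes all access in one step.
        self.user_roles.pop(user, None)

    def grant_to_role(self, role: str, permission: str) -> None:
        # One change to the role reaches every user who holds it.
        self.role_permissions.setdefault(role, set()).add(permission)

    def revoke_from_role(self, role: str, permission: str) -> None:
        self.role_permissions.get(role, set()).discard(permission)

    def effective_permissions(self, user: str) -> set:
        return set().union(*(self.role_permissions.get(r, set())
                             for r in self.user_roles.get(user, set())))

    def is_allowed(self, user: str, permission: str) -> bool:
        # Deny by default: unknown users or missing permissions are refused,
        # and every decision is logged for later review.
        decision = permission in self.effective_permissions(user)
        self.audit_log.append((user, permission, "ALLOW" if decision else "DENY"))
        return decision


def demo() -> Rbac:
    rbac = Rbac({r: set(p) for r, p in ROLE_PERMISSIONS.items()})
    rbac.assign_role("alice", "caseworker")
    rbac.assign_role("bob", "finance_clerk")
    rbac.grant_to_role("caseworker", "referral:create")  # propagates to alice
    rbac.deprovision("bob")                              # bob leaves the agency
    return rbac
```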