e-businessguide - Who should be authorised to access data?

Employees at various levels throughout an organisation will require access to different types of information and data. This sometimes applies to contractors working within your business.

Authorisation refers to the granting of access rights to data, software and communications, based on the allocation of tasks to the users to allow them to perform their job.

For example, all employees may need to access word processing software, but are only granted rights to directories containing files that are directly relevant to them. The same applies to spreadsheet software. All users may need access to the software but only certain people can have access to the company's financial records created using that software. In this case, access to the software is unrestricted, but access to files containing data is provided on a restricted basis.

What to do

Access to sensitive or confidential data (personnel files, financial records, customer details, sales figures, planning documents) should be on a need-to-know basis only.
All users must have individual accounts (an account is simply all the access rights a user is entitled to) and never allow accounts to be shared.
Job roles must be clearly defined and user accounts set-up to support these roles.
All users must have documented acknowledgement of their rights and responsibilities related to access authorisations. This should include the company policy on "acceptable use" of systems, including hardware and software, communications including email and Internet, and the use of peripheral equipment such as printers and scanners.
As employees' roles change, their access privileges may need to change, so authorisations should be reviewed regularly and modified to ensue appropriateness.
Access control procedures must be documented, implemented and reviewed periodically.

As additional functions, features and capabilities are added to your company website, overall security should be adequately controlled. User access policies and procedures should be developed and implemented to ensure that an appropriate level of access is allowed.

For example, you may wish certain suppliers to have access to your system to share data such as inventory records or automatic ordering and re-stocking processes. You should ensure that the appropriate security controls are in place to prevent unauthorised use of this access point that would allow people to access other parts of your network where there is confidential and sensitive information.

Next topic in this section >