Securing company information begins with an identity management process.
Worms, viruses and Trojan horses make the headlines. But the vast majority (over 80% according to industry experts) of security breaches come from inside the organization, in the form of data theft, sabotage and fraud. Securing against these internal threats starts with making sure that your users get access to only the information they are authorized to see. But the world’s best locks can’t help you if you don’t know who has the keys.
Consider the following scenarios:
An employee is terminated and his desktop and network logins are disabled. But when he goes home, he logs on to the company intranet.
Another employee transfers from one division to another. But she continues to access the first division’s accounting systems.
An employee gives a subordinate her password in order to use a contact-management application. The subordinate then uses this password to access a network drive.
Technology can help address these scenarios, but there is no technological silver bullet for identity management issues. For example, single sign-on authentication would address the first two scenarios by providing a single means of access to all systems and allowing all access to be revoked in one shot. But single sign-on actually contributes to the last scenario by giving the subordinate more access than was intended.
HR can play a central role in the identity management process. It’s not good enough to have secure passwords or smart cards if systems across the company don’t recognize employee status changes. HR is in the best position to communicate these changes across the organization. HR also has experience with securing sensitive information about employees and can be a partner in developing and administering a strong information security policy.