An article by a specialist
Improving overall picture and security in a multi-player environment
Security is a positive thing, something we all need in our everyday life. The word “security” gets new perspectives, as the world changes and information society develops, making also threats become diversified. Rossum has developed a Security Portal; one system taking into account modern security challenges, simultaneously looking over the big picture of corporate security.
Insecurity; an unpleasant feeling caused by a multi-player environment
Example #1: Several contractor employees come do installation- and maintenance work for a long period of time, from months to even years. During this period, employees come and go, their data may expire without anybody noticing. Who is able to, and has time to check and maintain all this data in several systems? Doesn’t it easily cause one an insecure and unpleasant feeling?
Companies have many kinds of applications and systems for handling the employee data. Data is often related to a certain matter, or a matter being a part of a bigger entity. In case employee data is scattered to various applications, forming an overall picture might be challenging. It slows things down, causing frustration and one might even feel of insecure.
Example #2: there are several externals who need access rights (an/or user permissions) to do the work and move around in necessary areas of the premises. To do their work, and for security, they might be required various kinds of things: valtti-card, tax code, professional certificates, local induction, work security courses and other courses, security checks, information security document, NDA, etc.. and international employees need work permits. These issues may be handled in several systems and by various people, nobody having an overall picture of the situation.
Does everyone involved have a knowledge of what the requirements for each employee are? Tasks may be remote by computer, or hands-on, on-site.
How much does this missing overall picture cause extra cost, low resource utilization rate and frustration?
I personally have often felt frustrated, when there is no progress and I don’t have an overall picture. Having an overall picture and predictability bring along a feeling of security.
How would it feel, if all these things were gathered into one location and managed from there? People involved could see the information they need to see, in order to push things forward, and manage them in a controllable way. And, first of all, employees would get necessary permissions and access rights on time.
Manage in a proactive way
Example #3: Maintenance work is scheduled to start next week, but we are uncertain if the contractor’s and their employees’ data is correct and if all of them fulfill the requirements (e.g. if all necessary courses are completed). You make several phone calls, check matters and register the information to various locations, but do you have an overall picture of the situation?
You maintain the feeling of control, and an overall picture, when you are able to register and manage the data through one interface. That way it’s also easier to return to the matters, if needed. One centralized data storage, data distribution to the needed applications from there; one centralized data storage to gather the data from various applications – handy!
An important point of view in overall picture is the status communication. It’s important that the people involved (e.g. orderer and contact person) receive reminders and notifications, when things don’t proceed as planned, or there will be other changes. This way everyone involved receives the information simultaneously, and they are able to react faster.
In case the courses needed to maintain the access rights expire, it is important that the employee in concern is informed early enough. That way he/she is able to do his/her share for a secure working environment, and to maintain his/her own qualification. If he/she intentionally neglects the required things, an automated expiration of e.g. access rights makes sense. This function is one of the benefits of data being managed via one service/interface.
Share responsibilities and avoid risks in data management
Example #4: Who’s responsibility it is to register and maintain sensitive employee information in all needed locations? How can we prevent (or at least try to so) someone distributing them in a wrong or an unprotected way (by e-mail)?
In data management, sharing responsibility is important, and that there is a system available for that. In that system, the orderer first defines the schedule and other requirements for the assignment. Following that, the contractor’s contact person registers and maintains, after receiving an automated notification, the person data of the employees in the subcontracting chain. Both customer and orderer see the sama data, including each employee’s personal status and the requirements for him/her.
The contact person responsible for the data input, is also responsible for maintaining and keeping the data accurate. This helps minimize the risks that occur if several people handle and send same data. Both the work orderer and and the contractor no longer need to spend their resources on data management.
This procedure makes it unnecessary to send sensitive information by e-mail, or by any other means. E-mail and it’s security is often trusted too much; it is unfortunately still widely used for sending sensitive information, although it’s far from being a safe way for that.
An old phrase comes to mind: “E-mail is like a post card and protected e-mail like a message wrapped in an envelope.” Person handling mail, and the mailman, do have an access to the information in them, although the sender may not think so.
As soon as the contact person has registered the necessary employee information and added possible attachments, automated checks may start immediately (tax code, valtti-card etc). Contact person has a real-time view to the check results, and he/she is able to see, what is still to be checked or what phases underway – or in case the employee has not passed the check, reason/reasons for that.
Employees do their own share via the same system, or via some other system, but anyhow so, that all information regarding completed courses is gathered to a centralized location, for an easy access to necessary people, and to maintain an overall picture. Other than possible courses, employees may be responsible for registering other type of information, e.g. Privacy statement approval and Information security commitment approval.
Information (including possible attachments) registered by the contact person, e.g. for working hours follow-up purposes, is simultaneously available for the Security investigator. Security investigation process may be time-consuming, so having all necessary information available early enough, and preferably via one centralized channel, is important. No more separately sent attachments nor uncertainty about the process status.
Too wide access or accidentally active access?
Excaple #4: Are all people accessing the premises, really allowed to do so? How do I know and how can I make sure the person completed his job, no more has access to the premises (=access has been terminated)?
After the work is done, it is important to have accesses effortlessly terminated (premises, applications) and possible FSIS integrity monitoring (a part of the security clarification) ended. Often, however, contact persons have a lot to do, when a project is completed, and these things may be forgotten.
When the project is completed, sometimes ahead of planned schedule, the work orderer and the contact person need to have a possibility to effortlessly end employee accesses, even on the field, through a mobile interface. The more easily this is doable, the more surely it will be taken care of.
Security is a positive thing; the feeling is a result of co-operation!
It is important to pay attention to the emotional side of the security, too. It means a feeling of security; that all of us working in the same premises, using same applications, have done all things that are required from us. It includes a feeling that everyone knows how to act in exceptional situations.
Mikko Hurskainen
System Specialist