In this series, we’ve explored how to map the hardware, software, and other data assets that make up your information system. Hopefully, you’ve identified and taken steps to mitigate some of the most common cyber risks. Until you control who can access the system and its information, however, it’s unlikely that your efforts thus far will provide ongoing protection from threats both internal and external.
Setting access levels requires a two-step approach. Firstly, you must determine who “owns” the data. Secondly, you need to establish which other team members need some level of access to that data.
Defining Data Ownership
The question of who “owns” the data can be a contentious one. Employees who use a particular database, for example, may feel they have ownership of it and the information it contains. After all, they enter the information and manipulate it. But true ownership involves a much greater level of responsibility.
An owner needs to be willing and able to ensure the integrity of the data and its structure. They also need to have the authority to grant or prohibit access to the information. Furthermore, they need to understand how hardware and software systems store and manipulate the data and how the information integrates with or impacts other data.
The owner isn’t necessarily a single individual. It can be a small group of people who divide these responsibilities according to their skill sets. When the ownership group gets too large, however, the amount of responsibility everyone feels generally lessens. That can have negative repercussions.
Other Levels of Access
Of course, a team member doesn’t have to “own” a particular data set to have a legitimate need to access that information. Depending on the nature of their job responsibilities, users may create, manipulate, and even delete data from the system. Others, who may never even touch the data or the information system containing it, may still depend on that information being accurate and accessible.
A good real-world analogy for these different roles is to think about the electricity in your office. When people flip a light switch, they expect the lights to come on. They may not know how the building is wired or what the load is on a particular circuit (unless it keeps tripping out); they probably don’t know how much last month’s electricity bill was or even who your utility provider is. That isn’t need-to-know information for turning on the lights. Usually they don’t care about it until the switch doesn’t work as expected. That’s being a user.
Other people, such as visitors, may not even be sure where the light switches are located. It’s not important to them, so long as there is light for them to see as they cross a room. They’re dependents.
But as the person responsible for ensuring that the lights stay on, you DO need to know some or all of this information. Even if you can’t wire a building or rig a new transformer yourself, you know who to contact to accomplish these tasks. You monitor how much electricity costs your company and may send out reminders to staff to turn the lights off when they leave at night to save energy. You compare utility companies to see who can offer the best deals or negotiate for preferred rates. That’s ownership.
Setting Levels of Access
A convenient tool for determining appropriate levels of data access is the C-I-A Security Triad:
- Confidentiality – how important it is to keep the information secret or private
- Integrity – how important it is for the information to be accurate
- Availability – how important it is for users to be able to view and/or manipulate information
The more important it is to guarantee one or more of these properties, the more tightly you'll want to control access. Don't get carried away, though; three to five levels of access are plenty for most organizations.
Overestimating the need for confidentiality risks people not being able to access the information they need to meet client needs or make informed decisions. Underestimating the need for confidentiality risks exposing information to outsiders in a way that causes financial or reputational harm.
It’s important to understand the regulations that govern the different types of information stored in your information system. The U.S.’s patchwork approach to information security and data privacy means that different laws and regulations may apply at both the state and federal levels. Some larger cities also regulate information security. Contracts and insurance requirements may impose even higher standards – not to mention the expectations that collaborators and clients may have.
Where confidentiality is important, consider anonymizing the information or restricting access to specific fields rather than the whole data set. Limiting access to particular locations or times of day is another effective control, as is requiring specific approval (co-authorization) from a team member with a higher access level.
The more important it is that information be correct, the more tightly you should restrict write access, or at least make the data read-only for most users. Where users must be able to change the information, implement change tracking or delayed (staged) changes that take effect only after review. Change tracking on its own won't prevent a compromise of data integrity, but it makes it far simpler to identify when and where a change occurred and who made it. Reviewing trends in that record lets you further refine access for individuals or teams.
Many of the strategies for handling confidentiality and integrity also apply to availability, because making information more available than people's jobs require creates opportunities for team members to compromise those other two properties. Their actions needn't be malicious or unethical; simple mistakes or curiosity can lead to problems.
On the other hand, making information too hard to reach prevents employees from completing their tasks in a timely manner. Remember that when cybersecurity measures block people from information they genuinely need to do their jobs, they start looking for ways to circumvent those measures!
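The controls described above (a confidentiality-driven read threshold with field-level redaction, read-only or co-authorized writes for high-integrity data, and a change log for tracked writes) are easier to reason about once they are written down as a policy. The following is an added example written for this article; it is not the author's code or any product's access-control engine. The data set, the owner/user/dependent roles, the five-tier access scale, the field names and the rating-to-tier thresholds are all constructed assumptions chosen to illustrate the idea.

```python
"""Added example: a small policy engine that turns a data set's C-I-A ratings
into the concrete controls the article describes.  All data sets, roles,
tiers, field names and thresholds below are constructed assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class DataSet:
    name: str
    confidentiality: Rating
    integrity: Rating
    availability: Rating
    owners: frozenset            # members of the owning group
    sensitive_fields: frozenset  # fields blocked out for partial readers


@dataclass(frozen=True)
class Principal:
    name: str
    role: str   # "owner", "user" or "dependent", as the article uses them
    tier: int   # assumed access scale: 1 (lowest) .. 5 (highest)


@dataclass
class Decision:
    allowed: bool
    reason: str
    redacted: bool = False
    needs_coauth: bool = False
    tracked: bool = False


# Assumed mapping from confidentiality rating to the tier needed for a full read.
READ_TIER = {Rating.LOW: 1, Rating.MEDIUM: 3, Rating.HIGH: 5}


def read_threshold(ds: DataSet) -> int:
    """A HIGH availability need relaxes the confidentiality-driven threshold
    by one tier (never below 1): the trade-off the article warns about."""
    tier = READ_TIER[ds.confidentiality]
    if ds.availability is Rating.HIGH:
        tier -= 1
    return max(tier, 1)


def decide(p: Principal, ds: DataSet, action: str,
           approver: Optional[Principal] = None) -> Decision:
    """Return the access decision for `action` ("read" or "write")."""
    if action not in ("read", "write"):
        raise ValueError(action)
    if p.name in ds.owners:                      # owners hold full authority
        return Decision(True, "owner", tracked=True)
    if p.role == "dependent":                    # dependents never touch the data
        return Decision(False, "dependents rely on users, no direct access")
    need = read_threshold(ds)
    if p.tier < need - 1:
        return Decision(False, f"tier {p.tier} below threshold {need}")
    if action == "read":
        if p.tier >= need:
            return Decision(True, "full read")
        # one tier short: permitted only with sensitive fields blocked out
        return Decision(True, "redacted read", redacted=True)
    if p.tier < need:
        return Decision(False, "write needs full read tier")
    # Writes: the integrity rating decides how tightly to control them.
    if ds.integrity is Rating.LOW:
        return Decision(True, "write")
    if ds.integrity is Rating.MEDIUM:
        return Decision(True, "write with change tracking", tracked=True)
    # HIGH integrity: read-only unless a higher-tier team member co-authorizes.
    if approver is None or approver.name == p.name or approver.tier <= p.tier:
        return Decision(False, "read-only without higher-tier co-authorization",
                        needs_coauth=True)
    return Decision(True, f"write co-authorized by {approver.name}",
                    needs_coauth=True, tracked=True)


def view(p: Principal, ds: DataSet, record: dict) -> Optional[dict]:
    """Return the record as `p` may see it, or None if access is denied."""
    d = decide(p, ds, "read")
    if not d.allowed:
        return None
    if not d.redacted:
        return dict(record)
    return {k: ("<redacted>" if k in ds.sensitive_fields else v)
            for k, v in record.items()}


def apply_write(log: list, p: Principal, ds: DataSet, record: dict,
                column: str, new_value, approver: Optional[Principal] = None) -> Decision:
    """Apply a change if the policy allows it; tracked writes go to `log`."""
    d = decide(p, ds, "write", approver)
    if d.allowed:
        if d.tracked:
            log.append({"who": p.name, "dataset": ds.name, "field": column,
                        "old": record.get(column), "new": new_value,
                        "approver": approver.name if approver else None})
        record[column] = new_value
    return d


# Constructed sample: a claims table rated MEDIUM confidentiality, HIGH integrity.
CLAIMS = DataSet("claims", Rating.MEDIUM, Rating.HIGH, Rating.MEDIUM,
                 owners=frozenset({"dana"}),
                 sensitive_fields=frozenset({"ssn", "diagnosis"}))
ALICE = Principal("alice", "user", tier=3)      # full reader, may not write alone
BOB = Principal("bob", "user", tier=2)          # one tier short: redacted view
CARL = Principal("carl", "dependent", tier=2)   # relies on users, no direct access
EVE = Principal("eve", "user", tier=1)          # below threshold: denied
DANA = Principal("dana", "owner", tier=5)       # owner and valid co-authorizer
```

In use, `view` answers the confidentiality question (who sees which fields), `decide` with an `approver` answers the integrity question (who may change high-integrity data and under whose authorization), and the `log` passed to `apply_write` is the change-tracking record that lets you reconstruct when a change was made and by whom. Lowering `READ_TIER` or raising the availability rating makes the data easier to reach; the engine makes that trade-off explicit rather than implicit.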
The Hard Truth
Despite your best efforts to protect your systems and data, it’s impossible to eliminate risks entirely. That’s the price we pay for having such powerful tools. The goal of an information security program is to reduce these risks to a level that stakeholders can live with.
Additionally, the written information security program (ISP) must be a living document that evolves constantly. The annual review mandated in some jurisdictions likely doesn't begin to cover the actual needs of your program. Cybersecurity means being prepared to pivot in response to new threats and opportunities and to learn from each experience, in order to offer ever better information management solutions for everyone in the insurance ecosystem.