Databases are prime targets for attackers, and they are an attractive instrument of revenge for disgruntled employees. In this case, the Human Resources (HR) group must house data that is used across the corporation, from management down to individual employees, which raises numerous security considerations.
Traditionally, access control has been enforced in application code; when the database itself enforces access control, the value of this layer becomes clear, because every path to the data, not only the application, is subject to the same rules. The workflow shown in figure 1 provides the foundation needed to address interfaces, enforcement, and access tokens. Role-based authorization in the database is not a new idea, but fine-grained control adds rule-based evaluation and applies it at the row level, so that access is decided on the smallest unit of data (Opyrchal, Cooper, Poyar, Lenahan, & Zeinner, 2011). Adopting this level of security gives data owners and database administrators a valuable tool to ensure that only the right people have access, and only during the times when access is required.
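The row-level, rule-based control described above can be enforced by the database engine itself. The following is an added example for PostgreSQL written for this page; it is not code from the paper or from the Bouncer system it cites. The schema, table, role and user names are hypothetical, and it assumes each HR user connects under a database role whose name equals their login_name in the table (many applications instead pass the application user through a session setting and read it with current_setting()). The payroll policy shows the "only during the times when access is required" rule as a time-window condition.

```sql
-- Added example, not from the paper or the Bouncer system it cites.
-- Assumptions: hypothetical schema/table/role names; each HR user connects
-- as a PostgreSQL role named exactly like employee.login_name.
-- Run the setup as a superuser (superusers and BYPASSRLS roles are never
-- subject to row-level security, which is itself a point to audit).

CREATE SCHEMA hr;

CREATE TABLE hr.employee (
    emp_id         integer PRIMARY KEY,
    login_name     text NOT NULL UNIQUE,   -- equals the PostgreSQL role name
    manager_login  text,                   -- login_name of the direct manager
    dept           text NOT NULL,
    salary         numeric(10,2) NOT NULL
);

-- Enforce policies for the table owner too, so an application account that
-- owns the table cannot silently bypass them.
ALTER TABLE hr.employee ENABLE ROW LEVEL SECURITY;
ALTER TABLE hr.employee FORCE ROW LEVEL SECURITY;

CREATE ROLE hr_employee NOLOGIN;
CREATE ROLE hr_manager  NOLOGIN;
CREATE ROLE hr_payroll  NOLOGIN;
GRANT USAGE ON SCHEMA hr TO hr_employee, hr_manager, hr_payroll;

-- Column-level privileges: only payroll may read or change salary.
GRANT SELECT (emp_id, login_name, manager_login, dept)
    ON hr.employee TO hr_employee, hr_manager;
GRANT SELECT ON hr.employee TO hr_payroll;
GRANT UPDATE (salary) ON hr.employee TO hr_payroll;

-- Rule 1 (role + row): an employee sees only their own row.
CREATE POLICY emp_self ON hr.employee
    FOR SELECT TO hr_employee
    USING (login_name = current_user);

-- Rule 2 (role + row): a manager sees their own row and their direct reports.
CREATE POLICY mgr_reports ON hr.employee
    FOR SELECT TO hr_manager
    USING (login_name = current_user OR manager_login = current_user);

-- Rule 3 (role + time window): payroll may read and update any row, but only
-- on weekdays between 08:00 and 18:00 in the session time zone. Outside the
-- window the table simply looks empty and updates affect zero rows.
-- With no WITH CHECK clause, the USING expression also guards updates.
CREATE POLICY payroll_window ON hr.employee
    FOR ALL TO hr_payroll
    USING (extract(isodow FROM current_date) BETWEEN 1 AND 5
           AND localtime BETWEEN time '08:00' AND time '18:00');

-- Constructed sample data (hypothetical people and figures).
INSERT INTO hr.employee VALUES
    (1, 'dana',  NULL,   'HR',  95000),
    (2, 'alice', 'dana', 'HR',  72000),
    (3, 'bob',   'dana', 'HR',  70000),
    (4, 'carol', NULL,   'Eng', 98000);

-- Per-person login roles inheriting from the group roles.
CREATE ROLE dana  LOGIN IN ROLE hr_manager;
CREATE ROLE alice LOGIN IN ROLE hr_employee;
CREATE ROLE pay1  LOGIN IN ROLE hr_payroll;

-- Check 1: alice sees exactly her own row, and cannot select salary at all.
SET ROLE alice;
SELECT emp_id, login_name, dept FROM hr.employee;   -- one row: alice
-- SELECT salary FROM hr.employee;                   -- permission denied
RESET ROLE;

-- Check 2: dana sees herself plus alice and bob, never carol.
SET ROLE dana;
SELECT emp_id, login_name, dept FROM hr.employee;   -- rows: dana, alice, bob
RESET ROLE;

-- Check 3: confirm the policies exist and which roles they bind to.
SELECT policyname, roles, cmd, qual
FROM pg_policies
WHERE schemaname = 'hr' AND tablename = 'employee';
```

Two points a practitioner should keep in mind when reviewing such a setup: all three policies are permissive, so a login that belongs to more than one group role gets the union of what the policies allow (PostgreSQL combines permissive policies with OR; use RESTRICTIVE policies when a rule must always apply); and policies do not apply to superusers or roles created with BYPASSRLS, so the final check should include confirming that application accounts have neither attribute.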
Organizations must understand that data is both their most valuable asset and, in the hands of the wrong individual, a destructive one. To drive this point home, Swartz (2007) stated:
All organizations depend on data, and good data management practices are critical to many technology-based organizational initiatives, including business intelligence, customer relationship management, and data warehousing.
Ultimately, every individual, from the CEO down to the most junior employee, must understand that each has a significant role in both securing and maintaining data (Swartz, 2007). Where the understanding of ownership and responsibility is lacking, the result is failure of the organization's core objective. The key to success is awareness, built through education, and the content of that education varies with the role of the individual in question. For example, HR personnel are responsible for ensuring that the data is both accurate and timely. System administrators require knowledge of TCP/IP and of the behavior of malware such as viruses. Finally, other groups, including managers and employees, must understand and follow stated policies and report any suspected breach as quickly as possible (Hentea, 2005).
In conclusion, the key point is that every person is a link in the chain, and when one link breaks, the whole chain is at risk of failure. Today the role of human-computer interaction (HCI) in security is well defined, but this was not always the case. People can be both a company's most valuable asset and its greatest risk, because they are subject to physical and mental pressures, including peer pressure and the inability to recall procedures from memory (Flechais & Sasse, 2009).
- Opyrchal, L., Cooper, J., Poyar, R., Lenahan, B., & Zeinner, D. (2011). Bouncer: policy-based fine grained access control in large databases. International Journal of Security & Its Applications, 5(2), 1-15. Retrieved from http://www.sersc.org
- Swartz, N. (2007). Data management problems widespread. Information Management Journal, 41(5), 28-30. Retrieved from http://www.arma.org/
- Hentea, M. (2005). A perspective on achieving information security awareness. Issues in Informing Science & Information Technology, 2, 169-178. Retrieved from http://informingscience.org/
- Flechais, I., & Sasse, M. A. (2009). Stakeholder involvement, motivation, responsibility, communication: How to design usable security in e-Science. International Journal of Human-Computer Studies, 67(4), 281-296. doi:10.1016/j.ijhcs.2007.10.002