"You make a child, but you don't make its mind," is an old
saying from Trinidad. I am reminded of this when I think of how
data changes as it migrates through an organisation. In the absence
of rigorous enrolment procedures and standardised data entry
requirements, the problems posed by incorrect data can be
costly, writes Sean Pollonais, information security
consultant at BD&F Infosec.
The HR and finance departments are usually seen as the source of
all personnel information within organisations. The applications
and systems used by these departments are often customised to
facilitate the business processes of the company. When these
systems and applications are being tuned, attention must be paid to
providing secure and reliable procedures that ensure data is
centrally referenced at all stages.
I once worked on a project to apply encryption to all the
machines in a company. The exercise turned out to be time-consuming
to the company and frustrating to end-users because information
about the machines and users had been created by independent
sources across the company.
When a new laptop was handed out, the support desk entered this
information into a spreadsheet. Few members of the support desk
owned a copy of the spreadsheet. The data was out of sync in a
short time.
New members of staff were assigned to desktops and this
information was recorded by line managers and stored separately.
Staff names did not always match HR records and the information was
not consistently updated when staff left the company or moved to
another department.
At the end of that project an effort was made to provide line
managers with a comprehensive online form for joiners. The data
gathered would be controlled by HR and referenced by finance,
service desk and all other appropriate departments. The support of
management in this instance was crucial.
The date format took about a week to be decided. Potential users
had to be convinced of the need for a standard and then a format
had to be decided upon. When this was done the form forced users to
enter all relevant dates to a standard.
This approach is needed for all forms of measurement: money,
distance, time and any other that might be used within a company's
business operations. Standardising these saves users from
having to spend time cleaning data for individual calculations and
reduces the risk of data entry errors.
Within organisations there should be a push for the use of
centralised data. Any records that have to be created should be
procured from a central repository to avoid localisation - for
example, the use of nicknames such as Bob instead of Robert. Where
possible, the company should give staff local network forms with
drop-down menus to enter data for activities that are
commonplace.
IT departments have to provide systems that help users focus on
the business. These systems should provide a common reference point
for all data inputs, ranging from the identity of staff to records
of stock. The applications should also insist that data entry is
standardised and users are informed about what type of information
is needed. Correct data helps a business perform efficiently.