Security Zone: Push for the use of centralised data

"You make a child, but you don't make its mind," is an old saying from Trinidad. I am reminded of this when I think of how data changes as it migrates through an organisation. In the absence of rigorous enrolment procedures and standardised data entry requirements, the problems posed by incorrect data can be costly, writes Sean Pollonais, information security consultant at BD&F Infosec.

The HR and finance departments are usually seen as the source of all personnel information within organisations. The applications and systems used by these departments are often customised to facilitate the business processes of the company. When these systems and applications are being tuned, attention must be paid to providing secure and reliable procedures that ensure data is centrally referenced at all stages.

I once worked on a project to apply encryption to all the machines in a company. The exercise turned out to be time-consuming to the company and frustrating to end-users because information about the machines and users had been created by independent sources across the company.

When a new laptop was handed out, the support desk entered this information into a spreadsheet. Few members of the support desk owned a copy of the spreadsheet. The data was out of sync in a short time.

New members of staff were assigned to desktops and this information was recorded by line managers and stored separately. Staff names did not always match HR records and the information was not consistently updated when staff left the company or moved to another department.

At the end of that project an effort was made to provide line managers with a comprehensive online form for joiners. The data gathered would be controlled by HR and referenced by finance, service desk and all other appropriate departments. The support of management in this instance was crucial.

The date format took about a week to be decided. Potential users had to be convinced of the need for a standard and then a format had to be decided upon. When this was done, the form forced users to enter all relevant dates to a standard.

This approach is needed for all forms of measurement: money, distance, time and any other that might be used within a company's business operations. When these are standardised, users no longer have to spend time cleaning data for individual calculations, and the risk of data entry errors is reduced.

Within organisations there should be a push for the use of centralised data. Any records that have to be created should be procured from a central repository to avoid localisation - for example, the use of nicknames such as Bob instead of Robert. Where possible, the company should give staff local network forms with drop-down menus to enter data for activities that are commonplace.

IT departments have to provide systems that help users focus on the business. These systems should provide a common reference point for all data inputs, ranging from the identity of staff to records of stock. The applications should also insist that data entry is standardised and users are informed about what type of information is needed. Correct data helps a business perform efficiently.
