An example of how the staff training on information security, data protection and privacy (IS/DPP) could look.
This part is on authorization and access rights, focusing on the staff's part in that.
The slides come with notes that briefly explain the visuals on the slides.
Slide 2 - Internal -
There are “3rd Parties” and “3rd Parties”
Layers shown on the slide:
- Environment
- Physical
- Human
- Device
- Application
- Repository
- Carrier
- Network
- Data
Changes:
• In the regulatory environment
• In processes
• In people (JLT)
• In technology
3rd Parties
But important roles as well for:
- HR
- Line Management / Sponsor
- All of Us
Slide 5
Request
Only ask for the access rights you require.
If you no longer need access rights, inform IT or HR so they can close them.
Slide 6
Authorization
Authorization is function / role based (“need-to-know”).
Authorizations are not always equal to access rights.
Slide 7
Access Rights
Access rights determine what you can see, not what you should look at in the context of your work (need-to-know). Your authorization and need-to-know always prevail over what you technically can do.
Don’t use your access rights for private purposes, not even to look at your own data.
Slide 8
Access Rights Are Precious
Perform all your activities with your personal user ID.
Your personal user ID is used only by you and no one else.
Do not share your access rights.
11 April 2017
Slide 9
Behind the Curtains
When you join ABC Group or a new unit, your authorizations and access rights may be requested by HR and/or your line management.
ABC Group is also working on a periodic review of access rights in a cooperation between you, your line management, HR, and the Information Asset Owners.
Slide 10
Key Takeaways
You should only have access rights and use them as your job requires (need-to-know).
You should pro-actively (help) manage your access rights.
Your access rights are personal and should not be shared.
30 sec IS/DPP survival kit
Wrap-Up
Editor's notes
Welcome to the fifth part of the baseline training IS/DPP.
Herein we look at access to the data.
Access relates to all layers and is strongly related to the confidentiality of the data and the “circles of trust”.
Everybody in the “circle of trust” has access. Everybody outside the “circle of trust” is a “third party”.
It must be clear that this is distinct from the third parties we defined as external staff.
So for restricted data, if you do not need that data for the performance of your job, you are considered a “third party”.
Note that here as well we apply “no contract, no data”.
As an internal staff member, you have your employment agreement with the ABC Group.
As an external staff member, you or the company you work for have an agreement with the ABC Group.
In principle it is (or should be) determined per information asset who is authorized to have access, and that decision is (or should be) based on the need-to-know.
That is why you have a specific responsibility to help set up and close down access rights that fit your needs AND to restrain yourself from snooping around in information that you do not need in the context of your job.
The authorization is in principle given by your line management (or if you are an external staff member your sponsor) and the information asset owner based on your function or role.
Based on the authorization decision access rights are granted.
Sometimes, however, it is technically so hard to set up such fine-grained access management, or it is simply not user friendly to ask for expansion (and collapse) of access rights all the time, that the organisation chooses to set up access rights on a higher level rather than on the level of a specific information asset.
For example, you may get access rights to a part of the building, an application, or a server drive, rather than only to the data that relates to the project you need access to in the context of your job.
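The gap described in the two notes above (authorization is decided per information asset, but access rights are often granted on a coarser container such as a share or an application) is exactly what a periodic access review has to reconcile. The following is an added example, not ABC Group's own tooling, with constructed sample users, assets and rights: it derives which containers each user needs from the per-asset authorizations, compares that with the rights actually granted, and flags excess rights, missing rights, leavers that still hold rights, and user IDs that belong to no known person. It also lists, per user, the assets that are technically reachable through a coarse grant but carry no need-to-know, which is the slide-7 point that access rights determine what you can see, not what you may look at.

```python
"""Access-review reconciliation (added example with constructed data).

Authorization (per information asset, by role / need-to-know) is compared
with access rights (granted per container: share, application, drive).
"""
from dataclasses import dataclass

# Constructed sample: information asset -> the coarser container it lives in.
ASSET_CONTAINER = {
    "projects/alpha/budget.xlsx": "share:projects",
    "projects/beta/plan.docx": "share:projects",
    "hr/salaries.xlsx": "share:hr",
    "crm": "app:crm",
}

# Constructed sample: authorization decisions by the information asset
# owner, per role (need-to-know).
ROLE_AUTHORIZATIONS = {
    "alpha-analyst": {"projects/alpha/budget.xlsx"},
    "hr-officer": {"hr/salaries.xlsx"},
    "sales": {"crm"},
}


@dataclass(frozen=True)
class User:
    user_id: str        # personal user ID, used by exactly one person
    roles: frozenset    # roles assigned by line management / sponsor
    active: bool = True # False once HR records the person as a leaver


# Constructed sample user population.
USERS = [
    User("u1001", frozenset({"alpha-analyst"})),
    User("u1002", frozenset({"hr-officer"})),
    User("u1003", frozenset({"sales"}), active=False),  # has left the company
]

# Constructed sample: technical access rights exported from the systems.
GRANTED_RIGHTS = {
    "u1001": {"share:projects"},
    "u1002": {"share:hr", "share:projects"},  # no need-to-know for projects
    "u1003": {"app:crm"},                     # leaver still holds rights
    "svc-shared": {"share:hr"},               # ID that maps to no known person
}


def authorized_assets(user):
    """Assets the user's roles have a need-to-know for (authorization layer)."""
    assets = set()
    for role in user.roles:
        assets |= ROLE_AUTHORIZATIONS.get(role, set())
    return assets


def needed_containers(user):
    """Containers that must be granted so the user can reach authorized assets."""
    return {ASSET_CONTAINER[asset] for asset in authorized_assets(user)}


def reachable_but_not_authorized(user, granted):
    """Assets the user can technically open through a coarse grant but has
    no need-to-know for: readable is not the same as allowed to look at."""
    containers = granted.get(user.user_id, set())
    reachable = {a for a, c in ASSET_CONTAINER.items() if c in containers}
    return reachable - authorized_assets(user)


def review(users, granted):
    """Periodic access review: reconcile granted rights with authorizations."""
    findings = {"excess": {}, "missing": {}, "leaver": {}, "unknown_id": {}}
    known_ids = {u.user_id for u in users}
    for user in users:
        have = granted.get(user.user_id, set())
        if not user.active:
            if have:
                findings["leaver"][user.user_id] = have
            continue
        need = needed_containers(user)
        if have - need:
            findings["excess"][user.user_id] = have - need
        if need - have:
            findings["missing"][user.user_id] = need - have
    for user_id, rights in granted.items():
        if user_id not in known_ids and rights:
            findings["unknown_id"][user_id] = rights
    return findings


if __name__ == "__main__":
    for category, entries in review(USERS, GRANTED_RIGHTS).items():
        print(category, entries)
    for user in USERS:
        print(user.user_id, "can open but must not look at:",
              sorted(reachable_but_not_authorized(user, GRANTED_RIGHTS)))
```

The "excess" and "leaver" findings go to line management and the asset owner to close rights that are no longer needed; "unknown_id" entries are the ones to chase first, because actions on such an ID cannot be attributed to a single person. The reachable-but-not-authorized list is what remains even after a clean review: it is the data the coarse grant exposes and that the staff member must refrain from opening.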
In terms of access rights you can and must be selfish.
You must perform your activities with your personal user ID.
You should be the only one using your personal user ID.
You must not share your access rights.
This is important because all actions on your personal user ID will be attributed to you.
Behind the curtains ABC is working on failsafe procedures to support and challenge your access rights.
That is it for this section. Here are a few key takeaways.