This week we’ll be discussing Operations Security. It ties in pretty closely with the previous discussion about permission levels and computer security.
Ultimately, the questions we’re trying to answer are: Where are the weaknesses in your day-to-day operations? Who has access to what information? What are they allowed to do with it? Is the information sensitive enough to implement split-knowledge (next week’s topic)?
In its simplest form, operations security means making sure that only properly authorized people have access to the information they require to perform their assigned duties.
- What information should be public (outside the company)?
- What information should be accessible to anyone within the company?
- What information should be of a “limited access” type? Payroll spreadsheets, performance evaluation records, etc. Some of these are REQUIRED to be limited access.
- What information should be limited to the creator/owner?
If you have concerns about who is accessing what information after the fact, there are tools available to perform those types of access audits.
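As an added illustration (not part of the original post), the sketch below replays a constructed access log against the four tiers listed above and reports every access that falls outside a tier's intended audience. The tier labels, file names, users and groups are all assumptions made up for the example.

```python
from dataclasses import dataclass

# The four tiers from the list above; the label names are assumptions.
PUBLIC, INTERNAL, LIMITED, OWNER_ONLY = "public", "internal", "limited", "owner_only"

@dataclass(frozen=True)
class Resource:
    tier: str
    owner: str
    allowed_groups: frozenset = frozenset()  # only meaningful for LIMITED

# Constructed sample inventory, directory and access log (not real data).
RESOURCES = {
    "press-release.pdf": Resource(PUBLIC, "marketing"),
    "staff-handbook.pdf": Resource(INTERNAL, "hr"),
    "payroll.xlsx": Resource(LIMITED, "alice", frozenset({"payroll"})),
    "draft-review-notes.docx": Resource(OWNER_ONLY, "bob"),
}
USERS = {  # user -> (is_employee, groups)
    "alice": (True, {"payroll"}),
    "bob": (True, {"managers"}),
    "carol": (True, {"engineering"}),
    "vendor1": (False, set()),
}
ACCESS_LOG = [  # (user, resource) pairs in the order they occurred
    ("vendor1", "press-release.pdf"), ("vendor1", "staff-handbook.pdf"),
    ("carol", "staff-handbook.pdf"), ("carol", "payroll.xlsx"),
    ("alice", "payroll.xlsx"), ("alice", "draft-review-notes.docx"),
    ("bob", "draft-review-notes.docx"), ("carol", "unlabelled-export.csv"),
]

def is_permitted(user, name):
    """Return (allowed, reason) for one access under the four-tier policy."""
    res = RESOURCES.get(name)
    employee, groups = USERS.get(user, (False, set()))  # unknown user = outsider
    if res is None:
        return False, "resource has no classification"
    if res.tier == PUBLIC:
        return True, ""
    if not employee:
        return False, "non-employee access to non-public data"
    if res.tier == INTERNAL or user == res.owner:
        return True, ""
    if res.tier == LIMITED and groups & res.allowed_groups:
        return True, ""
    return False, f"{res.tier} data accessed outside its audience"

def audit(log):
    """Return (user, resource, reason) for every access the policy forbids."""
    checked = ((u, r, is_permitted(u, r)) for u, r in log)
    return [(u, r, why) for u, r, (ok, why) in checked if not ok]
```

Unclassified resources are reported rather than silently allowed, so the audit also surfaces data that was never assigned a tier.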
Contact us for additional guidance.