The level of security, confidentiality and privacy achieved for information, processes and physical assets is the measure of success of an organization's access control database management program. As with every other aspect of the business, the controls placed on access to and use of its assets must be auditable for governance, compliance and usage purposes. Effectively establishing user identity profiles, defining users' rights and privileges, and managing the database on an ongoing basis are therefore critical to the overall success of an organization's access control strategy.
An access control database is much like any other business information database, and like any other information system it is governed by seven basic principles of successful database management. These are:
1. Good policies and procedures
Organizations are beginning to understand the stakes involved in all forms of information management. This realization is being driven by both external factors (legal and regulatory compliance) and internal factors (process standardization and cost reduction). As with any management program, policies and procedures provide the foundation of a successful access control information management program. Policies are a manifestation of an organization's beliefs, and they express its commitment to sound management, an important message not only to employees but to the outside world as well.
2. Support from all levels of management
The success of any important organizational activity depends in large part on the commitment of the organization's senior management team. This commitment can be expressed in concrete ways, such as funding levels, and in less tangible ways, such as making the program a priority at the executive roundtable. Management of an access control database is no different. A successful program requires senior executives and managers to take responsibility for the program's development, implementation and ongoing improvement.
3. Proper delegation of program roles and components
Responsibility for access control management programs must be delegated only to individuals with appropriate training, qualifications and authority. Every employee in an organization shares responsibility for compliance, but specific roles and responsibilities must also be created, and appropriate authority delegated, to oversee specific program components.
4. Program dissemination, communication and training
Gaps in communication and training will undermine the effectiveness of any management program. The organization must take steps to communicate policies and procedures effectively to all employees. These steps might include, for example, requiring all employees to participate in training programs, and disseminating information that explains in a practical and understandable manner what is expected of employees.
5. Auditing and monitoring to measure program compliance
The organization must take reasonable steps to measure compliance with policies and procedures through monitoring and auditing programs. The best policies and practices in the world will not protect an organization unless it has the means to find out whether employees are, in fact, complying with those directives. This is the role of auditing and monitoring: to give management a method of measuring and improving database management programs.
6. Effective and consistent program enforcement
Program policies and procedures must be consistently enforced through appropriate disciplinary mechanisms and through the proper configuration and management of the related systems. The mere existence of a compliance program is not sufficient; effective and consistent enforcement of program policies and procedures is essential in order to minimize liability and risk.
7. Continuous program improvement
Management programs have a finite useful life. Organizations must continuously evaluate the effectiveness of their access control database management program. Mergers, acquisitions and workforce changes can all affect the database and, consequently, the practices used to manage it. If improper or ineffective program management is detected, the organization must take all reasonable steps to respond appropriately to the finding and to minimize or prevent future occurrences.
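Principles 5 and 7 are abstract as stated: "auditing and monitoring" and "workforce changes can affect the database" become concrete only when the access control database is reconciled against an authoritative source such as the HR roster. The script below is an added example (not code from the original page) showing one such reconciliation. It assumes two constructed inputs, a list of access records and an HR roster, plus a hypothetical role-to-privilege baseline, and reports three kinds of finding an access review would look for: entitlements still held by people HR lists as departed, entitlements with no owner in HR at all, and privileges that exceed the holder's role.

```python
"""Reconcile an access-control database against the HR roster.

Added example, not part of the original page. All inputs (access records,
roster and the role baseline) are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRecord:
    user_id: str
    system: str
    privilege: str


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    active: bool  # False once HR has processed the departure


# Hypothetical role baseline (an assumption for this example): the
# (system, privilege) pairs each job role is expected to hold.
ROLE_BASELINE = {
    "analyst": {("crm", "read")},
    "dba": {("crm", "read"), ("crm", "admin"), ("hr-db", "admin")},
}


def _by_user(roster):
    return {e.user_id: e for e in roster}


def find_leavers_with_access(records, roster):
    """Entitlements whose owner HR lists as departed (never revoked)."""
    people = _by_user(roster)
    return sorted((r.user_id, r.system, r.privilege) for r in records
                  if r.user_id in people and not people[r.user_id].active)


def find_orphan_accounts(records, roster):
    """Entitlements with no HR record at all: nobody is accountable for them."""
    people = _by_user(roster)
    return sorted((r.user_id, r.system, r.privilege) for r in records
                  if r.user_id not in people)


def find_privilege_drift(records, roster, baseline):
    """Entitlements held by active staff that exceed their role's baseline.

    A role missing from the baseline is treated as having no expected access,
    so every entitlement held by such a role is flagged for review.
    """
    people = _by_user(roster)
    out = []
    for r in records:
        emp = people.get(r.user_id)
        if emp is None or not emp.active:
            continue  # leavers and orphans are reported by the other checks
        if (r.system, r.privilege) not in baseline.get(emp.role, set()):
            out.append((r.user_id, r.system, r.privilege))
    return sorted(out)


def reconcile(records, roster, baseline=ROLE_BASELINE):
    """Run all three checks and return the findings keyed by category."""
    return {
        "leavers": find_leavers_with_access(records, roster),
        "orphans": find_orphan_accounts(records, roster),
        "drift": find_privilege_drift(records, roster, baseline),
    }


# Constructed sample data for the example.
ROSTER = [
    Employee("alice", "analyst", True),
    Employee("bob", "dba", False),       # left the company; HR record closed
    Employee("carol", "analyst", True),
]
RECORDS = [
    AccessRecord("alice", "crm", "read"),
    AccessRecord("alice", "crm", "admin"),   # beyond the analyst baseline
    AccessRecord("bob", "hr-db", "admin"),   # never revoked after departure
    AccessRecord("carol", "crm", "read"),
    AccessRecord("dave", "crm", "read"),     # no HR record at all
]

if __name__ == "__main__":
    for category, rows in reconcile(RECORDS, ROSTER).items():
        print(category, rows)
```

In practice the roster and access records would be exported from the HR system and the access control database on a schedule, and each finding would feed the enforcement step in principle 6 (revocation ticket, manager attestation, or disciplinary follow-up) rather than just being printed. Running the review on every reorganization, merger or departure batch is what keeps principle 7 from being an annual formality.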
By following these seven basic principles, an organization will find that managing its access control database is more cost effective and less of a drain on its resources. There are numerous other critical steps an organization must take in establishing an effective access control program in order to ensure that the system's database is properly established and accurate. However, that is for another time.