A successful security strategy is a compromise between several competing costs, values and risks. Costs are relatively easy to balance because they are directly comparable numbers: high initial implementation costs may be offset by lower maintenance and administration costs.
Risks and values are harder to quantify precisely in monetary terms and may come down to the judgment of management and HR professionals. The following are some of the costs, values and risks you should consider.
- Implementation Costs: These are the initial costs of planning, project management, hardware, packaged software, development tools, consulting, maintenance support, contract labor, internal development resources, validation and initial data loading, from the first day of the project through the first day of production operation. They vary widely with the size of the organization, the performance objectives and the authentication and access control choices made.
- Cost of Maintenance: These are the software licensing, software and hardware maintenance and system support costs required to keep the system in operation on an ongoing basis. They also vary widely with the size of the organization, the performance objectives and the authentication and access control choices made.
- Cost of Administration: These are the personnel costs for the HR and IS professionals who maintain the security system and keep its data accurate. If the integrity of the personnel and access control data is in question, reliable enforcement of the access control rules is not possible.
- Risk of Improperly Granted Access: This is the corporation's financial and business loss exposure from confidential information falling into the wrong hands. Areas to consider are business losses from exposure of operational information to competitors, damage to employee morale and productivity, personnel costs related to improper release of compensation information, and litigation costs from the improper release and use of confidential personnel information.
- Risk of Improperly Denied Access: Nothing is more frustrating than being denied access to information you need to do your job properly. Improperly denied access can prevent a product from shipping, a customer service representative from satisfying a customer, an HR representative from resolving a complaint, or an employee from accessing his own benefits information. The costs here are business losses and decreased workforce morale and productivity.
- Risk of Litigation Exposure: Personnel information is, by its very nature, private and confidential. It is the responsibility of HR professionals to safeguard employee privacy by controlling access to personnel information. A breakdown in this area and the resulting misuse of the information can expose an organization to significant litigation expenses and monetary damages.
- Value of Improved Access to Information: Information can empower people. The value of this may be difficult to quantify in dollars, but improving information access makes employees more productive and generally increases job performance and satisfaction. Employees are happier and more motivated when they feel they have been given the best tools to perform their jobs. These effects may be cumulative and, in some cases, can transform an organization.
- Value of Court-Tested Non-Refutability: Even with the best security, there are cases where employees attempt to misuse their privileges. Personnel actions, because of their impact on employees' careers and the possible financial incentives for misuse, sometimes lead to litigation. Investigating what happened and who is responsible requires a reliable audit trail of personnel transactions and strong authentication that ties each audit record to the correct user.
None of this has much value if it is so easily countermanded that it cannot stand up to courtroom scrutiny. The stronger the authentication, the better. Digital certificates are currently considered a best practice and have legal precedent supporting their proper use for authentication and digital signing. Note that a signature only attributes an action to a user if that user alone holds the signing key; a credential the system administrator can also use, such as a shared password or secret, proves only that someone with access to the system acted.
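As an added example, not from the article or its author, the following Go program shows what "a reliable audit trail tied to the correct users by strong authentication" looks like in code: each personnel transaction is signed with the acting user's own private key and hash-chained to its predecessor, so an edited record, a deleted or reordered record, and an action signed by one person but attributed to another are all detectable by anyone holding the users' public keys. Ed25519 keys derived from fixed seeds stand in for certificate-backed user keys so that it runs offline; the actor names, actions and timestamps are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AuditEntry is one personnel transaction. The struct fixes the field order,
// so json.Marshal produces a canonical byte string, and that is what is signed.
type AuditEntry struct {
	Seq       int    `json:"seq"`
	PrevHash  string `json:"prev_hash"` // hex SHA-256 of the previous signed entry; "" for the first
	Actor     string `json:"actor"`     // identity bound to the signing key (the certificate subject in a PKI deployment)
	Action    string `json:"action"`
	Timestamp string `json:"ts"`
}

// SignedEntry is an entry plus the actor's detached signature over its canonical bytes.
type SignedEntry struct {
	Entry     AuditEntry `json:"entry"`
	Signature []byte     `json:"sig"`
}

func canonical(e AuditEntry) []byte {
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // cannot happen for plain strings and ints
	}
	return b
}

// entryHash covers both the entry and its signature, so each later entry also
// commits to who signed the earlier ones.
func entryHash(s SignedEntry) string {
	h := sha256.Sum256(append(canonical(s.Entry), s.Signature...))
	return hex.EncodeToString(h[:])
}

// keyFromSeed derives a deterministic Ed25519 key pair from a label. This is a
// constructed stand-in for a user's certificate-backed key so the example runs
// offline; in production the private key stays with the user (smart card, HSM).
func keyFromSeed(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("demo-seed:" + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Append signs a new entry with the actor's private key and chains it to the tail.
func Append(trail []SignedEntry, actor, action, ts string, priv ed25519.PrivateKey) []SignedEntry {
	e := AuditEntry{Seq: len(trail), Actor: actor, Action: action, Timestamp: ts}
	if n := len(trail); n > 0 {
		e.PrevHash = entryHash(trail[n-1])
	}
	return append(trail, SignedEntry{Entry: e, Signature: ed25519.Sign(priv, canonical(e))})
}

// Verify checks the hash chain and every signature against the public key
// registered for the claimed actor. It returns the index of the first entry
// that fails, or -1 when the whole trail verifies.
func Verify(trail []SignedEntry, keys map[string]ed25519.PublicKey) (int, error) {
	prev := ""
	for i, s := range trail {
		if s.Entry.Seq != i || s.Entry.PrevHash != prev {
			return i, errors.New("chain broken: entry removed, reordered or inserted")
		}
		pub, ok := keys[s.Entry.Actor]
		if !ok {
			return i, fmt.Errorf("no registered key for actor %q", s.Entry.Actor)
		}
		if !ed25519.Verify(pub, canonical(s.Entry), s.Signature) {
			return i, fmt.Errorf("entry %d is not signed by %q", i, s.Entry.Actor)
		}
		prev = entryHash(s)
	}
	return -1, nil
}

func main() {
	hrPub, hrPriv := keyFromSeed("hr-admin")
	mgrPub, mgrPriv := keyFromSeed("manager")
	keys := map[string]ed25519.PublicKey{"hr-admin": hrPub, "manager": mgrPub}

	// Constructed sample transactions.
	var trail []SignedEntry
	trail = Append(trail, "hr-admin", "salary.update emp=1042", "2001-03-01T09:00:00Z", hrPriv)
	trail = Append(trail, "manager", "review.approve emp=1042", "2001-03-01T09:05:00Z", mgrPriv)
	fmt.Println(Verify(trail, keys)) // -1 <nil>

	// A manager who records a salary change under the HR administrator's name,
	// signing with their own key, is caught by the signature check.
	forged := Append(trail, "hr-admin", "salary.update emp=1042 amount=999999", "2001-03-01T09:06:00Z", mgrPriv)
	fmt.Println(Verify(forged, keys)) // 2 entry 2 is not signed by "hr-admin"
}
```

The design choice worth noting is that the application server never holds a key that could produce a valid signature for a user; it only stores what the user signed. Had the trail been protected with a secret the server itself holds (an HMAC, for instance), the same tamper checks would pass, but the log could not prove in court that it was the named employee rather than an administrator who performed the action, which is the distinction the paragraph above turns on.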
By Robert H. Fortenberry, Information System Consultants. From IHRIM's "e-Work Architect: How HR Leads the Way Using the Internet."