LP101: Data Security and Access Control

Data Security Data Protection

Computer systems, data networks, and the information that resides on them are critical assets of any retail organization and integral to the success of the company’s mission, goals and objectives. As a result, these vital systems require proper data security and protection to ensure availability, confidentiality, and integrity. As retailers adopt business models that provide employees, business partners, suppliers and customers with greater access to this sensitive information, we not only enhance our business opportunities—we increase our risks as well. As escalating issues have continued to intensify and the need to secure both our information resources and our facilities has risen exponentially, companies have recognized this need and are responding to it.

Managing the security of our information lifelines requires comprehensive solutions that meet the needs of the dynamic retail environment. Identifying critical data security requirements and incorporating them into our processes and operations is an important starting point. Every organization should embrace security solutions based on the risks that they face as part of their day-to-day business operations, establishing standards and practices that meet the company’s unique data security needs.

They should protect data from theft, unintended disclosure, deletion, manipulation and other unauthorized use. They should include multiple layers of data security without creating excessive management complexity. They should ensure that data security processes are incorporated into our overall business processes while remaining focused on productivity and necessary access to needed data. All such security measures should be based on the functional nature and level of importance held by the systems, network resources and data involved. Some important questions would include:

• What data is used and stored on the system?
• Who uses or otherwise has access to the system?
• How do users access the system?
• What functions does the system provide, and what is the relative importance of those functions?
• Are there other networks, programs or users that share the system? What is the potential connectivity to other networks and/or users?
• Where is the system physically located?
• How are data backups made, how frequently, and where are they stored? Who has access to them?
• Are there any regulatory or statutory requirements that we have to consider?

Addressing these and other critical questions and evaluating data security practices and programs that safeguard the availability, confidentiality and integrity of our systems are essential aspects of our protection programs. To best serve the needs of our companies, it is important to understand the scope of these risks and the potential problems that may exist, implementing appropriate protocols and responding as necessary.

Access Control

Access Control is the ability to monitor and regulate who has access to sensitive areas and/or information. Designed to restrict privileges based on an individual’s identity and successful authentication, access control is commonly applied to the retail world in terms of physical security, computer security, and network security systems.

The primary component of any access control system is the development of criteria by which access levels are assigned to both areas and individuals. Role and policy-based controls enable the building of complex rules that govern various levels of accessibility to areas and/or information, ensuring security controls while providing adequate access and productivity to meet the various needs of the business. Simply stated, we want to design a system that is secure but ensures that the appropriate individuals have access to the areas they need to do their jobs, in a way that is not a hindrance to day-to-day activities.

Computer Operating Systems

When referring to computer security, access control is the process by which we direct or control access by users to computer systems and/or the data found on a computer system. It permits company decision makers to specify what users can do, which resources they can access and what operations they can perform. This is typically broken down into three essential services:

Identification & Authentication: This data security validation determines who can log on to a system. It is the process of verifying a user’s identity for the purposes of using the system, during which time an “authenticator” is established. Authenticators are typically based on at least one (but sometimes more than one) of the following factors:

• Something you know, such as a password or personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN necessary to access the account.
• Something that you have, such as an access card or token. Once again, this assumes that only the owner of the account has access to the card or token.
• Something that you are, which might involve fingerprint identification, voice recognition, retina scans or other devices.
• Where you are, for example whether inside or outside the company firewall.

Authorization: This data security protection determines what you can do once you are in the system. Most operating systems define sets of permissions that are variations or extensions of three primary types of access:

• Read information found in the file contents.
• Write or modify the contents of a file by adding, creating, deleting or renaming files or information.
• Execute the file if it is a program (cause the program to be run).

Accountability: This data security process uses system components to track and document what the user did and where they visited while using the system. Such audit trails can be effective ways to detect security violations and recreate user incidents.
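The three services described above can be seen working together in the following sketch. It is an added example, not code from the original article; the role names, resource names, and the AccessController class are hypothetical and constructed for illustration.

```python
import hashlib, hmac, os
from datetime import datetime, timezone

# Constructed sample policy: role and resource names are hypothetical.
ROLE_PERMS = {
    "cashier":    {"pos_sales.db": {"read", "write"}},
    "lp_analyst": {"pos_sales.db": {"read"},
                   "exception_report.py": {"read", "execute"}},
}

def _hash_pin(pin, salt):
    # Store a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AccessController:
    def __init__(self):
        self.users, self.sessions, self.audit_log = {}, set(), []

    def enroll(self, user, pin, token_id, role):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash_pin(pin, salt), token_id.encode(), role)

    def _record(self, user, action, resource, allowed):
        # Accountability: every decision is logged, allowed or denied.
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, user, action, resource,
                               "allow" if allowed else "deny"))
        return allowed

    def authenticate(self, user, pin, token_id):
        # Two factors: something you know (PIN) and something you have (token).
        rec = self.users.get(user)
        ok = (rec is not None
              and hmac.compare_digest(_hash_pin(pin, rec[0]), rec[1])
              and hmac.compare_digest(token_id.encode(), rec[2]))
        if ok:
            self.sessions.add(user)
        return self._record(user, "login", "-", ok)

    def authorize(self, user, action, resource):
        # Deny by default: unauthenticated users and unlisted actions fail.
        allowed = False
        if user in self.sessions:
            role = self.users[user][3]
            allowed = action in ROLE_PERMS.get(role, {}).get(resource, set())
        return self._record(user, action, resource, allowed)

    def denied_events(self):
        # Audit-trail review: (user, action, resource, outcome) for each denial.
        return [e[1:] for e in self.audit_log if e[4] == "deny"]
```

Reviewing denied_events() after a shift surfaces both failed logins and attempts to exceed a role's permissions, which is the audit-trail use the Accountability paragraph describes.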

Even the simple mistakes of well-intentioned team members can pose a significant threat to operations. As a result, every retail company must carefully evaluate their specific data security needs and determine the most appropriate and cost-effective measures to restrict access and protect their information resources.

With the perpetual evolution of new equipment, technology and security techniques, it can be easy to forget that the problem that all of these advancements are trying to solve is neither technical nor complicated—keeping unauthorized and ill-intentioned individuals out of places where they don’t belong.

By capitalizing on opportunities to enhance our knowledge and education, we are making an investment in our own future. To learn more about developing your data security skills and the certification process, visit losspreventionfoundation.org.

 
