
Chapter 8 Securing Information Systems 343


FIGURE 8.3   ACCESS RULES FOR A PERSONNEL SYSTEM

These two examples represent two security profiles or data security patterns that might be found in a personnel system. Depending on the security profile, a user would have certain restrictions on access to various systems, locations, or data in an organization.





Figure 8.3 is one example of how an identity management system might capture the access rules for different levels of users in the human resources function. It specifies what portions of a human resource database each user is permitted to access, based on the information required to perform that person’s job. The database contains sensitive personal information such as employees’ salaries, benefits, and medical histories.

The access rules illustrated here are for two sets of users. One set of users consists of all employees who perform clerical functions, such as inputting employee data into the system. All individuals with this type of profile can update the system but can neither read nor update sensitive fields, such as salary, medical history, or earnings data. Another profile applies to a divisional manager, who cannot update the system but who can read all employee data fields for his or her division, including medical history and salary. We provide more detail on the technologies for user authentication later on in this chapter.
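The two profiles described above can be expressed as a default-deny, field-level access check. The following Python sketch is an added example, not taken from the textbook or from any identity management product; the field names, the `Profile` and `User` types, the sample record, and the assumption that clerical staff are not restricted to one division are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed field names; the text names salary, medical history and earnings as sensitive.
SENSITIVE = frozenset({"salary", "medical_history", "earnings"})

@dataclass(frozen=True)
class Profile:
    name: str
    read_sensitive: bool      # may read sensitive fields
    update: bool              # may update non-sensitive fields
    own_division_only: bool   # access limited to the user's own division

# The two profiles from the text. Assumption: clerical staff are not division-scoped.
CLERICAL = Profile("clerical", read_sensitive=False, update=True, own_division_only=False)
DIV_MANAGER = Profile("divisional_manager", read_sensitive=True, update=False, own_division_only=True)

@dataclass(frozen=True)
class User:
    name: str
    profile: Profile
    division: str

def is_allowed(user, action, record, field):
    """Default-deny decision for one action ("read" or "update") on one field."""
    p = user.profile
    if p.own_division_only and record["division"] != user.division:
        return False
    if field in SENSITIVE:
        return action == "read" and p.read_sensitive
    if action == "read":
        return True
    return action == "update" and p.update

def readable_view(user, record):
    """Return only the fields this user may read; everything else is omitted."""
    return {f: v for f, v in record.items() if is_allowed(user, "read", record, f)}

def apply_update(user, record, changes):
    """Apply changes atomically: one denied field rejects the whole update."""
    denied = sorted(f for f in changes if not is_allowed(user, "update", record, f))
    if denied:
        raise PermissionError(f"{user.profile.name} may not update: {', '.join(denied)}")
    return {**record, **changes}

# Constructed sample record.
RECORD = {"employee_id": "E-1001", "name": "A. Example", "division": "East",
          "job_title": "Analyst", "salary": 58000, "medical_history": "none on file",
          "earnings": 61250}
```

Rejecting the whole update when any one field is denied keeps a clerical user from slipping a sensitive field into an otherwise permitted change, and returning an empty view for another division's record avoids revealing even non-sensitive data outside the manager's scope.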


DISASTER RECOVERY PLANNING AND BUSINESS CONTINUITY PLANNING

If you run a business, you need to plan for events, such as power outages, floods, earthquakes, or terrorist attacks, that will prevent your information systems and your business from operating. Disaster recovery planning





