work
CONTROLLING WHO IS ACCESSING YOUR DATA
14
With various information security standards to adhere to , Mercy Health and Aged Care Central Queensland Limited ( MHAC ) needed transparency into who was accessing its data , and what they were doing with it . In addition , with nearly 400 workstations and a user base of 600 , MHAC also needed an easier , holistic approach to control access .
Marcia Healy , Information Systems Officer for MHAC , explains , “ As part of compliance with various legislatures , we needed a mechanism to provide visibility into who was accessing our data . We were also conscious that our IT team were receiving , and provisioning , access requests which , although technically capable , they did not have adequate data context , value or other relevant insight on which to base these decisions .”
© stock . xchng / ArminH
MHAC also knew it needed to improve visibility , and control , of users ’ access rights . Marcia explains , “ We knew that certain groups had various access rights , through NFTS permissions . However , this was exceptionally complicated as we did not have a holistic view . We needed transparency to be able to monitor who was accessing information and identify what they were doing to it .” Due to the nature of the organisation , MHAC ’ s workforce includes a large percentage of shift workers , further complicating users ’ access permissions .
MHAC has met these challenges using Varonis DatAdvantage and DataPrivilege . This solution allows MHAC to identify who is accessing its information and what they are doing with it . With a complete audit trail , MHAC can prove policies are in place , and being adhered to , to satisfy compliance with various national and international information security standards .
Starting with one of its aged care facilities , MHAC used Varonis to maintain the management of data ownership . From this point it nominated , with the help of the system , data owners who were then trained in managing their own data privileges .
Marcia explains , “ The solution automatically identifies who the likely data owners are and they are then empowered to assign the permissions for their information . Anyone who needs access to files can raise a request , which is directed to the relevant data owner automatically who provisions the request . It also allows us to remove access rights from groups , without having to go through them one by one , when someone terminates their employment , which previously was a huge job .”
MHAC has already started to classify data , and identify data owners , in other parts of its business . In the coming months , it will meet with all its clinical quality and risk staff to introduce them to the system and train them in its use , before fully rolling out across the organisation .
Marcia clarifies , “ From our first integration we discovered that its user-friendly interface means it ’ s very easy for people to use and training isn ’ t too arduous . The fact that it ’ s also supported by automated workflows , in email , is a real benefit as it ’ s simplistic and users are familiar with the interface .”
Speaking specifically about the improvements MHAC has been able make , Marcia concludes , “ An immediate benefit is , by removing the onus of this responsibility from IT , the process of provisioning users becomes far more efficient as people are now dealing direct with managers who can action the request immediately . It also strengthens security to sensitive data as the appropriate person is making the decision of who does and doesn ’ t have access . This is great both morally and administratively . Although we haven ’ t made a full cost analysis , we predict ROI within three to six months , which is just phenomenal .”
This issue is sponsored by — Kyocera Document Solutions — www . KyoceraDocumentSolutions . com . au