Access Restrictions, Essay Example

As technology continues to advance and people around the world are connecting more through the powers of the internet, more and more companies are inundated with gigabytes of information and data.  More presently, companies must work in securing assets that are invisible to the public, for example, data is almost as essential as securing physical possessions. Organizations have to continue to defend their valuable data by putting resources into an access administration policy that controls workers’ information access rights, whether they are working in the workplace or remotely. For the purpose of this paper, it will look into the banking industry, in which services millions of people, and billions of data every day. One of the biggest banking corporations in the United States is Bank of America, in which handles over 50 million customers, and is positioned as the number one personal, corporate, and mobile banking company in the United States. (Bank of America, 2014)

In the past few years, Bank of America, along with several other large companies have been hit with data breeches that includes third party hackers, accessing employee and executive data, as well as in 2011 with insider data breaches.  The first crime involved one employee that stole customer data and sold it to criminals which cost up to $10 million. (Adams, 2011). The second incidence another employee was charged with stealing over $200,000 from Bank of ATMs.  More importantly these recent and past incidents have forced Bank of America to re-look at they manage employees access to customer and company information. In several large colorations that deals with vast amounts of information such as in the banking industry, there is usually three levels of information access that includes, no-access, read-write access, and read-write access.  Using these three levels, it is normal that within these companies, that are several cases in which these levels are primarily in use every day.

No-Access: The low level Bank of America employees usually work in greeting customers when they come into local branches. In this case, these low-level employees have a no-access level, in which they are restricted to the normal company emails, and bank information. In the second case, an employee wants to look up other employee’s information, without consent. In this case, the employee was regulated to no-access level, because they place the company at risk.

The third case follows a bank employee that wanted to look up files that were marked Confidential in the system. The employee wanted access to financial reports that pertained to the branches delegation of finances. As the employee was only a teller, not only were their denied access, they were also given a warning on the implications of their level of access. In the fourth case, a bank employee wanted to access customer information in order to sell to the highest bidder. Working with other criminals, the employee wanted to sell customer social securities, and other confidential information in order to gain access to other accounts. When the employee went to access this type of personal customer data, they were denied, due to their no-access level restriction. This type of restriction is necessary because it prevents incidents in which user day is placed in jeopardy to be used illegally.(Cisco, n.d) In the fifth case, much like the forth case, the employee wanted to access customer’s information for their own personal gain. The employee was soon to be a fired employee, and wanted to access the manager’s information to use it against them. Instead, their access was denied because the bank placed restrictions on their employees’ access. This change is necessary because it prevents ex-employees from selling, or using information to sell to the next company.

Read-Access level: For this level, it provides staff and employees with the ability to only read documents. In these cases, the employees can access and read the documents for their job use. The first case where this is used in the company is when a customer comes in to look up their account information. The customer wants to know about their interest rates, and their mortgage agreement, while the employee has the ability to access the confidential files, they only have the ability to read the documents, and not make changes. This is important because the customer has a set an agreement, and it isn’t advisable for the employee to change it on the customer’s behalf. (Cisco, n.d)

The second case, the employee wants to access documents in which to better organize their system’s folders. The employee is deleting documents, she feels are not important, when she access a company document in which unbeknownst to her is read only, she goes to delete it but is denied due to her level of access. This proves to be essential in the fast paced industry, in which some employees could delete confidential information. Setting as read only prevents this mishap. In the third case, the employee is planning to leave for another company, and goes to delete and try to move confidential information in order to share with a competing bank. When he goes to access the files to move them, his access is restricted to read only. This is important because like in the no access restriction, the employee is prevented from giving confidential data away to other companies, which can place the company at risk. (Wiech, 2013) In the fourth scenario, a low level employee wants to change some files in which is saved in the system. These files cover the attendance, and other documenting information around the branch. The employee has been late a few times, and doesn’t want it to be known for the employee performance review. Thinking they can make changes to the document, they are denied, due to their level of access. In this case they can only read instead of making changes. The fifth case deals mostly with trying to make unauthorized changes to confidential data, from high level executives. While their access is mostly unrestricted, there are areas in which they are regulated to read only, in case there is unintentional or unauthorized changes.

The last level is read-write access, in which is used commonly in the banking industries. The first case deals with employees that work remotely with clients, they have the permission to look up documents and edit, because they have been granted access to do so. In the second case, the IT executive in the bank, has the permission to read-write pertinent documents as it pertains to the company website management, and the user information. In the third case, the branch manager must read and modify changes to necessary documents before sending them to headquarters, to look at the branches performances. In the fourth case the branch manager’s assistant has been granted access to read-write documents, as she has been entrusted by the boss to work in level of confidentiality. The fifth case, deals with the high level executives in Bank of America that have permission to access read-write documents in order to modify, change, or delete at their discretion as it pertains to the dealings of the company. These cases involve individuals that are not trusted to work with integrity, but also a level of authority in which they trusted with confidential information.

In the case of the remote worker or contractor, they would be granted the level of no-access. They hired on a contract basis, and while they should be entrusted to work with the company’s information in a confidential manner, they should not be allowed to access customer information, or other confidential data. When contractors have the ability to work in the cloud they can access to high level files, in this case the organization has to place restriction on contractor’s access, in order to not place at risk the company, the customers, or other employees’ personal data. The contractors act on the company’s behalf, however, they shouldn’t have access to files that can place the company at risk for data breach, hacking, or stolen identity of customers.  This places the company at risk for lawsuits, tarnishing of their reputation, and monetary consequences.

References

Adams, John. (2011). Bank of America Gets Hit Twice by Access Abusers. American Banker. Retrieved from http://www.americanbanker.com/bulletins/breach_data_insider_fraud-1038203-1.html

Bank of America. (2014). Bank of America. https://www.bankofamerica.com

Data Leakage Worldwide: Common Risks and Mistakes Employees Make. (n.d). Cisco. Retrieved from http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/data-loss-prevention/white_paper_c11-499060.html

Wiech, Dean. (2013). HR’s Role in Identity and Access Management. Innovation Insights. Retrieved from http://insights.wired.com/profiles/blogs/hr-s-role-in-identity-and-access-management#axzz37nqS39jj