6 Replies Latest reply on Aug 16, 2012 6:24 AM by mpallia

    Confidential Data - Looking for a use case...

    MaggieJ

      Does anyone have an example where they have created an internal group that involved the sharing of very confidential data?

      If so, how did you manage the concerns of Admins having access and/or anyone gaining access without being granted?

       

      Thanks

        • Re: Confidential Data - Looking for a use case...
          Andrew Kratz

          Maggie,

           

          In this respect, your jive platform is not unlike email or really any other technology.  Users may not realize it but there are administrators to every system that do have complete access in order to support the system.  Most companies (certainly larger ones) have good guidelines that administrators can't "go fishing" for information.  Even areas such as legal and HR have to have compelling reasons to request technology to pull information to review as they may be violating an employees rights.  One safe-guard you can check on with your jive platform (or request to have implemented) is that Jive Administrators have separate ids from their normal user id.  They would only leverage their elevated ids as required by their job such as to troubleshoot an issue.

           

          email is a great example as there certainly are highly confidential pieces of information flowing through the inboxes of the c-suite.  Admins could look at this but don't becuase they are professionals and the company has guidelines around how they leverage their id's.  So it has worked for years with email, it can work the same way with a collaboration tool.

           

          hope that analagy helps.

           

          - Andrew

           

          P.S. I was not following your comment regarding someone gaining access without being granted?  How could that happen?

          1 person found this helpful
            • Re: Confidential Data - Looking for a use case...
              bchamberlain

              Andrew's comment aligns with what I have seen as well.

               

              • Setup a Secret group -- the only people who see that group will be the people invited to it. That addresses the "who has access question".
              • In terms of Admins, Andrew summed it up and that's what I've seen at our clients as well. I'd also recommend that Admins have a separate ID for "admin work" and a normal ID for their normal user activity.
              • There will always be IT admins that have access to confidential data whether it is in Jive, an HR platform, or other systems. (e.g. compensation data, benefits, merger information, etc.)
              1 person found this helpful
                • Re: Confidential Data - Looking for a use case...
                  mrowbory

                  Jive allows you to set admins to a 'Manage system' level this means they cannot see content for which they don't have access.  Also with social groups, remove the 'Manage social group' permission and they won't be able to see the content unless invited.

                   

                  It's possible for an admin on this level to give themselves 'Full Access' but this is recorded in the audit log. As long as your admin users each have their own admin login, you can track this.

                   

                  As other people have mentioned, there are always IT admins that have access in some way or other to important systems. This set-up does allow you to stop them casually coming across confidential data unless they deliberately intend to.

                   

                  Manage System:

                  Similar to Full Access, the Manage System permission grants control over all technical aspects of the admin console. However, it does not automatically grant access to all space content. If your system has content in spaces that should be kept confidential, grant this permission to technical administrators instead of Full Access.

                  • Re: Confidential Data - Looking for a use case...
                    mpallia

                    I agree that these are all good practices as we do the same thing here at EHI.  Also, you may want to better define what confidential is as we continually tell people PCI or PII info DOES NOT belong on our intranet as these are deemed "Highly confidential" in our organziation and thusly need additional security precautions.

                • Re: Confidential Data - Looking for a use case...
                  alex.mcknight

                  Andrew Kratz make a good point. Separate the ID's. We have 'mortal' logins smitha and then 'system admin' smitha_admin logins which has the elevated privileges but doesn't have email mailboxes and other 'normal user' stuff so "mr smith" has to use his mortal account for day to day work.

                   

                  We would also limit the amount of secret data that is in our system, unclassified and confidential is fine, but secret we are very careful where it goes (i.e. not emailed and always encrypted) so usually it lives in records management and no-where else. Its the usual story of security vs accessibility, in our case, if its 'Secret' then security wins, hands down, with the acknowledgement that its use will be impaired.

                  1 person found this helpful
                  • Re: Confidential Data - Looking for a use case...
                    MaggieJ

                    Thanks to all of you for your replies.  I need to do some digging to find out how this particular company has set up their admin guidelines/roles.  Love that you can do "Manage System".

                    Appreciate your valuable insights