7 Database Management Best Practices Every Campus Should Implement
Basic database management steps such as standardization, maintenance and integration can help you avoid huge headaches down the road.
Poor database management can cause significant damage to an organization. For example, in 2014, Ricky Joe Mitchell, a former network engineer at Charleston, W.V.-based oil and gas firm EnerVest, was sentenced to four years in prison for sabotaging the company’s computer systems. Shortly after learning that he was going to be fired from the company in June 2012, federal authorities say Mitchell admitted that he accessed EnerVest’s computer system and reset their network servers to factory settings. Before the company could revoke his physical access, Mitchell also entered one of the company’s offices after business hours and disconnected pieces of network equipment and their associated cooling system. Mitchell’s actions resulted in EnerVest not being able to fully communicate or conduct business operations for nearly a month, as well as hundreds of thousands of dollars in recovery costs.
In 2008, Lonnie Denison, a former contract computer technician at the California Independent System Operator (Cal-ISO), the agency responsible for controlling most of the state’s electric grid, was sentenced to six months of house arrest for entering a control room at their power grid operations center and hitting a button that initiated a computer shutdown. Although they lost communications, power flows were not interrupted. The incident was particularly egregious considering the agency had been warned by Denison’s employer just days earlier that his access privileges should have been revoked. Denison was able to gain access to the facility via a card reader and handprint scanner.
These are only two of many examples of disgruntled workers who were able to cause significant business disruption to the organizations that once employed them, and they specifically highlight the crucial role that database management plays in access control. In a day and age where people are constantly looking for the latest gadgets and systems to secure their facilities, the reality is that without good old-fashioned policies and procedures, the benefits provided by even the most technologically advanced solutions are for naught.
However, there are a number of relatively simple steps that can be leveraged to mitigate the threats posed by not only malicious insiders, but also others who would seek to inflict physical or financial harm on an organization, its employees or stakeholders. Here are seven database management best practices that security leaders in all vertical markets should implement for access control continuity:
- Regularly Update and/or Purge Employee/Student Rolls: As evidenced by the aforementioned examples, failing to immediately update your active directory per changes in a worker’s employment can have dire consequences. While it may seem like a fundamental task that every organization should perform with regularity and as needed based on the status of individuals with access to sensitive locations, the fact is that unless an access control system is tightly integrated with another database within a company or institution (see more on this below), this most basic of steps can and does fall through the cracks. It’s not uncommon within some companies to have duplications of the same record, misspellings of names, as well as changes or revocations of access privileges.
- Streamline Database Synchronization: An access control management platform should not be a standalone system within a healthcare facility, educational institution, business or government agency. Rather, there should be tight synchronization between it and another feeder database, such as a registrar’s office in the case of a college or human resources (HR) department within a corporate entity. The security department does not “own” the records of employees or students but is simply managing them within the access control system. As such, security should not be creating separate data files on these persons but merely enabling them with access to places on a campus or within an office as designated by the access level they enjoy per the organization’s policy. Once you start manually entering or removing information from these systems haphazardly and bypassing the business logic, they can become unwieldy and a nightmare to manage.
- Integrate Workflow Management: Whenever someone, such as a student, employee or contractor, is added to your rolls, there should be default permissions that are granted to these individuals based on certain criteria entered into mandatory fields within your database. This helps prevent mistakes from being made about a person’s access privileges and ensures that they only have access to the locations where they are allowed during designated times. For example, it may be necessary for chemistry students to have access to lab facilities on a university campus during certain hours, while the same is probably not true for those pursuing a communications degree.
- Standardize Exception Reporting: There are times when people will undoubtedly need to be granted access to areas of a facility or campus that fall outside their normal purview. It is critical that these exceptions be closely monitored and quickly changed when that access need is over. In a school, for instance, perhaps this should be audited with each passing semester or, in the case of an enterprise, on a weekly or monthly basis. Company stakeholders, such as those who run a specific business unit or department, need to know who has access to potentially sensitive areas and have the ability to revoke that access permission on an ad hoc basis without revoking default privileges.
- Perform Routine Maintenance and Upgrades: Once you have tight synchronization between your feeder databases and your access control system, it is paramount that you keep them up to date on the various software updates and patches issued for the applications and operating system you use. It makes little sense to make the financial investment and devote the manpower resources necessary to integrate these systems and then allow them to become antiquated or, worse yet, easily vulnerable to hackers because your IT department or integrator failed to apply the proper patch.
- Establish Clear Naming Conventions and Mandatory Fields: This is perhaps one of the greatest mistakes organizations of all sizes make in managing their databases. By not having clearly established policies in place on naming conventions and mandatory fields, you’re leaving this crucial aspect of database management at the whim of personnel to enter the way they see fit. Unless you have a strict and enforceable policy that requires identity and other information on someone to flow directly from HR or another source within the organization, you’re setting yourself up for failure. If you enter this information manually from person-to-person based on varying access needs, you will end up with a very inconsistent and unpredictable system.
- Implement Automated Reporting Procedures: Similar to logging exceptions made within a database for a user, organizations should also consider leveraging some kind of automated reporting system that alerts management to certain red flag behaviors. A data center manager within an organization, for example, may want to have a report delivered to his email inbox every Monday morning to see everyone who entered the space after hours as well as everyone who attempted to access the facility but was rejected. These types of automated reports can alert organizations to potentially suspicious activities by employees and help them more easily stay ahead of threats.
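As an added example (not part of the original article), here is one way to automate the reconciliation behind the roll-purging, synchronization and exception-reporting practices above: compare the feeder roster against the access control records and flag active credentials with no active holder, people holding more than one active credential, and exceptions past their end date. The SQLite schema, the table and column names and every record are constructed assumptions.

```python
import sqlite3
from datetime import date

# Hypothetical schema: table and column names are assumptions for this example.
SCHEMA = """
CREATE TABLE hr_roster (person_id TEXT PRIMARY KEY, full_name TEXT, status TEXT);
CREATE TABLE credentials (card_id TEXT PRIMARY KEY, person_id TEXT, active INTEGER);
CREATE TABLE access_exceptions (card_id TEXT, area TEXT, expires TEXT);
"""

def build_sample_db():
    """Return an in-memory database loaded with constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO hr_roster VALUES (?, ?, ?)", [
        ("E100", "Ana Ruiz", "active"),
        ("E101", "Ben Cho", "terminated"),
        ("E102", "Dee Park", "active")])
    conn.executemany("INSERT INTO credentials VALUES (?, ?, ?)", [
        ("C1", "E100", 1), ("C2", "E101", 1), ("C3", "E102", 1),
        ("C4", "E102", 1), ("C5", "E999", 1), ("C6", "E101", 0)])
    conn.executemany("INSERT INTO access_exceptions VALUES (?, ?, ?)", [
        ("C1", "server-room", "2024-01-31"), ("C3", "chem-lab", "2024-12-31")])
    return conn

def orphaned_credentials(conn):
    """Active cards whose holder is missing from, or not active in, the feeder."""
    rows = conn.execute("""
        SELECT c.card_id FROM credentials c
        LEFT JOIN hr_roster h ON h.person_id = c.person_id
        WHERE c.active = 1 AND (h.person_id IS NULL OR h.status <> 'active')
        ORDER BY c.card_id""")
    return [r[0] for r in rows]

def duplicate_holders(conn):
    """People who hold more than one active credential."""
    rows = conn.execute("""
        SELECT person_id FROM credentials WHERE active = 1
        GROUP BY person_id HAVING COUNT(*) > 1 ORDER BY person_id""")
    return [r[0] for r in rows]

def expired_exceptions(conn, today):
    """Exception grants still on file after their end date (ISO date strings)."""
    rows = conn.execute("""
        SELECT card_id, area FROM access_exceptions
        WHERE expires < ? ORDER BY card_id""", (today.isoformat(),))
    return [tuple(r) for r in rows]
```

Run on a schedule, the three lists give the security department a worklist of credentials to disable and exceptions to revoke, while the feeder database remains the source of record.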
Adopting these best practices doesn’t guarantee that someone won’t be able to circumvent the safeguards you put in place within your organization. However, by implementing these and other measures, you’ll give yourself a better opportunity to not only mitigate malicious acts but also achieve greater operational efficiencies.
Mitchell Kane is president of Vanderbilt Industries.