Lawson - Human Resources Customer Community [READ ONLY]
Encrypted employee data
plancor
Our auditors recommend that identifying employee data (i.e., social security number) be encrypted in the database. This doesn't appear to be the case with the Lawson database. Has anyone dealt with this audit issue? If so, could you share your solution?
Comments
slivak
As long as access to your database is secured by a username/password and you have appropriate policies in place (hardened/updated firewall, enforce quality passwords, no password-sharing, etc.) then this shouldn't be an issue.
It's also a good idea to remove SSN from all printed reports or at least mask all but the last 4 digits.
You may even go as far as identifying Lawson user roles that absolutely do not need to see SSN and setting up data security to asterisk-fill them on screens and reports.
plancor
The auditor noted that without data encryption, a backup could be used to view all data in any table.
asztudenyak
Yikes. I have never worked anywhere that had such a requirement. Certainly mask numbers on reports, but not encrypt the database data. I can't imagine the impact on processing, when you have to unencrypt those values all day long.
unknown
The purpose of the audit is to identify risks. As long as you can speak to the "deficiencies" you should be OK. Depending on how you perform the backup - Lawson tools vs. RDBMS tools - those backups/files could be encrypted. If the location where the backups are stored is protected with existing policies and procedures, the encryption may not be required.
slivak
"The auditor noted that without data encryption, a backup could be used to view all data in any table."
My answer to that: "Really?! Show me."
plancor
After some discussion with an S3 Technology support rep, we now understand that Lawson supports SQL Server "Encryption of Data at Rest". This means that the encryption occurs via the database - not via Lawson. Has anyone set up their environment using this?
unknown
I'm getting the same request from our auditor. Did you implement the above in your environment?
plancor
We have not yet implemented "Encryption at Rest", but will need to before our next audit. We would also be interested in any words of wisdom others could offer who have actually implemented this feature.