Security Procedures to Safeguard Automated Data

Soler and Peters (1993) suggest the following levels of security to safeguard automated data systems:

• "Security of the physical environment. Data tapes and disks should remain in locked rooms when not in use. Access to these materials should be strictly controlled, with chain-of-custody controls on the people who move tapes and disks. Agencies should maintain logs for recording the location of all disks and tapes at all times. Access to computers tapped into the data should be strictly limited.

• Security of online data. Once the information is stored in the computer system, agencies should limit access to it. This usually involves a series of passwords. Each password allows the user to get deeper into the system, depending on his or her authorization to have that level of information. Security is maintained if each user knows only the passwords that allow access to the information that the user has a legitimate need for. Some information may be so sensitive that agencies will prefer not to enter it into any computer database subject to access from outside agencies.

• Use of identifiers to mask personal identities. Agencies should identify individuals whose information is in the system by codes, not by personal names. One of several identifiers could be used, including agency-assigned identifying numbers. Some systems have specialized methods for developing identifiers, such as using certain letters from the client's last name. In theory, only one person knows the true identity of the person, the person who enters the information initially into the computer and assigns an identifier. This technical breach of confidentiality is usually considered minor and inconsequential." (p. 18)

In their report titled Standards for Data Exchange and Case Management Information Systems, Constantine, Aronson, and Wilber (1994) propose the following system security standards that are related to confidentiality: password protection; multiple levels of security with "capability of restricting what data may be accessed, which reports can be run, and which system functions can be accessed by that individual user" (p. 94); online security controls; and automated screen blanking/lockout. For further details on this report, refer to standards for data exchange and case management information systems.