Securing data when data is everywhere

10.04.2006
When it comes down to it, a security manager's job is about protecting information assets. But no matter what kind of business you're in, if you can't find all the data, you can't protect it.

Users put data where they need it, and they don't think about who has to know what they're up to in order to protect the data. The problem for security staffs is identifying where all the data is and making sure the proper controls are in place to protect the information.

We recently discovered that agency personnel often create Microsoft Access databases to help them manipulate data and create reports. The users who originate such databases, or the heads of their departments, may be deemed the owners of the data, but IT remains its custodian. Unfortunately, many data owners don't understand the concept of security controls, or even the need for them. It becomes the responsibility of IT security to implement the necessary controls.

Ideally, IT security would understand how people work, what they need and what they are trying to accomplish. Then we could get in front of any effort to manipulate data to make sure that something like an Access database has the proper security controls in place. That's not usually how things go. Generally, data is saved in various formats and then e-mailed, transferred, shared and printed. Afterward, the original data has morphed and has numerous owners and locations.

The realization that users were putting data that could be considered sensitive in Access databases meant I had some homework to do. I have very little understanding of how to secure an Access database, but whenever data that is considered electronic protected health information under the federal Health Insurance Portability and Accountability Act is involved, I have to make sure it is well protected.

I asked the IT person who provides Access database support how such files are secured. At first I got a blank stare, but then he responded, "We rely on file system permissions, basically." That made sense. Access output is treated like output from any other Microsoft Office program, such as Word or Excel. But I needed to know more.
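If file system permissions are the control, the first step is to find the Access files and read their ACLs. The following is an added example, not part of the original column: it inventories Access database files under a share and reports ACL entries that grant access to broad built-in groups. The share path, the extension list and the set of groups treated as too broad are assumptions.

```powershell
# Added example: inventory Access databases and flag broad ACL grants.
# The default $Root is a hypothetical share path; replace it with your own.
param(
    [string]$Root = '\\fileserver\departments'
)

# Assumed extension list: .mdb/.mde (Jet) plus .accdb/.accde (Access 2007 and later)
$extensions = '*.mdb', '*.mde', '*.accdb', '*.accde'

# Well-known SIDs of groups assumed to be too broad for sensitive data
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-AccessDbAclReport {
    param([string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include $extensions -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
            } catch {
                # An unreadable ACL is itself a finding: record it and move on
                [pscustomobject]@{
                    Path = $file.FullName; Owner = $null; Principal = 'ACL unreadable'
                    Rights = $null; Inherited = $null; LastWrite = $file.LastWriteTime
                }
                return
            }
            # Translate identities to SIDs so matching does not depend on localized names
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                $sid = $rule.IdentityReference.Value
                if ($rule.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
                    [pscustomobject]@{
                        Path = $file.FullName; Owner = $acl.Owner; Principal = $broadSids[$sid]
                        Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
                        LastWrite = $file.LastWriteTime
                    }
                }
            }
        }
}

Get-AccessDbAclReport -Path $Root | Sort-Object Path | Format-Table -AutoSize
```

Rows with `Inherited` set to `True` point at a parent folder whose permissions need fixing, not the file itself.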