Tag Archives: timesheet security

Security resources for TimeControl are plentiful

Here at TimeControl Headquarters, we think about security all the time.  Security for modern day applications is a multi-faceted conversation.  We have to think about keeping TimeControl safe of course and that effort goes all the way into the architecture as we think about database access, application protection and more.  With TimeControl Online we have to consider the environment as well including the servers, malware protection, monitoring and more.

Aside from keeping the application and its underlying infrastructure safe, we also have to think about security from an application standpoint.  TimeControl’s internal security covers everything from authentication and single sign-on to data access, menu control and field-level controls on every aspect of the product.

We test TimeControl against the OWASP security standards, looking for vulnerabilities and eliminating them before TimeControl users would ever encounter them.

Aside from our own testing, we have a third party conduct a security audit to ensure we are SOC II certified.

Because TimeControl is available both for an on-premise deployment and as TimeControl Online, our Software as a Service subscription in the Cloud, there are different resources for thinking about TimeControl security.  Take a look at the TimeControl On-Premise Security Architecture or the TimeControl Online Security Architecture white papers for an in-depth look at security, or stop by the TimeControl Security page for more information.

What button do I push?


Like most modern technology companies, HMS spends a great deal of time working on search engine optimization and keyword analysis.  Last week, one aspect of a report from our marketing team said that a keyword phrase that ended up bringing a visitor to our website was “I’m in my timesheet and I don’t know what button to push.”  Now that’s a pretty specific problem from someone who wasn’t a TimeControl user, but it highlights one of TimeControl’s great strengths.

From the very first timesheet that HMS created back in 1984 for one of our earliest clients, we knew that we had a design dilemma on our hands.  On one side, management had a long list of highly complex features for the timesheet, including complex approvals, management of many tables, reporting, integration with other systems and system management.  On the other side, we had the vast majority of users, more than 95% of them, who would be looking at the timesheet for about 5 minutes per week.  So, on the one hand, complex features were needed; on the other hand, absolute simplicity was needed.

That’s where User Profiles came from.  User Profiles is what lets TimeControl present one set of data and functionality and rules to one set of users and a very different set of data, functionality and rules to another.  Using User Profiles, Administrators can configure TimeControl to show only those menu items, data selections and options that particular users require.  So, a regular timesheet user who looks at TimeControl for 2 minutes a day or 5 minutes a week and has no commitment at all to mastering the flexibility or nuances of TimeControl will only see one or two tabs and three or four functions.  Even the default pages of how TimeControl starts can be defined so a user might even start their timesheet in the timesheet view rather than the default dashboard.

This functionality has been so successful that there has never been a training manual for end users.  Oh, there is a user manual of course and there are some 5 minute Online Training videos for people to look at but these are rarely an issue.  That’s because for end users there are very few buttons to consider and the presentation of data in the format it’s expected makes the use of the timesheet intuitive.

There can be an unlimited number of profiles because TimeControl is designed to serve many purposes at the same time.  A super-user type of Administrator with access to all data and all functions is a must, but there may be other specific types of Administrators, or perhaps something specific for Supervisors, Project Managers, Crew Entry personnel with TimeControl Industrial, Payroll managers and so on.

TimeControl ships with four template User Profiles to start with, but they are always reviewed during deployment and it would be quite unusual to find two organizations with profiles that are exactly the same.

Even though User Profiles has been one of the most successful aspects of TimeControl since its first version, and even though some aspects of User Profiles have carried forward since version 1, we continue to make enhancements as TimeControl gains features that we wish to secure or make available only to certain user roles.

User Profiles will continue to play a prominent role in configuring TimeControl deployments to match the specific business challenges that clients are working to solve.


TimeControl on-premise security architecture white paper rewrite

With the launch of TimeControl 7, we are gradually working through updating the vast array of TimeControl resources that are available online.  This week saw a rewrite of the TimeControl On-Premise Security Architecture white paper, which is now available on the TimeControl.com website.  Rewriting such material gets everyone thinking about the subject matter, so security turned out to be one of our most popular internal conversations this week.

To be fair, security has been a topic of conversation for the TimeControl developers since long before the first version of TimeControl was released.  The first ever timesheet that HMS created was 10 years before TimeControl.  Our client, Philips Information Systems in Canada, needed a timesheet that would integrate with both the Payroll system and the Project Scheduling system.  Security was a huge element of the design, as the Payroll data was, of course, very sensitive, and the costing information in the project system would have been terribly damaging to the company if it fell into the hands of competitors.

That original HMS timesheet was very secure for its time, and there are elements of that design that live on in TimeControl still.  But times have changed, and the threat of data and systems compromise has become more sophisticated every year since that first timesheet system.

While the TimeControl On-Premise Security Architecture reveals many of the elements of the TimeControl design that lend themselves to a safe and secure system, it is primarily a document that lets prospective clients review TimeControl against their own security standards.  Yes, we use many of the latest technology designs in TimeControl and we test against the OWASP standards (owasp.org), looking for potential threats and ensuring we protect against them, but there are safeguards you can implement that go beyond the security architecture we designed for TimeControl.  Here are a few basic tips you can think about regardless of your size:

  1. Have a security plan for your key systems and data and choose someone to be accountable for it.
  2. Authentication is key.  How do people authenticate to your network, to your applications and even to your building?
  3. Outward facing or inward?  Does TimeControl need to be accessible to the Internet or will it serve your purposes just as well being available only within the corporate firewall?  Inward implementations aren’t as easily accessible and that can mean they’re safer.
  4. Don’t forget physical security.  If someone can get physical access to the servers, they can get access to your systems.
  5. Monitor.  Make sure you take advantage of the many technologies available to monitor unauthorized access or out of pattern use of your applications, your data and your network.
  6. Functional and data restrictions.  In TimeControl, User Profiles determine which users can see which data and which users can perform which functions.  Think about who needs access, and don’t be scared to start with less access and later ease up on your restrictions.
  7. Disaster recovery.  Make a plan for your data and systems being compromised and how you’ll recover from it.  Then run an actual practice exercise to make sure your plan works.  Iterative and redundant backups, and a plan for restoring them, are something that makes security officers sleep better.

This is not a comprehensive list, of course.  There are many aspects to a complete security plan that are better explained by specialists in that field.  We’ve been talking about TimeControl for an On-Premise implementation.  Next month, as we upgrade TimeControl Online to version 7, we’ll be updating our Security Architecture white paper for TC Online, and we’ll be sure to talk about that here in the blog.

You can find the TimeControl 7 On-Premise Security White paper at: TimeControl.com/resources/whitepapers