The central hub for security settings on your HR system
The myhrtoolkit Security Centre allows controllers oversight of password and network management. It is accessed via the Settings menu at the top of the screen.
The function is divided into two sections, a Dashboard and an Audit page.
The Overall security score is a measure of the security of your HR software system. It is based on options relating to your password preferences (as set in the Password builder), the strength of users’ passwords, and other measures listed. It is expressed as a percentage.
Note that not all options are appropriate for all organisations. For instance, the Security Score allows 20 points for restricting IP Addresses; however, if your organisation does not require the use of the IP restrictions, the overall score will never pass above 80. This should not necessarily be understood as a lack of security.
The Manage live users module gives an overview of the users in the system, including a measure of their password strength, and options regarding the security of their account.
Note – this does not include ‘Non System Access’ users, as they do not have active passwords. ‘Non System Access’ users can be found in the more general function Management > Bulk data > People > Manage users.
The following options are available via the Action button:
The Password strength module gives a clear overview of the strengths of users’ passwords, and how many fall below a standard of a ‘good.’ There is an option to force all users with weak passwords to change their password. This will enforce any new password strength options that have been set.
The Password builder module sets a minimum standard for user passwords. When alterations are made, a 'Save' button will appear. When pressed, the Overall security score will update itself to reflect the new settings.
Making changes here will not affect current passwords, only passwords for new users or passwords when amended.
Further reading can be found in the myhrtoolkit support article about password strength.
Different methods of storing passwords (and their implications) can be found in this Guardian article concerning password security.
This module allows an additional level of security to be applied. An overview of this functionality is available in the myhrtoolkit Enhanced Security support page.
Sometimes it can be useful for an organisation to limit access to specific IP addresses e.g. the office. The myhrtoolkit system fully supports this.
The Security audit log module lists security changes that have happened over a six month window in a myhrtoolkit system. It tracks the following changes:
Note – with changes to passwords and security questions, only the event happened is recorded, not the actual password or security answer.
When your system senses that an account is being targeted in a brute force password attack, the login function will be throttled, cutting down how often a login request will be processed for that account.
The Secure login throttle log shows when this has happened, and can highlight to a Controller that they have either been subject to an attack, or that the user is struggling to remember their password and may need help.
In the event of a throttle being put in place, an email is sent to the system email of the account targeted and the Controller is notified.
The Audit page of the Security Centre contains two sections, the Security Audit log and Secure login throttle log.
The Security Audit log hosts all the types of security events tracked by myhrtoolkit in a filterable grid.
The types of security events are:
In addition to the Audit log, as noted in the Dashboard section, when a brute force attack is detected on a user account, the system will attach a throttle to the account. All detection events are recorded in the Secure login throttle log.
(This image is from a myhrtoolkit HR system which has had the good fortune not to have had any throttling events!)