It is our goal that after reading this document, an OASIS administrator will have a number of recommendations to help keep the OASIS application more secure and limit access to users as needed.
Ingen Software recommends that there be a minimum of two "superusers" or full OASIS administrators at your company. This way, only certain people have full access to the software for configuration changes, global setting changes, user configuration, and software version changes. If one OASIS administrator is out of the office or on vacation, there would still be another full admin who could make configuration changes if needed.
There generally should not be a scenario where all users are full administrative users.
The demo account is meant to provide a full administrative user account that can create the initial user accounts and workgroups for your company. Once full admin accounts have been created, this account should be inactivated. (This prevents a scenario where there is a full admin account with no password.) All users should have their own user account. Users should not share accounts.
- Note: Disable / Inactivate the demo account after initial setup. Do not delete the demo account.
- It can be reactivated if needed in the future.
- User accounts should be created for all unique users.
- They should never be reused or renamed if an employee leaves the company and a new employee replaces them. This ensures that historical records for all users are preserved.
Passwords are a standard security measure that should always be utilized.
- Each user account should have a secure password. While OASIS does allow user accounts with no password, you should always set one.
- Passwords should be changed regularly.
- Old passwords should not be reused.
- Passwords should not be shared. The purpose of having a user account for each user is to know who created, edited, or deleted what item at what time. Sharing passwords defeats this purpose.
User Access and Security Rights
Limiting access is an important way to protect and secure information within the database. Failure to properly grant or limit access could result in users accessing information outside of their department, such as quoters or intern employees being able to access commission payment information.
- Only OASIS Admins should have full security access rights.
- Users should be granted access rights based on department or job description. Use this document as a guide for assigning security rights.
Being able to access OASIS remotely is important for customers with multiple offices, or when employees need to work from home in the event of inclement weather.
- Do not allow direct access to the database port for external access.
- Use a VPN or terminal server.
Up to Date Servers and Software
Current operating systems are constantly being updated with security patches and features. This is increasingly important as security flaws are discovered and patched on a daily basis. However, operating systems have lifespans. Once the vendor stops supporting the operating system, it will receive no more security updates.
- Make sure you are using a supported operating system.
- Make sure all available patches and updates are applied in a timely manner.
- Make sure you are using the latest OASIS server updates.
Communication between our businesses is very important. Important notifications, such as yearly maintenance and support invoices, could be missed if outdated contact information is on file.
- Keep us and any of your IT providers updated with the proper contacts.
- It is also important to note who has the authority to make business decisions.