Excel 2007 Security Best Practices

Vicki

New Member
Hello all! This is my first question at Chandoo, and I want to begin by saying thank you for the opportunity, and also thank you for all of the amazing things you do here. I've subscribed for over a year now, and - everyone here! - has taught me so many things, for which I'm eternally grateful.


I am a data analyst in the medical field. I spend 100% of my day playing with Excel and Access, and I love it! But, I've been wondering if anyone knows of any good guidelines when it comes to Excel Security Best Practices.


Because of the nature of the department I work in, I am required to create and distribute reports in Excel 2007 that contain HIPAA privileged data. We are very cautious about disseminating this data, sending only what absolutely needs to be delivered in order for the receiver to be able to perform his/her job. But, I am wondering if there is more that I could be doing to protect this data? So far, the security I employ is:


- Distributing the minimum amount of data, to only the person concerned (macros that email directly to a single recipient)

- Encrypting the files with a password (created by the person running the routine)

- Passwords are delivered separately from the data

- Data is never saved on the local machine - only on the server


Is there anything else that I could be doing? Keeping in mind that I am not the head of IT - I don't make the decisions regarding methods, equipment, software, etc.


Is there an existing resource for these kinds of questions? I have googled this question many times in many ways, yet have not found an answer. Does that mean there isn't one?


Thank you for your attention to my questions!
 

Luke M

Excel Ninja
Hi Vicki, thanks for dropping by!


First, an article I'd recommend is here:

http://spreadsheetpage.com/index.php/tip/spreadsheet_protection_faq1/


Summary is, if the data is within the workbook, there's no way to get 100% protection against the data being found by someone who has enough time/effort. Not to brag, but I could get past any worksheet and/or VBA passwords in a workbook in less than 2 minutes, and could get past a workbook open password within 10.


Now that we got that out there, why do we use security? Well, we should be using it to either protect structure from "accidents" or to prevent the normal user from seeing something they shouldn't. For the sensitivity of the data you have and the fact that they are regulated by laws, I think you need a stronger method.


So how do we protect the data? Separate it. Now, as you have permission/authority to see all the data, there's not an issue there, but for the data that you are sending out to other people, best practice would be to copy the data from the master workbook and put it in a new, separate workbook. That way there is no way for the recipient to gain access to info they shouldn't.


An analogy:

The practices you mentioned that are already in place are still good to have, and I would keep them. It's the equivalent of having all the records stored in a locked room w/ only a few people having access. If you're sending the file out to people who should only have limited access, that's the equivalent of letting someone into the room and telling them to only look at 1 drawer. They might (and should) do what you said, but there is the chance that they won't. The better method in this analogy would be if you went to the locked room, pulled out the specific file, and gave that to the person.

Hope that gives some insight! Feel free to post back with further questions and ideas.
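As an added example (not part of the original posts): one way to check, before encrypting and emailing, that a per-recipient extract really contains only what was meant to be copied. It goes beyond the post by also flagging hidden sheets, pivot caches and external-link parts inside the .xlsx package. The names `audit_extract` and `build_sample` and the sample sheet names are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def audit_extract(xlsx_bytes, allowed_sheets):
    """Return findings for an unencrypted .xlsx extract (hypothetical helper).
    Run it before password-encrypting: an encrypted workbook is no longer a zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        names = pkg.namelist()
        root = ET.fromstring(pkg.read("xl/workbook.xml"))
    for sheet in root.findall("m:sheets/m:sheet", NS):
        name = sheet.get("name")
        state = sheet.get("state", "visible")  # visible, hidden or veryHidden
        if state != "visible":
            findings.append(f"{state} sheet: {name}")
        if name not in allowed_sheets:
            findings.append(f"unexpected sheet: {name}")
    for part in names:
        # A pivot cache keeps its own copy of the pivot table's source records.
        if part.startswith("xl/pivotCache/"):
            findings.append(f"pivot cache part: {part}")
        elif part.startswith("xl/externalLinks/"):
            findings.append(f"external link part: {part}")
    return findings

def build_sample(sheets, extra_parts=()):
    """Constructed sample: a minimal package holding only the parts audited here."""
    items = "".join(
        f'<sheet name="{n}" sheetId="{i}"' + (f' state="{s}"' if s else "") + "/>"
        for i, (n, s) in enumerate(sheets, 1))
    wb = f'<workbook xmlns="{NS["m"]}"><sheets>{items}</sheets></workbook>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", wb)
        for part in extra_parts:
            z.writestr(part, "<x/>")
    return buf.getvalue()

# Constructed inputs: a clean extract, and one that carried extra data along.
CLEAN = build_sample([("Report", None)])
LEAKY = build_sample([("Report", None), ("MasterData", "veryHidden")],
                     ["xl/pivotCache/pivotCacheRecords1.xml"])

if __name__ == "__main__":
    print(audit_extract(CLEAN, {"Report"}))
    print(audit_extract(LEAKY, {"Report"}))
```

An empty list means none of the checked leftovers were found; it does not prove the visible cells themselves hold only the intended records.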
 

bobhc

Excel Ninja
Good day Vicki


Security in Excel is about as strong as a French weight lifting team: it does not exist, and whatever security you put in can be removed. In some cases just copying a worksheet and pasting into a new workbook will do it!! ...but you seem to be taking some good steps in what you do; a lot depends on the people who receive the data and their honesty. There is a whole mountain of software on the web to remove any and all security settings in Excel.

I do something very similar to what you are doing; the only extra is that recipients are well aware that if they open a new workbook while viewing data they are removed from the list, and if that impinges on their work career, tough. This warning is by email along with the workbook, so all concerned are always aware.


Sorry for repeating your advice Luke M, you must have nimble fingers:)
 

Vicki

New Member
Hi Luke, bobhc,


Thanks for your replies - I appreciate them! (And chuckled at yours, bobhc!)


It appears I am doing all that I have the control to do - which removes this much of my worries - thank you so much!


I may not have been completely clear - I am doing just as you say, Luke, and slicing out only the records that are appropriate and sending them in separate workbooks. My process actually creates over 200 temp files, emails them, and then destroys the temp files.


So, in your analogy, I am storing my data in a vault (network server), pulling only one group's data, putting it in a locked room, and giving the user the key to the locked room to review it. However, at this point in time, I have no way to 'frisk' them to be sure they don't take anything with them!
 

SirJB7

Excel Rōnin
Hi, Vicki!


Sorry for arriving at dessert time, but I think that even if you're doing all that you're able to do, the main risk (apart from a perfect French example coming from an Englishman) lies in who the user is that you give the key for the locked room to.


And it doesn't matter here whether he could make a copy (either at a specialized store or with an ordinary soap); what matters is which skills and intentions he might have. Despite your care in building a cellular schema for spreading data, if the guy with access to the key of the locked room wants to go beyond what he's authorized to do, and if he gained access - even if read only - to your workbook... well, I'd suggest you take a look at the following links to know your potential exposure. Don't be afraid, it's just Excel, and it's designed to keep Frenchmen from winning even bronze at weight lifting events.


http://chandoo.org/forums/topic/user-form-via-qat#post-28628

http://chandoo.org/forums/topic/user-form-via-qat#post-28748

http://chandoo.org/forums/topic/cell-protection-in-excel#post-22763

http://chandoo.org/forums/topic/cell-protection-in-excel#post-22788

... and the list might continue...


Regards!
 