The myhrtoolkit Security Centre allows controllers oversight of password and network management. It is accessed from either an orange Security Centre link at the top of the screen or via Setup & Admin > Security Centre.
Items in the Security Centre
- Overall Security Score
The 'Overall Security Score' is a measure of the security of your Toolkit. It is based on options relating to your Toolkit password preferences (as set in the Password Builder), the strength of users' passwords, and other measures listed.
It should be borne in mind that not all options are appropriate for all organisations. For instance, the Security Score allows 20 points for restricting IP Addresses; however, if your organisation does not require the use of the IP restrictions, the overall score will never pass above 80 and should not necessarily be understood as a lack of security.
- Manage Users
The 'Manage Users' module gives an overview of the users in the Toolkit, including measure of their password strength, and options regarding the security of their account.
The following options are available via the 'Action' button:
- Reset Password
- Reset Security Question (will only be visible if Enhanced Security is enabled)
- Password Strength
The 'Password Strength' module gives a clear overview of the strengths of users' passwords, and how many fall below a standard of "good". There is an option to force all users with weak passwords to change their password. This will enforce any new password strength options that have been set. Enforcing a password strength can only be done once per week.
- Password Builder
The 'Password Builder' module sets a minimum standard of users' passwords. When alterations are made, a 'Save' button will appear. When pressed, the 'Overall Security Score' will update itself to reflect the new settings.
Making changes here will not affect current passwords, only passwords for new users, or when current passwords are changed.
Note: An article about password strengths can be found here.
- Security Questions
This module allows an additional level of security to be applied. An overview of this functionality is available in the myhrtoolkit support pages, here.
- Allowed IP Addresses
Sometimes it can be useful for an organisation to limit access to specific IP addresses, e.g. the office. The myhrtoolkit system fully supports this, and it can easily be controlled from this module.
- Security Audit Log
The 'Security Audit Log' module lists security changes that have happened over a six month windows in the Toolkit. It tracks the following changes:
- User password change
- User changing the security question
- An admin reset of a user password
- Changes to password strength in Password Builder
- Enable/Disabling of the Security Questions
- Allowed IP Addresses - Both addition and removal
- Clicking the 'Enforcing Password Strengths' button
Note: With changes to passwords and security questions, only that the event happened is records, not the actual password or security answer!
- Secure Login Throttle Log
When a Toolkit senses that an account is being targeted in a brute force password attack, the login function will be throttled, cutting down how often a login request will be processed for that account. The 'Secure Login Throttle Log' shows when this has happened, and can highlight to a Controller that they have either been subject to an attack, or that the user is struggling to remember their password and may need help.