Security of the Blue Prism implementation is a key part of the operating model. Every automation program should be governed by a security policy, complemented by appropriate procedures that have been agreed by all relevant parties. Target systems will already have security controls built around them. The security policy governing the Blue Prism application, its database and access to the customer’s target systems allows Blue Prism to be operated in a secure and controlled environment.
Key Considerations When Defining a Security Policy:
Defining the Blue Prism Access Model
Blue Prism supports two methods of authentication, namely ‘Blue Prism user authentication’ and ‘Active Directory authentication’ (or ‘single sign on’). The type of authentication to be used is set when the database is created and cannot be changed on existing databases. Integral to this is the definition and setup of the user privileges across each of the Blue Prism environments.
Defining the Blue Prism Access Support Procedures
Procedures should be in place to define how a Blue Prism user is added, amended or removed. Consideration should also be given to the expiry term of new Blue Prism accounts and, where Blue Prism user authentication is being used, the expiry term of the password along with any other password rules (e.g. minimum length, compulsory characters, etc.).
Defining the Target System Access Model
Blue Prism accesses target systems much as a human user would and as such requires its own user names and passwords. Therefore, consideration should be given to the following:
- What user IDs will the digital workers use for each application?
- How many digital worker user IDs are required for each application?
- How will passwords be created, stored and managed for each application?
- Which areas of the network will digital workers have access to?
Defining the Target System Access Support Procedures
Once the Target System Access Model has been defined, the support of this model needs to be defined. Consideration should be given to the following:
- Who will be responsible for creating, amending or deleting digital worker accounts?
- How will the IT Helpdesk manage digital worker account queries?
Windows Access Model
This section refers to how the Resource PCs will log on to Windows and access the LAN.
- What credentials will be used?
- What privileges will be assigned?
- Will Login Agent be used?
- When and how will the passwords be changed?
- Which Resources will the credentials be granted access to?
- What will the credential management policy be if Blue Prism’s Login Agent is used?
Windows Access Support
The creation and modification of Windows credentials will need to be carefully governed, and in the event of lockout, expiry, etc., a procedure will need to be in place to quickly re-enable access.
Environment Access Model
This section of the security policy relates to the security of the Blue Prism environments, ensuring that the environments in which the Blue Prism solution and the systems it accesses run are secure. Consideration should be given to the following:
- Who will have access to the Blue Prism databases and servers in each environment?
- Who will have access to the Resource PCs in each environment?
- How will this be audited?
Environment Access Support Procedures
Once the Environment Access Model has been defined, the support of this model needs to be defined. Consideration should be given to the following:
- What are the procedures to be followed when supporting the Blue Prism Servers, Database and Resource PCs?
- Who will be responsible for creating, amending or deleting environment access permissions?
Defining Data Policies
Blue Prism has the ability to store data in work queues and logs. Consideration should be given to:
- Policies regarding data held in Blue Prism work queues and logs, including data retention policies
- Ensuring the security policy respects the organisation's own information security policy and industry-specific data standards, as well as adhering to:
  - The Data Protection Act (1998)
  - The Data Protection (Processing of Sensitive Personal Data) Order 2000
  - The Computer Misuse Act (1990)