April 17, 2015 By Lisa Chavez 2 min read

When considering IT security, organizations should take a look at the websites for the National Institute of Standards and Technology, the Defense Information Systems Agency’s Security Technical Implementation Guides or the Center for Internet Security. There, they may find that understanding and translating these security recommendations into implementable practices can be overwhelming. While this is a worthwhile and important task, there are also more practical ways to ensure you are using IT security best practices in your business.

Separation of Duties

Make sure to separate duties within your IT organization. While this is a routine practice in finance, it is often overlooked in IT security. For example, make sure there is a designated person or team to verify system security settings for operating resource settings, such as file ownership, permissions and registry settings. This team should be able to obtain ad hoc reports of the system settings that need to be checked but should not have access to the servers on which the verification is being performed.

This provides a higher measure of IT security than simply trusting the server support teams to properly configure and enforce the appropriate settings. All deviations found by the security verification team should be documented and immediately corrected. Even more ideal is to have a separate team configure an endpoint management tool to immediately detect and remediate out-of-compliance conditions.
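One way the verification team can work from an ad hoc report rather than from server access, as an added example that is not part of the original post. The report format ("path owner group mode"), the baseline and the sample report are all constructed, hypothetical data; substitute whatever your reporting tool actually emits.

```python
# Constructed baseline for each resource: (owner, group, octal mode).
BASELINE = {
    "/etc/shadow": ("root", "shadow", "0640"),
    "/etc/ssh/sshd_config": ("root", "root", "0600"),
    "/var/www/html": ("www-data", "www-data", "0755"),
    "/opt/app/config.yml": ("app", "app", "0640"),
}

# Constructed sample report as delivered by the server support team.
REPORT = """\
/etc/shadow root shadow 0640
/etc/ssh/sshd_config root root 0644
/var/www/html www-data www-data 0777
/opt/app/secrets.yml app app 0666
"""


def parse_report(text):
    """Turn report lines into {path: (owner, group, mode)}; blank lines skipped."""
    settings = {}
    for line in text.splitlines():
        if line.strip():
            path, owner, group, mode = line.split()
            settings[path] = (owner, group, mode)
    return settings


def find_deviations(report_text, baseline=BASELINE):
    """Return sorted (path, issue) tuples for every deviation from the baseline."""
    actual = parse_report(report_text)
    findings = []
    for path, (owner, group, mode) in baseline.items():
        if path not in actual:
            findings.append((path, "missing from report"))
            continue
        got_owner, got_group, got_mode = actual[path]
        if (got_owner, got_group) != (owner, group):
            findings.append((path, f"owned by {got_owner}:{got_group}, expected {owner}:{group}"))
        if got_mode != mode:
            findings.append((path, f"mode {got_mode}, expected {mode}"))
    # Resources outside the baseline are still flagged when world-writable,
    # so an undocumented file cannot slip past the check unnoticed.
    for path, (_, _, got_mode) in actual.items():
        if path not in baseline and int(got_mode, 8) & 0o002:
            findings.append((path, f"world-writable ({got_mode}), not in baseline"))
    return sorted(findings)
```

Each tuple returned by `find_deviations(REPORT)` is one item for the verification team to document and hand back for correction.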

Least Privilege for Primary Controls

Apply the concept of least privilege to your primary controls. This means making sure the level of access to systems, tools and data in your IT environment is sufficient to enable all employees to perform their work — but no more than necessary. List and create profiles for each job category within your organization, then specify in detail the level of access needed in order to perform that job. Create detailed procedures with the level of access that must be granted to an employee in each profile. Be especially careful with the level of read/write access allowed.

For example, if you have a team that develops marketing materials, ensure it only has access to systems, applications and content containing information needed for this purpose. If some members of that team are responsible for publishing the materials, they may be allowed to have access to different systems and separate file and directory structures, or the type of access they are given may be write versus read. That way, there is accountability only with the publishing team for any changes made to these systems. This seems like an obvious practice, but many companies fail to thoroughly document profiles and associated work instructions. The next step is to automate ID creation using these profiles, which can further ensure correct access has been granted.

Secondary Controls for IT Security

Implement a secondary controls solution to supplement primary controls. When primary controls fail — and they will — secondary controls are essential. These are often overlooked due to cost and staffing pressures, which are almost always considered as overhead. Secondary controls activities should be executed on a regular schedule by employees who do not perform primary controls so they cannot be bypassed. Examples of secondary controls include verifying all user IDs are owned by active employees, verifying the correct level of system access and checking system and application logs for suspicious or unauthorized activities.
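The job-category profiles from the least privilege section and the secondary-control checks just listed (every ID owned by an active employee, access no higher than the profile allows) can be run as one reconciliation, shown here as an added example that is not part of the original post. The profiles, HR roster and access report are constructed sample data.

```python
# Least-privilege profiles: job category -> {system: highest allowed access}.
PROFILES = {
    "marketing_author": {"cms": "read", "assets": "read"},
    "marketing_publisher": {"cms": "write", "assets": "write", "webserver": "write"},
    "server_support": {"webserver": "write", "monitoring": "read"},
}

# Constructed HR roster: user id -> (employment status, job category).
HR_ROSTER = {
    "amy": ("active", "marketing_author"),
    "bob": ("active", "marketing_publisher"),
    "cara": ("terminated", "server_support"),
    "dan": ("active", "server_support"),
}

# Constructed access report pulled from the systems: (user id, system, level).
ACCESS_REPORT = [
    ("amy", "cms", "read"),
    ("amy", "cms", "write"),              # write where the profile allows read
    ("bob", "assets", "write"),
    ("cara", "webserver", "write"),       # owner no longer active: orphaned ID
    ("dan", "monitoring", "read"),
    ("dan", "cms", "read"),               # system not in this profile at all
    ("svc_backup", "webserver", "read"),  # no HR owner on record
]

RANK = {"read": 0, "write": 1}  # write implies read, so compare by rank


def reconcile(access_report, roster=HR_ROSTER, profiles=PROFILES):
    """Return sorted (user, system, issue) tuples the reviewer must follow up."""
    findings = []
    for user, system, level in access_report:
        if user not in roster:
            findings.append((user, system, "no HR owner on record"))
            continue
        status, job = roster[user]
        if status != "active":
            findings.append((user, system, f"owner is {status}"))
            continue
        allowed = profiles[job].get(system)
        if allowed is None:
            findings.append((user, system, f"not in profile {job}"))
        elif RANK[level] > RANK[allowed]:
            findings.append((user, system, f"{level} granted, profile allows {allowed}"))
    return sorted(findings)
```

Because the check only needs the roster and an exported access report, it can be run on a schedule by staff who hold no administrative rights on the systems themselves.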

I hope this post has been helpful in providing some basic control points to focus on when securing your IT environment. Please tweet at me at @LisaChavez111 if you have comments or suggestions.
