When considering IT security, organizations should take a look at the websites for the National Institute of Standards and Technology, the Defense Information System Agency’s Security Technical Implementation Guides or the Center for Internet Security. There, they may find that understanding and translating their security recommendations to implementable practices can be overwhelming. While this is a worthwhile and important task, there are also more practical ways to ensure you are using IT security best practices in your business.
Separation of Duties
Make sure to separate duties within your IT organization. While this is a routine practice in finance, it is often overlooked in IT security. For example, make sure there is a designated person or team to verify system security settings for operating resource settings, such as file ownership, permissions and registry settings. This team should be able to obtain ad hoc reports of the system settings that need to be checked but should not have access to the servers on which the verification is being performed.
This provides a higher measure of IT security than simply trusting the server support teams to properly configure and enforce the appropriate settings. All deviations found by the security verification team should be documented and immediately corrected. Even more ideal is to have a separate team configure an endpoint management tool to immediately detect and remediate out-of-compliance conditions.
Least Privilege for Primary Controls
Apply the concept of least privilege to your primary controls. This means making sure the level of access to systems, tools and data in your IT environment is sufficient to enable all employees to perform their work — but no more than necessary. List and create profiles for each job category within your organization, then specify in detail the level of access needed in order to perform that job. Create detailed procedures with the level of access that must be granted to an employee in each profile. Be especially careful with the level of read/write access allowed.
For example, if you have a team that develops marketing materials, ensure it only has access to systems, applications and content containing information needed for this purpose. If some members of that team are responsible for publishing the materials, they may be allowed to have access to different systems and separate file and directory structures, or the type of access they are given may be write versus read. That way, there is accountability only with the publishing team for any changes made to these systems. This seems like an obvious practice, but many companies fail to thoroughly document profiles and associated work instructions. The next step is to automate ID creation using these profiles, which can further ensure correct access has been granted.
Secondary Controls for IT Security
Implement a secondary controls solution to supplement primary controls. When primary controls fail — and they will — secondary controls are essential. These are often overlooked due to cost and staffing pressures, which are almost always considered as overhead. Secondary controls activities should be executed on a regular schedule by employees who do not perform primary controls so they cannot be bypassed. Examples of secondary controls include verifying all user IDs are owned by active employees, verifying the correct level of system access and checking system and application logs for suspicious or unauthorized activities.
I hope this post has been helpful in providing some basic control points to focus on when securing your IT environment. Please tweet at me at @LisaChavez111 if you have comments or suggestions.