Inviting Risk
by Paul Rohmeyer
Issue: May 2007

Access Control
Access controls are key to contractor security. Third-party access to critical systems and data must be limited to the minimum required to perform the assigned job. This concept of "least privileges" is central to limiting the contractor's view, thereby controlling the risk of unauthorized information access.

However, unstructured information, such as data in email, is notoriously harder to protect because of the lack of traditional database access controls and the ease with which information can be forwarded to others within and outside of the organization. Consequently, access controls should also be viewed from an information perspective, not just a system perspective. This means not just controlling access to systems, but restricting access to specific data sets. For example, don't give a contractor access to the credit system but rather allow access to specific accounts he will service.

This need for controlling information access may be especially true when it comes to application development, according to Dan Kennedy, vice president of information security for Pershing LLC, a subsidiary of The Bank of New York. "The big concern in development is using offshore contractors. ...By the nature of the job, they will have a lot of access," he says.

Some organizations withhold production-data access from contract developers, yet the test or development systems those developers do use contain a complete copy of the same production data.

"It's very common for some [organizations] to copy production data to create test data," says Tony Meholic, vice president of security and business continuity officer for BSC Services. "If you are going to use contractors, you need to develop some test data. You can copy the production data and then modify the personal customer information so that it cannot be used for anything other than testing."
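One way to carry out the masking Meholic describes, as an added example that is not code from the article or from BSC Services. It assumes a keyed, deterministic pseudonymization (HMAC-SHA256 with a key kept outside the test environment) so that customer references stay consistent across tables, and it uses constructed sample rows rather than real data.

```python
import hashlib
import hmac

# Constructed stand-in for a production extract (not real customer data).
PRODUCTION_ROWS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "balance": 2500.75},
    {"customer_id": "C1002", "name": "Bob Example", "email": "bob@example.com",
     "ssn": "987-65-4321", "balance": -40.00},
]
# Constructed ledger rows that refer to customers by id; masking must keep that link intact.
PRODUCTION_TXNS = [
    {"txn_id": 1, "customer_id": "C1001", "amount": 19.99},
    {"txn_id": 2, "customer_id": "C1002", "amount": 5.00},
]
PII_FIELDS = ("name", "email", "ssn")


def _token(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token: same input gives the same token; irreversible without the key."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def mask_customer_id(cid: str, key: bytes) -> str:
    # Same function for every table so that foreign keys still join after masking.
    return "C" + _token(key, "customer_id", cid)[:8]


def mask_customer(row: dict, key: bytes) -> dict:
    """Replace identifiers and PII; keep non-identifying fields (balance) that tests depend on."""
    digits = str(int(_token(key, "ssn", row["ssn"]), 16) % 10**9).zfill(9)  # synthetic, format kept
    return {
        "customer_id": mask_customer_id(row["customer_id"], key),
        "name": "Customer " + _token(key, "name", row["name"])[:6],
        "email": "user-" + _token(key, "email", row["email"])[:10] + "@example.invalid",
        "ssn": f"{digits[:3]}-{digits[3:5]}-{digits[5:]}",
        "balance": row["balance"],
    }


def mask_dataset(customers: list, txns: list, key: bytes) -> tuple:
    masked_txns = [{**t, "customer_id": mask_customer_id(t["customer_id"], key)} for t in txns]
    return [mask_customer(c, key) for c in customers], masked_txns


def leaks_pii(original: list, masked: list) -> bool:
    """Gate before the copy leaves the production zone: no original PII value may survive."""
    originals = {r[f] for r in original for f in PII_FIELDS}
    return any(v in originals for r in masked for v in r.values() if isinstance(v, str))
```

The key never travels with the masked copy, so contractors working in the test environment cannot map tokens back to customers, while the masked rows still join and still exercise balance and amount logic.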

In addition to limiting access, organizations should establish user accounts for contractors that automatically expire at short intervals, forcing the hiring manager to reapply for the contractor's access rights.

Recertification of all access privileges is a technique to force systems administrators to remove privileges no longer needed. Contractors in large organizations frequently rotate to different departments once assignments are completed, but often retain the same level of system access, says Bayer's van de Gohm.

"Forcing hiring managers to reapply for access is a control that ensures long-term contractors that move from manager to manager are periodically re-evaluated," and only have access to the information they need for their current role, he says.
