Human Resources
Human resources personnel should follow well-defined in-processing and out-processing procedures. Conduct criminal background investigations, credit checks and employment verification for all personnel, including contractors, temporary staffing and cleaning crews. Periodically repeat background checks for people in highly sensitive positions. Require all personnel to sign a document stating they have read and understand the information security policies. Ensure third-party contractors and service providers comply with your security requirements (e.g. employment and background checks of new personnel). Establish an anonymous fraud, waste and abuse reporting mechanism; many crimes committed by insiders were suspected by fellow employees beforehand. Alert information security personnel when an employee is identified as troubled or disgruntled.
Security Awareness Program
All personnel must become familiar with security policies and procedures. Establish a comprehensive awareness program that includes annual security training with a testing component, email tips, posters, a letter of support from senior management, self-assessment surveys, awareness luncheons and a security Web site. Better yet, supplement training with awareness briefings. Briefings give personnel the opportunity to ask questions and put the information security team in the position of advocating security initiatives.
Access Control
Accesses should be issued based upon a person's need-to-know in the routine performance of their duties. When possible, issue accesses based upon role. Take into consideration IT roles such as developers, system administrators and application administrators, and define roles within accounting and payroll. All access requests should be formally documented and approved by a direct supervisor. For access to sensitive systems, require approval of a data owner as well. Two-person integrity controls should be implemented to secure extremely sensitive information (e.g. trade secrets). Configure building access cards to restrict personnel to the areas and time periods required in the performance of their duties. Each quarter, ask managers to formally sign off on the privileges of their direct reports: as employees transition to new positions, they may retain accesses from their previous role.
Separation of duties should be used as an additional control. Here are a few examples: separate roles should be required to create an account and to write a check. Developers should not have access to production systems. Code reviews should be performed by someone other than the author of the code. Administrators should not be the only group reviewing logs. For more information, see the ISACA separation of duties matrix.
Build applications that provide a view into sensitive data rather than the ability to download the entire database. Use terminal servers to provide remote access to data and systems while preventing file downloads (e.g. when developing software).
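The quarterly manager sign-off and the separation-of-duties examples above can be automated as a single access review. The following is an added example, not code from the original article; the role names, entitlements and user records are constructed for illustration, and the toxic combinations encode the article's own examples (account creation plus check writing, developer tooling plus production access).

```python
# Added example: role-based access review with separation-of-duties checks.
# Role names, entitlements and user records are constructed for illustration.
from typing import Dict, List, Set, Tuple

# Baseline entitlements per role: the need-to-know for routine duties
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "developer": {"git", "dev_db", "ci"},
    "sysadmin": {"prod_ssh", "prod_db", "log_server"},
    "payroll_clerk": {"payroll_app", "check_writer"},
    "accounts_admin": {"payroll_app", "account_create"},
}

# Toxic combinations from the text: creating accounts and writing checks,
# developer tooling together with production access
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("account_create", "check_writer"),
    ("git", "prod_ssh"),
    ("git", "prod_db"),
]

def excess_access(role: str, granted: Set[str]) -> Set[str]:
    """Entitlements held beyond the role baseline (often kept from a previous role)."""
    return granted - ROLE_ENTITLEMENTS.get(role, set())

def sod_violations(granted: Set[str]) -> List[Tuple[str, str]]:
    """Conflicting entitlement pairs held by one person."""
    return [(a, b) for a, b in SOD_CONFLICTS if a in granted and b in granted]

def quarterly_review(users: Dict[str, Tuple[str, Set[str]]]) -> Dict[str, dict]:
    """Build the report a manager signs off on each quarter: only users with findings."""
    report = {}
    for name, (role, granted) in users.items():
        extra, conflicts = excess_access(role, granted), sod_violations(granted)
        if extra or conflicts:
            report[name] = {"role": role, "excess": sorted(extra),
                            "sod_conflicts": conflicts}
    return report

# Constructed sample: alice moved from developer to sysadmin and kept git access;
# bob is a payroll clerk who was also granted account creation.
SAMPLE_USERS = {
    "alice": ("sysadmin", {"git", "prod_ssh", "prod_db", "log_server"}),
    "bob": ("payroll_clerk", {"payroll_app", "check_writer", "account_create"}),
    "carol": ("developer", {"git", "dev_db"}),
}

if __name__ == "__main__":
    for user, findings in quarterly_review(SAMPLE_USERS).items():
        print(user, findings)
```

Users with no findings (carol) are omitted from the report so the manager only reviews the exceptions.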
Administrators
Administrators have complete control over systems and applications. Prohibit use of default administrative accounts to facilitate accountability. Ensure Windows domain administrators use unique accounts tied to their name and that the default administrator account is deleted from servers during the installation process. Configure Unix and Linux systems to force administrators to log in as themselves, then use the switch user (su) command to obtain root-level administrative privileges. Application administrators and operations personnel may need access to a few root-level commands in the performance of their duties; use software to delegate those specific root privileges to them (e.g. sudo, RBAC, RSBAC or PowerBroker). Encrypt databases to prevent system administrators and anyone with access to a backup tape from viewing sensitive information.
Workstations
Laptops can store large amounts of sensitive information and are frequent targets of thieves. Issue laptops based upon business need and with consideration of the type of information typically processed. The U.S. government has recently mandated laptop encryption and two-factor authentication; it makes sense to follow their lead. Configure BIOS passwords as an additional control.
Restrict workstation administrative access to the desktop team. This privilege can be used to install unlicensed software or circumvent security controls (e.g. disable antivirus software or reverse system hardening configurations). Exceptions should be limited to personnel with a well-defined need for administrative privileges in the performance of their duties, including formal sign-off by their manager.
Finally, restrict who has access to use USB storage devices. They can be used to download sensitive data and may also act as an avenue to introduce viruses into the network.
Network Security
Configure firewalls according to security best practices. Restrict outbound traffic to common services such as HTTP and HTTPS. Use application proxies to limit traffic to designated protocols. Establish separate rules to limit outbound file transfers to an authorized set of users and systems. Restrict accesses between offices to specific systems, ports and protocols. Use network segregation to restrict access to systems hosting sensitive data (e.g. DMZs, extranets and VLANs). Block peer-to-peer file sharing services, instant messenger and services that allow unauthorized external access to the corporate network (e.g. GoToMyPC, pcAnywhere and Citrix Online). Block external email Web sites as well; all email should be conducted using company systems. If an employee needs access to one of the above services, confirm the business requirement and create a specific rule to meet their needs. Finally, scan outgoing email for sensitive information such as project codenames. An SSL scanner should also be used to inspect encrypted traffic streams.
Social Engineering
Con artists may attempt to extract information from authorized personnel or get them to take actions on their behalf. There are three basic methods to address this threat: (1) raise awareness of the techniques used by social engineers, (2) establish well-defined processes to protect sensitive data and valuable assets, and (3) provide an escalation path.
Backups
Conduct restore tests of critical systems at least annually. Disgruntled employees have been known to sabotage or blackmail companies by corrupting critical data and waiting for the corruption to propagate through the off-site backup rotation. Take backups of workstations to provide a record of employee activity. Encrypt backup tapes and e-vaulting data to keep sensitive information confidential while off-site.
Audit Trails and Monitoring
So far we have primarily addressed preventive controls. Detective controls are necessary because authorized personnel need privileges to get their jobs done. That brings us to audit trails and monitoring. Configure audit trails for each system component (e.g. network devices, operating systems, commercial software and custom applications). Learn the logging capabilities of each component and configure it to record significant events. Log actions taken by any individual with administrative privileges (e.g. execution of commands and access to the audit trails themselves). Audit trails must be protected by file permissions and synchronized in real time to a central log server to prevent modification. Once centralized, logs should be reviewed by automated processes with notification sent to the appropriate personnel. Database administrators have access to sensitive information, so they must be monitored as well. Use intrusion detection software to identify suspicious activity. Implement file integrity software to monitor configuration files and sensitive data.
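One form the automated review on the central log server can take, as an added example that is not from the original article: parse forwarded sudo and su records, extract every privileged action, and raise notifications for interactive root shells and for commands that touch the audit trails themselves. The syslog-style lines, host names and user names are constructed sample data.

```python
# Added example: automated review of centralized audit trails for privileged
# activity. The log lines are constructed in syslog style, not real data.
import re
from typing import Dict, List

# Constructed sample of sudo/su records as forwarded to a central log server
SAMPLE_LOG = """\
Aug 14 09:01:12 app01 sudo:    dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/sbin/service httpd restart
Aug 14 09:05:40 app01 sudo:    dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/rm /var/log/secure
Aug 14 09:07:02 db01 su: (to root) mallory on pts/1
Aug 14 09:09:15 db01 sudo: mallory : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/tail /var/log/audit/audit.log
Aug 14 09:10:30 app01 sshd[2210]: Accepted publickey for dave from 10.0.0.5 port 51122 ssh2
"""

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
SUDO_RE = re.compile(TS + r"sudo: +(?P<user>\S+) : .*?USER=(?P<target>\S+) ; "
                     r"COMMAND=(?P<cmd>.*)$")
SU_RE = re.compile(TS + r"su: \(to (?P<target>\S+)\) (?P<user>\S+) on")

# Paths an administrator should not touch unnoticed: the audit trails themselves
AUDIT_TRAIL_PATHS = ("/var/log/", "/var/audit/")

def parse_privileged(log: str) -> List[Dict[str, str]]:
    """Extract every privilege escalation (sudo command or su) from the log."""
    events = []
    for line in log.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append({**m.groupdict(), "via": "sudo"})
            continue
        m = SU_RE.match(line)
        if m:
            events.append({**m.groupdict(), "cmd": "", "via": "su"})
    return events

def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Notifications for root shells and for commands touching the audit trails."""
    out = []
    for e in events:
        who = f"{e['host']}: {e['user']} -> {e['target']}"
        if e["via"] == "su":
            out.append(f"{who} opened an interactive root shell")
        elif any(p in e["cmd"] for p in AUDIT_TRAIL_PATHS):
            out.append(f"{who} touched audit trail: {e['cmd']}")
    return out

if __name__ == "__main__":
    for a in alerts(parse_privileged(SAMPLE_LOG)):
        print(a)
```

The routine service restart is recorded as a privileged event but produces no notification; only the deletion of a log, the su to root and the read of the audit log do.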
This was first published in August 2006
Security Management Strategies for the CIO