Policies without supporting technology are futile

CyberArk Software : 04 November, 2008  (Special Report)
Calum MacLeod of Cyber-Ark reinforces the importance of installing information security technologies to support policies and standards
As someone who has become totally engrossed in the upcoming US elections, Barack Obama's comment about "lipstick on a pig" resonated with me, because in my opinion it just about sums up the approach to IT security in most enterprises today. You can have SOX, PCI, Basel, ISO or whatever other policy you can think of, but as long as you carry on doing things in the same old way you might as well put lipstick on a pig.

Over the past year there have been countless incidents of sensitive data being lost or misplaced, and small fortunes have been spent investigating the how and the why. Yet the incidents continue, and in my opinion this is primarily due to the failure of organisations to implement the technologies needed to ensure their policies are actually enforced.

It is, therefore, absolutely essential that adequate controls are put in place to ensure that highly sensitive data is protected from abuse. There are best-practice solutions, as well as commercial solutions, that can guarantee that no matter how resourceful or determined someone may be, the risk is minimised and the opportunity to abuse sensitive data is technically eliminated. The following list can serve as a useful guideline for accomplishing this.

By creating a secure repository, sensitive data can be stored in a manner that gives the data owner, whether that is an individual or an application, and the organisation complete control over who has access. Your organisation can immediately eliminate the risk of unauthorised users gaining access from inside or outside the network. This also ensures that IT staff are no longer able to access the data, even though they may be responsible for managing the system that stores it.

Effective but manageable encryption methods that do not require IT intervention remove the risk of keys being exposed to systems staff. Relying on encryption methods that are complex to use and manage only increases the vulnerability.

Backing up sensitive and critical data is crucial, but it can be abused. When selecting backup/restore solutions, every precaution should be taken to ensure they are able to back up the data in its encrypted form. Too often data is backed up unencrypted and is then open to abuse and theft.

There must be segregation between IT staff and data owners. Additionally, there should be hierarchies within data ownership, such as dual control, which enforces checks and balances to ensure that highly sensitive data cannot be accessed unless authorisation has been given. If possible, access to, and responsibility for, data should be devolved to the relevant departments, minimising the number of prying eyes. For example, there is no reason why anyone outside of HR should have access to HR data.

With automatic reporting of user activity, any time an authorised person accesses a sensitive file, management should receive an immediate report of that activity. Reporting at departmental level ensures that managers, who know the sensitive data under their control, can identify potentially inappropriate behaviour and misuse at an early stage.
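The three controls above (a repository where only the data owner grants access and the administrator of the system gets none, dual control for highly sensitive records, and automatic per-department activity reporting) fit together as one small access-control model. The following is an added illustration written for this page; it is not CyberArk's code or product, and every user, department, record and policy in it is constructed for the example.

```python
"""Toy secure repository: owner-controlled access, dual control for highly
sensitive records, and per-department activity reports.
Illustrative example for this page, not CyberArk's code. All names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Raised whenever a request fails a control; the failure is also logged."""


@dataclass
class Record:
    name: str
    department: str                      # owning department, e.g. "HR"
    owner: str                           # the data owner; the only one who can grant access
    sensitivity: str                     # "sensitive" or "highly_sensitive"
    content: bytes = b""
    readers: set = field(default_factory=set)


@dataclass
class AuditEvent:
    when: str
    user: str
    record: str
    department: str
    action: str
    outcome: str


class SecureRepository:
    def __init__(self):
        self._records = {}
        self._approvals = {}             # (user, record) -> approver for a single dual-control read
        self.audit = []                  # every attempt, successful or not, is recorded here

    def store(self, record):
        self._records[record.name] = record

    def grant(self, actor, record_name, user):
        """Only the data owner extends access; whoever administers the system has no say."""
        rec = self._records[record_name]
        if actor != rec.owner:
            self._log(actor, rec, "grant", "denied: not the data owner")
            raise AccessDenied(f"{actor} is not the owner of {record_name}")
        rec.readers.add(user)
        self._log(actor, rec, "grant", f"granted to {user}")

    def approve(self, approver, record_name, user):
        """Dual control: a second authorised reader signs off one read by another user."""
        rec = self._records[record_name]
        if approver not in rec.readers or approver == user:
            self._log(approver, rec, "approve", "denied: approver not an authorised second person")
            raise AccessDenied("approver must be an authorised reader other than the requester")
        self._approvals[(user, record_name)] = approver
        self._log(approver, rec, "approve", f"approved one read by {user}")

    def read(self, user, record_name):
        rec = self._records[record_name]
        if user not in rec.readers:
            self._log(user, rec, "read", "denied: not authorised")
            raise AccessDenied(f"{user} may not read {record_name}")
        if rec.sensitivity == "highly_sensitive":
            approver = self._approvals.pop((user, record_name), None)   # approval is single-use
            if approver is None:
                self._log(user, rec, "read", "denied: no dual-control approval")
                raise AccessDenied(f"read of {record_name} needs dual-control approval")
            self._log(user, rec, "read", f"ok (approved by {approver})")
        else:
            self._log(user, rec, "read", "ok")
        return rec.content

    def report(self, department):
        """Automatic activity report for one department's management."""
        return [e for e in self.audit if e.department == department]

    def _log(self, user, rec, action, outcome):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(AuditEvent(stamp, user, rec.name, rec.department, action, outcome))


def build_demo():
    """Constructed scenario: an HR director owns two records; an IT administrator runs the system."""
    repo = SecureRepository()
    repo.store(Record("payroll", "HR", "hr_director", "highly_sensitive", b"constructed payroll data"))
    repo.store(Record("salary_bands", "HR", "hr_director", "sensitive", b"constructed salary band table"))
    repo.grant("hr_director", "payroll", "hr_director")       # the owner is also a reader
    repo.grant("hr_director", "payroll", "hr_analyst")
    repo.grant("hr_director", "salary_bands", "hr_analyst")
    try:
        repo.grant("it_admin", "payroll", "it_admin")          # administering the system grants nothing
    except AccessDenied:
        pass
    return repo


if __name__ == "__main__":
    repo = build_demo()
    repo.approve("hr_director", "payroll", "hr_analyst")
    repo.read("hr_analyst", "payroll")
    for event in repo.report("HR"):
        print(f"{event.when} {event.user:12} {event.action:8} {event.record:13} {event.outcome}")
```

The report is what the departmental manager would see: the IT administrator's failed attempt to grant himself access appears alongside the analyst's approved read, so misuse shows up in the same place as legitimate activity rather than in a log only the systems staff can reach.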

Ultimately it is impossible to eliminate the abuse of sensitive data by people who are determined to misuse their position, but at the very least every organisation today can easily and relatively cheaply implement technology to ensure that its procedures are not just "an old fish in a piece of paper".