Rising to a Higher Standard Isn't Easy
Our manager sees the need to implement two best practices: separation of duties and the principle of least privilege.
Computerworld - Some employees are held to a higher standard of behavior than most. Anyone in a position with broad powers or influence falls into this group, including accountants, managers, systems administrators -- and information security professionals.
Like systems administrators, information security professionals generally have access to a great deal of data and information. Even if they don't have direct access, they generally know how to obtain it by exploiting a weakness (like hackers, but with the opposite intent) or by simply giving themselves elevated privileges.
In our small shop, the systems administrators, help desk workers and security people all have a great deal of access. This past week, some issues arose that caused me to go back to some best practices regarding access. One is called separation of duties, and the other is called the principle of least privilege.
Raising the Bar
It all started when a co-worker told me he suspected that one of my staffers was snooping around on employee computers. Over the past year, I had heard similar complaints from various managers, but the staffers who had been the cause of those earlier concerns are no longer employed here, and I thought that it was a dead issue.
However, I had failed to change our processes so that such an issue couldn't arise again. If you set low standards, some people who don't personally hold high standards will drop down to the lowest common denominator. It was time to raise the standards and change some processes so that the potential for abuse would be minimized.
While much attention in the world of information security is given to technology, the most overlooked security risk is the level of access that systems and security people have on the network.
In the IT world, you have to have gurus running around who can not only fix a network problem, but also troubleshoot issues that crop up with operating systems, databases or the application layer. The gurus have godlike status on the network, and that status demands integrity on their part. You have to be able to trust the people you open your network to. Once trust is lost, it's game over.
An audit trail is one way of finding out when trust is lost. There should also be an acceptable-use policy for systems administrators that's published and enforced. Violations of the policy should be punishable by termination.
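As an added illustration of how an audit trail supports both principles (this is example code, not anything from the column or its author), the script below reviews a constructed log of admin sessions on employee workstations against a constructed help desk ticket list. The log format, ticket fields and names are assumptions; it flags access with no authorizing ticket (least privilege), reuse of a ticket for a different machine, and tickets where the requester, approver or acting admin are the same person (separation of duties).

```python
"""Added example: review a privileged-access audit trail for separation of
duties and least privilege. Log format, tickets and names are constructed."""
from collections import namedtuple

# Constructed audit trail: which admin opened a remote session on which
# employee workstation, and the help desk ticket cited for the session.
ACCESS_LOG = """\
2012-06-01T09:12:00 admin=alice host=WS-PAYROLL-07 ticket=HD-1042
2012-06-01T11:40:00 admin=bob host=WS-HR-03 ticket=
2012-06-01T13:05:00 admin=carol host=WS-SALES-19 ticket=HD-1050
2012-06-02T16:22:00 admin=alice host=WS-HR-03 ticket=HD-1042
"""

# Constructed tickets: the workstation the user asked for help on, who
# opened (requested) the ticket, and who approved the admin session.
TICKETS = {
    "HD-1042": {"host": "WS-PAYROLL-07", "requester": "dave", "approver": "erin"},
    "HD-1050": {"host": "WS-SALES-19", "requester": "carol", "approver": "carol"},
}

Event = namedtuple("Event", "when admin host ticket")


def parse_log(text):
    """Turn 'key=value' log lines into Event records (empty ticket allowed)."""
    events = []
    for line in text.splitlines():
        tokens = line.split()
        fields = dict(tok.split("=", 1) for tok in tokens[1:])
        events.append(Event(tokens[0], fields["admin"], fields["host"], fields["ticket"]))
    return events


def review(events, tickets):
    """Return (event, reason) pairs that a manager should question."""
    findings = []
    for ev in events:
        ticket = tickets.get(ev.ticket)
        if ticket is None:
            # Least privilege: privileged access needs a documented reason.
            findings.append((ev, "no authorizing ticket"))
        elif ticket["host"] != ev.host:
            # An old ticket reused to justify access to another machine.
            findings.append((ev, "ticket is for a different machine"))
        elif ticket["approver"] in (ticket["requester"], ev.admin):
            # Separation of duties: no one approves their own request or work.
            findings.append((ev, "requester, approver or admin are the same person"))
    return findings


if __name__ == "__main__":
    for ev, reason in review(parse_log(ACCESS_LOG), TICKETS):
        print(f"{ev.when} {ev.admin} -> {ev.host}: {reason}")
```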
With a small team, addressing separation of duties is a challenge. The purpose of separation of duties is to make sure that no single