Easy to Implement Security Improvements

May 25, 2005

If your organization looks at security as a product that comes off the shelf, you will always need another product to address the next security issue. Each additional purchase made to improve security yields a diminishing return on the investment.

At some point, buying more security hardware and software results in more complicated processes and less productivity for administrators. Fortunately, you can improve your security without multi-million dollar solutions. It is the small details that raise the security baseline in your organization and make future purchases more valuable. Any organization can improve its security by improving its processes and educating its employees.

Making Employees Aware

The first step toward improving your security is a security awareness program for all employees. The program should require employees to authenticate before taking it, and it should keep an audit database recording who has completed the program and when each person last reviewed the material. The presentation itself should spell out what the company expects of employee behavior.

Your security awareness program should also cover emergency situations and the appropriate employee response. Many employees do not report strangers loitering in offices, nor do they challenge people who are not displaying an identification badge. They fail to report because they either do not know whom to call or feel that it is not a big deal. Many companies implement an awareness program but fail to keep an audit trail. There must be consequences for failing to review the security awareness material; a typical one is loss of network privileges after a grace period.

Pushing Administration Further Out

The second step is to streamline your administrative processes. There are many ways to add a person to a corporate directory and grant network access. Typically, administrators rely on an email or a phone call from a manager. Emails and phone calls are poor mechanisms for authorizing account creation because they are difficult to audit and easy to forge or manipulate. You should push this type of administration further out and avoid centrally controlling routine access or account creation. The person who best knows what access a job requires is the direct manager, and the manager also knows when that access should be removed, for example when the employee is terminated. It is easy to delegate account control to a manager and then centrally control only the manager's ability to add and remove users.

Using Testing as a Provisioning Tool

Auditing is built into directories and databases. Relying on phone calls, or on any process in which trust is not measured, creates opportunities for people to receive the wrong access permissions, and afterward it is difficult to audit who granted the access or why. Removing employee rights is just as important as creating them. If your organization follows these suggestions and builds a security awareness test with an audit control, you will also have created a very simple provisioning control. If employees must review the awareness test year after year, any employee who has left the company is automatically flagged, because they cannot complete the awareness exam. This acts as a backstop for cases in which a manager does not remove permissions in a timely manner.
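The delegation model of the previous two sections (managers add and remove users in their own area while a central administrator controls only the delegation, every action lands in an audit record, and the annual awareness exam doubles as a check for accounts nobody removed) can be sketched in a few dozen lines. The following Python is an added example written for this page, not code from the original article; the toy directory, the department and account names, the dates, and the 365-day review period are all constructed assumptions.

```python
"""Delegated account provisioning with a central audit trail and an
awareness-review reconciliation check.

Added example, not code from the original article. All names, dates and
records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

AWARENESS_REVIEW_PERIOD = timedelta(days=365)  # assumed annual review cycle


@dataclass
class Account:
    username: str
    department: str
    manager: str
    awareness_completed: date | None = None  # None = never took the exam


@dataclass
class Directory:
    """Toy directory: a central admin delegates per-department control to managers."""
    accounts: dict = field(default_factory=dict)
    delegations: dict = field(default_factory=dict)  # manager -> set of departments
    audit_log: list = field(default_factory=list)    # (actor, action, target)

    def delegate(self, admin: str, manager: str, department: str) -> None:
        # Only the central admin grants delegation; managers never do this themselves.
        self.delegations.setdefault(manager, set()).add(department)
        self.audit_log.append((admin, "delegate", f"{manager}:{department}"))

    def _authorize(self, actor: str, department: str) -> None:
        # Every refusal is logged too, so out-of-scope attempts are visible.
        if department not in self.delegations.get(actor, set()):
            self.audit_log.append((actor, "denied", department))
            raise PermissionError(f"{actor} may not manage accounts in {department}")

    def add_user(self, actor: str, username: str, department: str) -> Account:
        self._authorize(actor, department)
        acct = Account(username, department, manager=actor)
        self.accounts[username] = acct
        self.audit_log.append((actor, "add", username))
        return acct

    def remove_user(self, actor: str, username: str) -> None:
        acct = self.accounts[username]
        self._authorize(actor, acct.department)
        del self.accounts[username]
        self.audit_log.append((actor, "remove", username))

    def record_awareness(self, username: str, completed: date) -> None:
        self.accounts[username].awareness_completed = completed
        self.audit_log.append((username, "awareness", completed.isoformat()))

    def overdue_awareness(self, today: date) -> list[str]:
        """Accounts whose annual awareness review is missing or stale.

        A leaver whose manager forgot to remove them can never complete the
        exam, so they surface here: the backstop the article describes.
        """
        stale = []
        for name, acct in sorted(self.accounts.items()):
            last = acct.awareness_completed
            if last is None or today - last > AWARENESS_REVIEW_PERIOD:
                stale.append(name)
        return stale


def demo() -> tuple[list[str], list[tuple]]:
    """Constructed scenario: returns (overdue accounts, audit log)."""
    d = Directory()
    d.delegate("central-admin", "mgr-finance", "finance")
    d.delegate("central-admin", "mgr-eng", "engineering")

    d.add_user("mgr-finance", "alice", "finance")
    d.add_user("mgr-eng", "bob", "engineering")
    d.add_user("mgr-eng", "carol", "engineering")
    d.record_awareness("alice", date(2005, 3, 1))
    d.record_awareness("bob", date(2004, 1, 15))   # more than a year ago
    # carol never completed the exam (e.g. left the company, never removed)

    # A manager reaching outside their own department is refused and logged.
    try:
        d.add_user("mgr-finance", "dave", "engineering")
    except PermissionError:
        pass

    return d.overdue_awareness(date(2005, 5, 25)), d.audit_log


if __name__ == "__main__":
    overdue, log = demo()
    print("Overdue awareness review:", overdue)
    for entry in log:
        print(entry)
```

The point of the structure is that the only central operation is `delegate`; everything a manager does is authorized against that delegation and written to the same log, and `overdue_awareness` reads the same records to catch accounts that should have been removed.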

Balancing Audits and Controls

Most computers, networks, web servers, and applications have auditing capabilities, and laws such as HIPAA and Sarbanes-Oxley require auditing. However, many organizations handle logging in one of two unhelpful ways:

# They fail to enable auditing at all.

# They enable it and never review the records.

Auditing is one of the simplest ways to gain information about a system, but that simplicity is a double-edged sword: it can also produce large amounts of data very quickly. Never dismiss the importance of auditing. Tuning the audit settings so that they capture the most critical information is a huge step in raising awareness of the state of your organization's electronic assets. Once a system is actively recording, the next step is to review the records on a regular basis. The review interval depends on how heavily the system is used and how critical its information is. As review becomes a habit, administrators learn which systems are used most frequently and which ones are at higher risk. In the event of a breach, audit trails help determine what happened, how far the breach extended into your organization, and how long the attack lasted. Because auditing is important, inexpensive, and easy to implement, it is a cornerstone process in improving your security.
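One way to make the review habit workable is a script that separates the handful of events worth a person's attention from the routine bulk. The following Python is an added example, not code from the original article; the log line format, the sample lines, the list of always-review event types, and the failed-login threshold are all constructed assumptions and would need adapting to a real system's log format.

```python
"""Reduce a raw audit log to the events a reviewer should look at first.

Added example, not from the original article. The log format and the
sample lines are constructed; adjust LINE_RE to your own system's format.
"""
import re
from collections import Counter

# Constructed sample log: "<timestamp> <event> user=<name> src=<ip> [extra]"
SAMPLE_LOG = """\
2005-05-25T08:00:01 LOGIN_OK user=alice src=10.0.0.5
2005-05-25T08:00:07 LOGIN_OK user=bob src=10.0.0.9
2005-05-25T08:02:11 LOGIN_FAIL user=admin src=192.0.2.44
2005-05-25T08:02:12 LOGIN_FAIL user=admin src=192.0.2.44
2005-05-25T08:02:13 LOGIN_FAIL user=admin src=192.0.2.44
2005-05-25T08:02:14 LOGIN_FAIL user=admin src=192.0.2.44
2005-05-25T08:02:15 LOGIN_FAIL user=admin src=192.0.2.44
2005-05-25T08:15:00 ACCOUNT_CREATED user=temp01 src=10.0.0.9
2005-05-25T08:15:30 GROUP_ADD user=temp01 src=10.0.0.9 group=Administrators
2005-05-25T09:00:00 LOGIN_OK user=carol src=10.0.0.12
2005-05-25T09:30:00 AUDIT_CLEARED user=bob src=10.0.0.9
2005-05-25T10:00:00 LOGIN_OK user=alice src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)(?P<rest>.*)$"
)

# Assumed: event types that always deserve a human look, whatever the volume.
# Clearing the audit log itself is the classic one a reviewer must not miss.
ALWAYS_REVIEW = {"ACCOUNT_CREATED", "GROUP_ADD", "AUDIT_CLEARED"}
FAIL_THRESHOLD = 3  # assumed: this many failures for one account from one source


def parse(log_text: str) -> list:
    """Parse lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review(log_text: str) -> dict:
    """Split the log into what needs attention and what can be summarized.

    Returns {"critical": [...messages...],
             "failed_logins": {(user, src): count},
             "routine": number of ordinary events}.
    """
    critical = []
    fails = Counter()
    routine = 0
    for e in parse(log_text):
        if e["event"] in ALWAYS_REVIEW:
            critical.append(f'{e["ts"]} {e["event"]} {e["user"]}{e["rest"]}')
        elif e["event"] == "LOGIN_FAIL":
            fails[(e["user"], e["src"])] += 1
        else:
            routine += 1
    # Repeated failures are reported once, as a count, rather than line by line.
    for (user, src), n in fails.items():
        if n >= FAIL_THRESHOLD:
            critical.append(f"{n} failed logins for {user} from {src}")
    return {"critical": critical, "failed_logins": dict(fails), "routine": routine}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(f"{result['routine']} routine events summarized")
    for msg in result["critical"]:
        print("REVIEW:", msg)
```

Run against the sample, the twelve lines collapse to four items for a reviewer: a new account, that account being added to an administrative group, the audit log being cleared, and five failed logins for one account from one address. The four successful logins are counted, not listed, which is the balance the text is asking for.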

Empowering Your Employees

Finally, the most important step for improving your organization's security is to make sure all employees know that they are its most important piece. Consequences need to be in place, but that does not mean embarrassing an employee for an honest mistake. Security issues should be kept confidential between a manager and the employee. If an employee has difficulty following the security rules, train and educate them. If several employees are making the same mistake, then perhaps the process itself is wrong or encourages mistakes. Improving security should not add stress to an employee's day; employees should be allowed to make mistakes, and an ever-improving security process should handle company changes gracefully. The main goal is to make sure employees feel comfortable with the security process and participate willingly.

In conclusion, your employees, your managers, and your simple day-to-day processes greatly affect your organization's security. Attitudes and the working environment play a huge part in employees' participation in the security process. The margin for error in security is slim, and the simplest task, set up incorrectly, can convince employees that management has handed them one more hassle. These four items, a security awareness program, decentralized user account creation, collecting and reviewing audit logs, and maintaining the right attitude toward security, are inexpensive to implement, and their importance grows as an organization continues to improve its security posture. In addition, keeping employees involved in the process lets management see where the security gaps are and makes future buying decisions easier to justify.
