Good password policy, control over critical and protected resources, proper account handling… The same requirements appear across multiple, seemingly unrelated compliance regulations. That's because regulators are trying to ensure simple, effective governance that can also be verified.
For many organizations, focus on a single regulation, sometimes even single requirements in a single regulation, might make it difficult to spot commonalities. As someone who talks to various customers around the world about complying with a variety of generic and specific regulations, I see a lot of the same basic requirements. They all seem to point to the same conclusion: get control of your organization's environment with good governance.
A structured and controlled organization generally has a much easier time complying with requirements in regulations. The reverse is also true: if you have to comply with the requirements in a regulation, it's something that can easily lead you to better governance overall for your organization. Here are a few best practices derived from the most common requirements that help lead to good governance.
Controlling your accounts
People in companies and organizations tend to move around; nothing is static for too long. Many employees hold different access rights for different roles and responsibilities over time, but it's rare to see organizations reviewing access control policies and permissions for users who move around. Well-maintained organizations provision people as they start at a company; many even de-provision them when they leave by removing all access that was assigned to the account.
Most people have no problem asking for access to resources as they change jobs and roles, so that's rarely a problem. What's missing is ensuring that access rights to controlled resources are removed or adjusted as job titles and roles change. The proper approach here is to understand what should be controlled, and to register every change to access along with the role that justified it. With that record, you have a process, even a manual one, that can identify people whose access should be removed. Remember, your organization's controlled resources should be in your control.
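The review process described above, as an added example that is not part of the original article: a register of access grants records the role each person held when the grant was approved, and a periodic check compares it against the current roster. The data, names and resources are constructed for illustration.

```python
"""Added example (not from the article): a minimal access-review check.

Assumes a constructed access register where each grant records the role the
person held when the grant was made, plus a current roster of roles. A grant
whose justifying role no longer matches the person's current role is flagged
for review; grants belonging to people absent from the roster are flagged
for removal.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    granted_for_role: str   # role the user held when access was approved


# Constructed sample data: the current roster and the access register.
ROSTER = {"alice": "finance-analyst", "bob": "helpdesk", "carol": "developer"}
REGISTER = [
    Grant("alice", "payroll-share", "finance-analyst"),
    Grant("bob", "payroll-share", "finance-analyst"),   # bob moved to helpdesk
    Grant("bob", "ticketing-admin", "helpdesk"),
    Grant("dave", "source-repo", "developer"),          # dave has left
    Grant("carol", "source-repo", "developer"),
]


def review_access(register, roster):
    """Return (remove, review): grants held by departed users, and grants
    approved for a role the user no longer holds."""
    remove, review = [], []
    for g in register:
        current = roster.get(g.user)
        if current is None:
            remove.append(g)
        elif current != g.granted_for_role:
            review.append(g)
    return remove, review


if __name__ == "__main__":
    remove, review = review_access(REGISTER, ROSTER)
    for g in remove:
        print(f"REMOVE  {g.user:6} {g.resource} (no longer on roster)")
    for g in review:
        print(f"REVIEW  {g.user:6} {g.resource} "
              f"(granted as {g.granted_for_role}, now {ROSTER[g.user]})")
```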
Strong passwords are good policy
One of the more common compliance requirements is to ensure that passwords are strong and protected. This usually includes things like age, length and complexity, which is often managed through Group Policy in a Microsoft Windows environment. What's not so obvious is a history of your organization's password policy, as well as notation of any exceptions that you make.
Complex, difficult-to-guess passwords are really only a start, especially when there are self-service systems that allow you to reset the password by asking for answers to some common questions, many of which are often discoverable via Facebook, LinkedIn or other social media sources.
If your organization has a system to reset passwords via a self-service system, make sure you advise your users of the dangers of providing simple answers to these questions. One suggestion is to respond to questions with answers that don't fit the question. It's much harder for someone to socially engineer or guess an answer to a secret question if the answers don't make sense.