Keep an eye on your administrators. The people with the most opportunity to misuse or incorrectly share private data are the people with the most access. Compliance regulations usually require organizations to keep track of administrator activity – especially WHO is an administrator. It may seem obvious, but keeping a log of administrator activity is key to maintaining a secure environment that complies with external regulations.
One item that tends to get overlooked is service accounts, the highly privileged accounts that run applications or services. These accounts carry the same administrative access as a human administrator, with the added problem that in most inexperienced or naïve organizations nobody is watching them. There are methods that can ensure service accounts are not being used for unintended purposes, alerting you when someone uses one of these highly privileged accounts for a purpose other than the one it was intended for – for example, an interactive logon from a workstation using an account that should only ever start a service on a known server.
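The check described above, written out as an added example (it is not code from the original article). It assumes a constructed, one-line-per-event authentication log format and a hand-written policy that records the only logon type and source hosts each service account is meant to use; anything outside that policy is reported as an alert.

```python
"""Flag service-account use that falls outside its declared purpose.

Added example, not from the original article. It assumes a constructed
authentication-log format of the form
    <timestamp> account=<name> logon=<type> src=<host> target=<host>
and a hand-written policy describing what each service account is for.
"""
import re
from dataclasses import dataclass

# Constructed policy: the only logon type and source hosts each service
# account is supposed to use. Anything else is "a purpose other than the
# one intended" and should raise an alert.
SERVICE_ACCOUNT_POLICY = {
    "svc-backup": {"logon": "service", "sources": {"bk01", "bk02"}},
    "svc-sql":    {"logon": "service", "sources": {"db01"}},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) logon=(?P<logon>\S+) "
    r"src=(?P<src>\S+) target=(?P<target>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    account: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_service_account_misuse(lines, policy=SERVICE_ACCOUNT_POLICY):
    """Return one Alert per policy violation found in the log lines."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["account"] not in policy:
            continue  # unparseable, or not a service account we track
        rule = policy[ev["account"]]
        if ev["logon"] != rule["logon"]:
            alerts.append(Alert(ev["ts"], ev["account"],
                                f"unexpected logon type {ev['logon']!r}"))
        if ev["src"] not in rule["sources"]:
            alerts.append(Alert(ev["ts"], ev["account"],
                                f"unexpected source host {ev['src']!r}"))
    return alerts


# Constructed sample log: two normal events, one interactive logon by a
# service account from a workstation (the classic misuse pattern), one
# correct logon type from an unapproved host, and one ordinary user logon.
SAMPLE_LOG = [
    "2024-01-08T02:00:01Z account=svc-backup logon=service src=bk01 target=fs01",
    "2024-01-08T02:00:05Z account=svc-sql logon=service src=db01 target=db01",
    "2024-01-08T09:14:22Z account=svc-backup logon=interactive src=ws-jsmith target=fs01",
    "2024-01-08T11:30:00Z account=svc-sql logon=service src=ws-jsmith target=db01",
    "2024-01-08T11:31:00Z account=jsmith logon=interactive src=ws-jsmith target=fs01",
]

if __name__ == "__main__":
    for a in find_service_account_misuse(SAMPLE_LOG):
        print(f"{a.ts} {a.account}: {a.reason}")
```

Run against the sample log this reports three alerts: two for the interactive workstation logon by svc-backup (wrong logon type and wrong source host) and one for svc-sql authenticating from an unapproved host. The policy is deliberately an allow-list; a service account that acquires a new legitimate host should be added to the policy through a documented change, which is itself the kind of administrator activity the article says should be logged.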
Assess, access and alert
In today’s world, data sets are so large and complex that it is hard to regulate who has access. When it comes to regulations and avoiding unintentional sharing of private data, you have to set the baseline and record the current access and permissions. To get a handle on your organization’s controlled resources, record where your organization is TODAY! If you don’t understand who has access to resources, you are missing a key piece of information; consider asking people to help you justify who has access and eliminate those who do not belong. Once you get control of access to these critical resources, you should set up alerts for when that access changes, so you know what’s going on and can address any mistakes or malfeasance at a moment’s notice.
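The baseline-then-alert procedure above, as an added example that is not code from the original article. It models access as a constructed mapping of resource to principal to permission (in practice this would be exported from a directory, file-system ACLs or a cloud IAM policy), stores the baseline as JSON, reports every grant that was added, removed or changed since the baseline was taken, and lists grants nobody has justified so they can be reviewed for removal.

```python
"""Snapshot who has access to critical resources and alert on changes.

Added example, not from the original article. Access is modelled as a
constructed mapping resource -> {principal: permission}; the justification
set is likewise constructed and stands in for an access-review record.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessChange:
    resource: str
    principal: str
    before: Optional[str]   # None means the grant did not exist at baseline
    after: Optional[str]    # None means the grant has since been removed


def snapshot_to_json(access):
    """Serialise a baseline so it can be stored and compared later."""
    return json.dumps(access, sort_keys=True, indent=2)


def load_snapshot(text):
    """Reload a stored baseline produced by snapshot_to_json."""
    return json.loads(text)


def diff_access(baseline, current):
    """Return every grant that was added, removed or changed since baseline."""
    changes = []
    for resource in sorted(set(baseline) | set(current)):
        before = baseline.get(resource, {})
        after = current.get(resource, {})
        for principal in sorted(set(before) | set(after)):
            if before.get(principal) != after.get(principal):
                changes.append(AccessChange(resource, principal,
                                            before.get(principal),
                                            after.get(principal)))
    return changes


def unjustified_grants(access, justifications):
    """Grants with no recorded owner or justification: candidates for removal."""
    return [(r, p) for r, grants in sorted(access.items())
            for p in sorted(grants) if (r, p) not in justifications]


# Constructed baseline recorded "today" and a later snapshot of the same
# resources: a contractor has gained write access to the HR share and the
# CFO's write access on the finance database has been reduced to read.
BASELINE = {
    "hr-share":   {"hr-team": "read", "svc-backup": "read"},
    "finance-db": {"finance-team": "read", "cfo": "write"},
}
CURRENT = {
    "hr-share":   {"hr-team": "read", "svc-backup": "read", "contractor1": "write"},
    "finance-db": {"finance-team": "read", "cfo": "read"},
}
# Constructed access-review record: (resource, principal) pairs someone owns.
JUSTIFICATIONS = {("hr-share", "hr-team"), ("hr-share", "svc-backup"),
                  ("finance-db", "finance-team"), ("finance-db", "cfo")}

if __name__ == "__main__":
    stored = load_snapshot(snapshot_to_json(BASELINE))
    for c in diff_access(stored, CURRENT):
        print(f"ALERT {c.resource} {c.principal}: {c.before} -> {c.after}")
    for r, p in unjustified_grants(CURRENT, JUSTIFICATIONS):
        print(f"REVIEW {r}: {p} has no recorded justification")
```

Both kinds of change are reported, not just additions: a permission that silently drops from write to read can break a legitimate process and is just as worth a look as a new grant. Running the diff on a schedule and treating any non-empty result as an alert is the simplest form of the "know what's going on" control the section describes.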
Make it a policy to communicate
There are many good reasons to document and communicate what your organization is doing and how you are maintaining control of its environment. First, everyone in your organization will know that you’re secure and that any suspicious activity is being tracked. Second, it is easier to train additional people should the need arise.
Next, it makes updating your organization’s environment much easier when there are clear policies and processes in place. Finally, your superiors know you’re doing everything that needs to be done to ensure your organization is safe, secure and compliant with external regulations.
These are only a few best practices among the many controls that regulations place on IT in an effort to be as secure and protected as possible. It would be easy for organizations to review compliance regulations and understand where the intention is to codify good policy and protect users and information. And while I’ve viewed this from the regulatory requirement angle, you could easily reverse it and say, “Our good security policies make it easier to comply with many external regulations.” It’s up to you to get in control and stay in control of your environment from both a policy and a regulatory standpoint. If there was an Amazon.com item for regulatory compliance it might say, “If you like good policy, you might also enjoy a much better (and more secure) IT environment.”