Every IT department relies on technologies such as intrusion prevention systems and firewalls to protect their network and data from attack. However, the first, most important step in defining a security strategy is making sure only the right people have access to your systems, even within your organization. It's not a pretty thought, but the biggest threat to your business remains your own people, and extends beyond typical end users to your IT support and admin staff.
The Data Security Policy Template, from our partners at Toolkit Cafe, lays out 12 key points for managing access to your systems and data. The template is available free to IT Business Edge users here in the IT Downloads library.
Some of the template's admonitions are simply declarations of standard practices-don't share your password, and the like. Others may seem a little overhead-heavy for your management culture, and of course you customize the template to meet your specific needs. But before relaxing the standards laid out in the policy, consider the consequences if folks get access to files or databases that they simply should not have.
Some key tenets of the sample policy include:
Generic user-IDs based on job function are prohibited. Many shops assign a common login to an asset and then simply share that with a group. For a million reasons, that's a bad idea-you lose the ability to track individual's behaviors and run a heightened risk of that ID slipping outside the intended group. Group user IDs may be applicable in some instances, such as with a contractor, but they can be set up only with a high-level clearance.
Restriction of special system privileges. Not only should the ability to read and write to other people's data be limited to system admins, those admins should undergo specific training, not only in the tech but also on policy that defines appropriate use of that authority.
Privileges for remote administration of Internet-connected computers in the demilitarized zone (DMZ) must be restricted. Any sort of remote administration should be conducted over encrypted links, such as a VPN.
Access privileges associated with a user account (ID) may be disabled if the user goes on vacation or goes on leave for an extended period. This may seem a bit heavy-handed, particularly in today's always-connected business culture. But if you have a staffer who you know is not going to access the system for a couple weeks, consider shutting down the account until she or he returns. No reason to leave an attack point open if you don't need to.
Information must be classified. Again, this may seem like a lot of overhead, but business managers need to let IT know the general sensitivity of different types of data so that IT can put appropriate safeguards in place. This includes details about the job responsibilities of users and why they need access to certain systems.