Best protection practices

Some practices for protecting information that you will find almost everywhere are:
  • Separation of Duties (SOD)
  • Mandatory Vacations
  • Job rotation
  • Least privilege
  • Need to know
  • Dual control
  • 4 eye principle
Let's start with the first one, SoD. Almost everyone knows that if you split duties between different people, it is easier to apply security measures, and when something is not as it should be you know where to go for an explanation. If Bob is responsible for the financial side of the company and Ted for marketing, you know Bob has to answer when the finances are not right. This is easy to explain, but these days it is a little more complicated to apply in real scenarios. For example, to be flexible, Bob gives Ted an account to be used for all marketing purchases; this way, for any expense on that account, Bob can always be sure Ted is responsible. So far, this is fine. But when Ted empties the account before the end of the year, something needs to be reviewed. So you ask Bob what is going on, and Bob asks Ted, who explains that the marketing campaign he organized cost more than planned. Here the issue starts: Ted now needs more funds, but Bob has no plan for that. Who is responsible here?
As you can see, only by making sure SoD is enforced from the start can you tell that Bob has responsibility for finance: even though he is allowed to share some of his responsibility with Ted, he is still ultimately responsible for the financial situation. In information security we use the word owner. Bob is the owner of finance; the same goes for Ted with marketing.

Mandatory vacations – this looks like something for Human Resources, doesn't it? Well, it is really a security best practice, and the only way to find out whether someone on your team is playing dirty. It goes like this: if an employee never goes on vacation, that is a red flag. It means something may not be right with him, and in many situations the explanation is that he is doing something illegal (fraud, abusing his position, etc.). A good practice is to make vacations mandatory for every employee; this way, while the employee is on vacation, the substitute can find out if something is wrong and report it.

Job rotation – this is a little tricky and not always possible because of the area of expertise each of us has. It is a good practice for managerial positions. When applied, it makes it difficult for someone to abuse their position, and it gives us feedback in case we have an issue with one of our senior managers.

Least privilege – the fewer the possibilities, the lower the risk of impact in case something goes wrong. We apply this practice in almost every system, through the rights given to each group of users.

Need to know – easy to say, difficult to implement, because people always tend to talk to each other. Combined with SoD it is a great practice that makes the protection of information more robust.

Dual control – it means that each person holds one part of the control, so to complete a job you need both of the persons you appointed; otherwise it cannot be completed.

4-eye principle – this control is one we use a lot. It does not mean you need glasses to double-check something, but that two people are involved in applying a change. For example, I write something, but before I can publish it someone else must check that I did everything right and approve the change.
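The three controls that translate most directly into systems (least privilege, dual control and the 4-eye principle, together with the SoD rule that an author never reviews their own work) can be enforced in code rather than left to procedure. The example below is added here and is not code from the original post; the roles, users (bob, ted, alice, ops), change IDs and the two-approval threshold are constructed for illustration.

```python
from dataclasses import dataclass, field

# Least privilege: each role carries only the actions that role needs.
# Constructed roles for the example; a real system maps these to groups/ACLs.
ROLE_PERMISSIONS = {
    "author": {"draft"},
    "reviewer": {"approve"},
    "publisher": {"publish"},
}

REQUIRED_APPROVALS = 2  # dual control / 4-eye: two different people sign off


class PolicyViolation(Exception):
    """Raised when an action would break one of the controls."""


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

    def can(self, action: str) -> bool:
        return any(action in ROLE_PERMISSIONS.get(r, set()) for r in self.roles)


@dataclass
class Change:
    change_id: str
    author: str
    approvers: list = field(default_factory=list)
    published: bool = False


def require(user: User, action: str) -> None:
    # Least privilege: deny anything the user's roles do not explicitly grant.
    if not user.can(action):
        raise PolicyViolation(f"least privilege: {user.name} may not '{action}'")


def draft(user: User, change_id: str) -> Change:
    require(user, "draft")
    return Change(change_id=change_id, author=user.name)


def approve(change: Change, user: User) -> Change:
    require(user, "approve")
    # SoD / 4-eye: the author never counts as a reviewer of their own change,
    # even if they also hold the reviewer role.
    if user.name == change.author:
        raise PolicyViolation(f"SoD: {user.name} cannot approve own change {change.change_id}")
    # Dual control: the same reviewer cannot be counted twice.
    if user.name in change.approvers:
        raise PolicyViolation(f"dual control: {user.name} already approved {change.change_id}")
    change.approvers.append(user.name)
    return change


def publish(change: Change, user: User) -> Change:
    require(user, "publish")
    if len(change.approvers) < REQUIRED_APPROVALS:
        raise PolicyViolation(
            f"dual control: {change.change_id} has {len(change.approvers)} of "
            f"{REQUIRED_APPROVALS} required approvals")
    change.published = True
    return change


def attempt(action, *args):
    """Run an action; return None on success or the violation message on denial."""
    try:
        action(*args)
        return None
    except PolicyViolation as exc:
        return str(exc)


def run_demo() -> dict:
    """Walk one change through the workflow with constructed users."""
    bob = User("bob", frozenset({"author", "reviewer"}))
    ted = User("ted", frozenset({"reviewer"}))
    alice = User("alice", frozenset({"reviewer"}))
    ops = User("ops", frozenset({"publisher"}))

    change = draft(bob, "CHG-1")
    results = {
        "author_self_approves": attempt(approve, change, bob),    # SoD blocks it
        "ted_drafts": attempt(draft, ted, "CHG-2"),               # least privilege blocks it
        "ted_approves": attempt(approve, change, ted),            # first approval, allowed
        "ted_approves_again": attempt(approve, change, ted),      # dual control blocks it
        "publish_with_one": attempt(publish, change, ops),        # one of two approvals
        "alice_approves": attempt(approve, change, alice),        # second, distinct approver
        "publish_with_two": attempt(publish, change, ops),        # allowed
    }
    results["published"] = change.published
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {'ok' if outcome in (None, True) else outcome}")
```

The point of the design is that the checks live next to the action, not in a separate policy document: a reviewer role is needed to approve at all (least privilege), holding that role still does not let the author approve their own change (SoD), and publishing is impossible until two distinct reviewers have signed off (dual control / 4-eye).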