Monday, November 12, 2012

Is your IT team the weak link?

A recent article in "Bank Info Security" (http://www.bankinfosecurity.com/fraudsters-target-bank-employees-a-5269?rf=2012-11-09-eb&elq=7cc1647406704dd7bc60a34c9d54e8b0&elqCampaignId=5063) tells of a breach disclosing hundreds of thousands of customers' records. Experian, the credit reporting group, revealed that the breach was due to lax security at a credit union's IT department. This has to be especially vexing to those customers who then had to monitor their credit and lose sleep at night over the potential impact to their finances, present and future.

In IT, there has to be a balance between the effort required to do your job and the reward for discouraging data loss. Where that balance sits depends on the potential liability to the company for data loss.

While it's difficult to ensure a breach will never occur, there are some basic, fundamental safeguards an IT department can take that will create a layered security approach and deter a breach from having a payoff.

  • Create, follow and periodically test adherence for policies and procedures that support an established risk appetite
    • Separation of Duty
    • Implement the Least Privilege Principle
      • Establish a reporting system for certain Privileged Account uses and ensure review is performed on a regular basis
      • Create multiple logins for system administrators with access to vulnerable environments
      • Require management approval for privileged account creation
      • Work with system vendors to establish granular permission requirements
      • Where possible, limit the scope for system accounts
  • Beginning with development, consistently follow a documented and socialized SDLC (Software Development Lifecycle) – including using either masked data or non-customer data for testing environments
  • Establish periodic security and risk training for IT employees
  • Establish architectural guidelines with management sign-off on any system changes that modify security parameters
    • Include a review by selected Security personnel
    • Include a sign-off from the business to ensure they are aware of security changes to applications
  • Use Role-Based Access Controls
  • Limit data transmissions from end user subnets
  • Secure all data transmissions containing customer data
  • Limit and monitor physical access to sensitive systems
  • Implement an Incident Response Team to ensure a consistent response in the event of a breach.
  • Implement a strong problem management/resolution process. Although this is not specifically security-related, it supports a consistent business approach to issues.
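The privileged-account reporting, management-approval and scope-limiting items above can be turned into a regular review. The script below is an added example, not code from the original post: it assumes a constructed activity export of the form `<timestamp> <account> <command...>` and a constructed approval register (account to the commands management approved it for), then summarises usage and flags accounts with no approval and approved accounts running commands outside their approved scope.

```python
from collections import Counter

# Constructed sample export: one line per privileged action, "<timestamp> <account> <command...>"
SAMPLE_LOG = """\
2012-11-12T08:01:13 svc_backup /usr/bin/rsync -a /srv /backup
2012-11-12T08:05:40 jdoe-adm /bin/systemctl restart httpd
2012-11-12T09:17:02 svc_backup /usr/bin/rsync -a /home /backup
2012-11-12T10:22:55 tmp_admin /usr/sbin/useradd ghost
2012-11-12T11:03:09 svc_backup /bin/bash
"""

# Constructed approval register (hypothetical): account -> commands management approved it for
APPROVED_SCOPE = {
    "svc_backup": {"/usr/bin/rsync"},
    "jdoe-adm": {"/bin/systemctl"},
}


def parse_log(text):
    """Return (timestamp, account, command) tuples; malformed lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3:
            events.append(tuple(parts))
    return events


def review(events, scope):
    """Summarise privileged usage per account and flag two least-privilege failures:
    accounts with no management approval, and approved accounts used outside their scope."""
    usage = Counter(acct for _, acct, _ in events)
    unapproved = sorted(acct for acct in usage if acct not in scope)
    out_of_scope = []
    for ts, acct, cmd in events:
        # Compare only the executable, not its arguments, against the approved set
        if acct in scope and cmd.split()[0] not in scope[acct]:
            out_of_scope.append((ts, acct, cmd))
    return {"usage": dict(usage), "unapproved": unapproved, "out_of_scope": out_of_scope}


if __name__ == "__main__":
    for key, value in review(parse_log(SAMPLE_LOG), APPROVED_SCOPE).items():
        print(key, value)
```

Run against a real export, the "unapproved" and "out_of_scope" lists are what the periodic reviewer signs off on; an empty report is the expected steady state.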

For the most part, none of these are expensive requirements. They do require a mature process attitude, but there are a lot of positive benefits that come from this attitude, including improved system availability, less overtime for IT staff and, most definitely, an improved technology risk footprint.

These steps will complement and support a rigorous risk attitude in an environment where data loss could be costly. At a minimum, they instill a disciplined approach to managing the IT environment. You never go wrong by emphasizing this type of approach in IT.
