Don’t Lose Control of Your Digital Assets
Any time an IT support professional is granted access to an organization’s electronic or intellectual property that can be adversely manipulated either deliberately or as a result of negligence, it behooves the relevant parties to have a thoroughly vetted data protection program in place. This means having both preventative measures and worst case scenario recovery procedures instituted as they are two sides of the same data security coin.
From a personal standpoint, governance should be established to ensure security policies are followed by all IT staff. Commonly referred to as GRC (Governance, Risk Management and Compliance), most internal IT departments or help desk outsourcing companies adhere to strict guidelines for routine support related tasks such as onboarding, terminations, physical access controls, logical access controls, and separation of duties and responsibilities among its various departments to ensure appropriate controls are in place to monitor and mitigate risks. Furthermore, all employees are generally required to sign non-disclosure/confidentiality agreements adhering to employer as well as any supported client’s terms and conditions. Especially for professionals who are continually exposed to healthcare information for patients, SOX compliance issues, new hires and terminations, and credit union data, training programs on how to handle the relevant data are a must.
Education, contractual compliance, authentication, and enforcement indeed address the human element of the data protection process from a proactive standpoint, but that’s only half the solution. The processes that are triggered after a security incident has been detected demand ever greater vigilance and urgent response, preferably prompted by automated alerts wherever possible as well as live 24 x 7 availability of the infrastructure services team. Even if your organization has never experienced a security incident, there is no excuse for going without a documented security incident process and response plan in place. In fact, most IT support organizations create and at least annually review a Security Incident Response Plan (SIR) to provide an organized, well-defined approach for responding to critical security incidents affecting electronic assets. The SIR often includes the documentation of responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to the protection of personal information.
Procedurally, once an incident is identified as security related, the VP of Technology or CTO then determines the type of the incident that has occurred and assesses its scope, damage, and impact in order to effectively address it. The incident is then logged including system events, actions taken, personnel involved and a snapshot of the compromised system is taken. Notifications and escalations to key security personnel are issued, containment undertaken and operation status updates conducted. The system errors are then eradicated via patches, antivirus tools, and malware file deletions until the impacted system is fully restored. Then the post-incident analysis is conducted to identify areas of exposure and security improvements identified and implemented.
Another key element of data security is to have regular segregation of duties and sensitive access control reviews performed. Access into the managed service provider’s operating environment from internal and external resources demands the implementation of defined authentication and authorization access controls that are commensurate with associated risk. Each access is logged and all end users, including technical support staff such as network administrators, developers, and help desk agents must be accurately identified in a manner appropriate for their role and responsibility. In other words, identity encourages accountability and makes possible a documented electronic paper trail of all actions. As such all systems must authenticate end user identity via username and password access control. The program would apply to automatic disabling of end-user accounts, termination of employment, data encryption controls, login failure lockout, and data storage restrictions. In addition, network administration duties are segregated by various server applications, databases, backup functions, web filters, and directory services such as Active Directory. Simply put, this separation of access and privileges at varying levels for varying roles enforces a checks and balances approach to data security. That way the keys to your kingdom do not reside with a single person and, combined with other proactive and reactive procedural measures, will contribute to greater control over your digital assets.