
CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [19]

and configuration.

Employee transfers are a normal occurrence within a company. If an employee transfers to a new job, the privileges and access they had in the old position may be inappropriate for the new position. Establishing new access rights allows the employee to continue working. If you forget to revoke the old privileges, this user may have access to more information than they need. Over time, this can result in a situation called privilege creep. The user may acquire administrative privileges to the system by accident.

Terminated employees pose a threat to information security. In some cases, a terminated employee may seek to gain access to customer lists, bank accounts, or other sensitive information. When employees leave the company, it’s imperative that their accounts be either disabled or deleted and that their access be turned off. You’d be amazed how often system administrators don’t know about personnel changes. Your user management policies should clearly outline who notifies the IT department about employee terminations as well as when and how the notification occurs.
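The two account-lifecycle failures described above (old rights left in place after a transfer, and accounts left enabled after a termination) can both be caught by reconciling the directory against HR records. The following is an added example, not part of the original book; it also flags accounts that have no HR record at all. Every user name, role, and entitlement in it is constructed for illustration.

```python
# Added example: access review over constructed data (all names hypothetical).

# Entitlements each role is supposed to hold (constructed baseline).
ROLE_BASELINE = {
    "helpdesk": {"ticketing", "password-reset"},
    "payroll": {"payroll-db", "hr-portal"},
    "sysadmin": {"ticketing", "server-admin", "backup-operator"},
}

# HR system of record: employment status and current role (constructed).
HR_RECORDS = {
    "asmith": {"status": "active", "role": "payroll"},  # transferred from helpdesk
    "bjones": {"status": "terminated", "role": "sysadmin"},
    "cwu": {"status": "active", "role": "helpdesk"},
}

# Directory accounts as they exist today (constructed).
ACCOUNTS = {
    "asmith": {"enabled": True, "entitlements": {"payroll-db", "hr-portal", "password-reset"}},
    "bjones": {"enabled": True, "entitlements": {"server-admin"}},
    "cwu": {"enabled": True, "entitlements": {"ticketing", "password-reset"}},
    "dlee": {"enabled": True, "entitlements": {"ticketing"}},  # no HR record
}


def review_access(hr, accounts, baseline):
    """Return sorted (user, finding, detail) tuples for accounts needing action."""
    findings = []
    for user, acct in accounts.items():
        person = hr.get(user)
        if person is None:
            if acct["enabled"]:
                findings.append((user, "orphaned-account", "no HR record"))
            continue
        if person["status"] != "active":
            if acct["enabled"]:
                findings.append((user, "terminated-still-enabled", "disable or delete"))
            continue
        # Privilege creep: rights held beyond what the current role grants.
        excess = acct["entitlements"] - baseline.get(person["role"], set())
        if excess:
            findings.append((user, "privilege-creep", ",".join(sorted(excess))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(HR_RECORDS, ACCOUNTS, ROLE_BASELINE):
        print(*finding, sep="\t")
```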

Real World Scenario

Assemble and Examine Your Procedures

It’s surprising how many businesses think they have a policy in place when one can’t be produced when needed. See if you can answer these questions:

1. Does your company have administrative policies in place? What are they, and where can they be found? Are they easily accessed by, or provided to, new employees? Does each written policy offer some indication of who to contact if there is a question or a breach?

2. When were the software design requirements last checked and/or updated? Are they routinely given to vendors? Who is responsible for reviewing them?

3. When was the last time the disaster recovery plan was checked? Do all administrators know it? Is it in writing and accessible from a remote location should this site become inaccessible?

4. Are informational policies easy to locate? By whom?

5. Are security policies updated frequently? Are they updated with each software change? Do they incorporate the latest patches?

6. Are usage policies part of the employee handbook? Do users sign off that they have seen the policies and are aware of them? How do users receive updates to the policies and signal that they have them and understand them? How do they know when those updates exist?

7. Can the user management policies be located and adhered to in the event that a situation occurs while the chief administrator is at a conference? Is there an escalation procedure in writing indicating who should be notified and when?

Policies not only need to exist, they also must be readily available so they can be referenced by all relevant parties. If this can’t be said of the policies we’ve discussed, then their value is drastically diminished.

Understanding the Goals of Information Security


Like so many things, the goals of information security are straightforward. They create the framework that is used for developing and maintaining a security plan. They’re remarkably easy to express but extremely hard to carry out. These goals are as follows:

Prevention

Prevention refers to preventing computer or information violations from occurring; it is much easier to deal with violations before they occur than after. Security breaches are also referred to as incidents. When an incident occurs, it may be the result of a breakdown in security procedures.

Incidents come in all shapes and sizes. Simple incidents include things such as losing a password or leaving a terminal logged on overnight. They can also be quite complex and result in the involvement of local or federal law enforcement personnel. If a group of hackers were to attack and deface your website, you would consider this a major incident. Ideally, your security procedures and policies would make you invulnerable to an attack; unfortunately, this isn’t usually the case. The better your prevention policies, however, the lower the likelihood of a successful attack occurring.

Detection
