Procedural and People Security Controls
Organizational Security Culture
A positive security culture must be part of the overall organizational culture and be directed from the top of the organization. IA expectations should be established in contracts of employment, which cover definitions of:
- acceptable standards of conduct, which may cover behaviours related to risks (this should be supported by a Code of Conduct expressing the ethics and standards of the organization)
- ownership of intellectual property
- acceptable use of assets (this should be supported by an Acceptable Use policy serving as an adjunct to the employment contract, which clearly defines levels of infringement and disciplinary steps)
- the disciplinary process and grounds for disciplinary proceedings
- conformity to organization requirements (to protect against vicarious liability)
- duty of care to the organization and staff
- confidentiality requirements
- privacy responsibilities
- responsibilities concerning personally identifiable information (PII)
Security training
Users must be supported with appropriate recorded training in processes and assurance awareness; social engineering is one of the most important areas of security to cover. Appropriate security training will ensure users understand their assurance responsibilities, the risks to assets, and the potential impacts to assets arising from realization of those risks. It will also ensure an awareness of acceptable use policies. Any security training programme must be regarded as a formal project subject to review and measurement.
Security training either focuses on raising general awareness of IS or on addressing specific issues. General awareness training aims to influence behaviour and the perception of risk. Specific training aims to achieve competence in a given area. Awareness and training must be part of a continuous process of reducing risk by developing a positive security culture. When developing training, consider the audience in respect of:
- scheduling: how to effectively schedule delivery
- content: what do they need to know
- motivation: why do they need to know
- current understanding: what is their current understanding
- engagement: how to maintain engagement (language should be tailored and impacts made relatable)
- impact: what should they think/do after training
Segregation of duties and avoiding dependence
Segregation of duties should be applied to roles where there could be a conflict of interest, and has two functions:
- limit the scope of system misuse
- limit dependence
Typically this is achieved by preventing a single user from assuming multiple roles where the duties of those roles conflict. Dependence impact can also be reduced by effective documentation, succession planning, and knowledge sharing.
User Access Controls
Many other controls are based upon user access controls, which themselves rely upon the related processes of identification and authentication (ID&A). User access controls generally limit access through the perimeter of information systems to authorised users. Access should follow the 'need to know' principle, and users should only be granted the minimum level of privilege necessary to perform their assigned roles. The standard approach to extending user access controls to data is to establish three levels of privilege:
- designated owner (full access)
- members of the same group as the owner (limited access)
- others (minimal/no access as appropriate)
There are further levels of access granularity (in terms of action):
- no access
- read
- write
- execute (this implies full access)
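The three privilege levels (owner, group, others) combined with per-action granularity (no access, read, write, execute) are easiest to see as a small resolver. The following is an added example written for these notes, not code from the original; every user, group and asset in it is constructed, and it treats each action as an independent bit so that a group can be granted read without write, which is how the minimum-privilege rule above is applied in practice.

```python
"""Toy resolver for the owner / group / others privilege levels with
per-action granularity (no access, read, write, execute).
Added example, not from the original notes; all names are constructed."""
from dataclasses import dataclass, field
from enum import Flag


class Perm(Flag):
    NONE = 0          # no access
    READ = 1
    WRITE = 2
    EXECUTE = 4
    FULL = 7          # read | write | execute


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = field(default_factory=frozenset)


@dataclass
class Asset:
    name: str
    owner: str
    group: str
    owner_perms: Perm   # designated owner
    group_perms: Perm   # members of the owner's group
    other_perms: Perm   # everyone else


def effective_perms(user: User, asset: Asset) -> Perm:
    """First matching level wins: owner, then group member, then others.
    An owner who is also a group member does not accumulate both sets."""
    if user.name == asset.owner:
        return asset.owner_perms
    if asset.group in user.groups:
        return asset.group_perms
    return asset.other_perms


def is_allowed(user: User, asset: Asset, action: Perm) -> bool:
    """Default deny: every bit of the requested action must be granted."""
    return (effective_perms(user, asset) & action) == action


def least_privilege_findings(assets) -> list:
    """Audit helper: assets whose 'others' level grants more than read,
    which is where the need-to-know principle is most often breached."""
    return [a.name for a in assets if a.other_perms & (Perm.WRITE | Perm.EXECUTE)]


def demo() -> dict:
    # Constructed scenario: alice owns the ledger, bob is in finance, carol is not.
    alice = User("alice")
    bob = User("bob", frozenset({"finance"}))
    carol = User("carol", frozenset({"sales"}))
    ledger = Asset("ledger.csv", "alice", "finance",
                   Perm.FULL, Perm.READ, Perm.NONE)
    notice = Asset("notice.txt", "alice", "finance",
                   Perm.FULL, Perm.READ | Perm.WRITE, Perm.READ | Perm.WRITE)
    return {
        "alice writes ledger": is_allowed(alice, ledger, Perm.WRITE),
        "bob reads ledger": is_allowed(bob, ledger, Perm.READ),
        "bob writes ledger": is_allowed(bob, ledger, Perm.WRITE),
        "carol reads ledger": is_allowed(carol, ledger, Perm.READ),
        "findings": least_privilege_findings([ledger, notice]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `least_privilege_findings` audit is the part worth keeping in mind: the model itself only answers "is this allowed?", and it is the periodic review of what the 'others' level grants that catches over-broad access.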
Administration of access controls
The roles of the system administrator and the standard user must not be combined and the actions of administrators must be regularly independently audited. The role of the system administrator includes:
- enrolling legitimate users
- removing users: users leaving the organization should have their accounts deleted on the day of effect and all rights removed. Ownership of any data assets must be transferred to another user. Existing roles should be audited regularly.
- modifying user access rights: this may also involve the transfer of asset ownership. There should also be an established process for a user to apply for strictly temporary additional privileges for prearranged periods.
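The administrative functions above (enrolment, removal on the day of effect with transfer of asset ownership, modification of rights, and strictly temporary privileges for a prearranged period) together with the rule that administrator and standard-user roles are not combined, can be modelled as one small account-administration object. This is an added example written for these notes, not code from the original; the role names, usernames, asset names and timestamps are all constructed, and the audit log is an in-memory list standing in for whatever record an independent auditor would actually review.

```python
"""Toy model of user-account administration: enrol, modify, remove, and
time-boxed temporary privileges, with an append-only audit record.
Added example, not from the original notes; all names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ADMIN_ROLE = "sysadmin"   # assumed name for the administrator role


@dataclass
class Account:
    username: str
    roles: set = field(default_factory=set)
    active: bool = True


@dataclass
class TemporaryGrant:
    username: str
    role: str
    start: datetime
    end: datetime          # prearranged expiry; no renewal in this model
    revoked: bool = False


class AccessAdministration:
    def __init__(self):
        self.accounts = {}
        self.asset_owners = {}   # asset name -> owning username
        self.grants = []
        self.audit_log = []      # append-only; reviewed independently

    def _log(self, admin, action, detail):
        self.audit_log.append((admin, action, detail))

    @staticmethod
    def _check_separation(roles):
        # Administrator and standard-user roles must not be combined.
        if ADMIN_ROLE in roles and len(roles) > 1:
            raise ValueError("administrator role cannot be combined with user roles")

    def enrol(self, admin, username, roles):
        self._check_separation(set(roles))
        self.accounts[username] = Account(username, set(roles))
        self._log(admin, "enrol", f"{username} roles={sorted(roles)}")

    def assign_asset(self, admin, asset, username):
        self.asset_owners[asset] = username
        self._log(admin, "assign_asset", f"{asset} -> {username}")

    def modify_rights(self, admin, username, roles):
        self._check_separation(set(roles))
        self.accounts[username].roles = set(roles)
        self._log(admin, "modify_rights", f"{username} roles={sorted(roles)}")

    def grant_temporary(self, admin, username, role, start, duration):
        """Extra privilege for a prearranged period only; expires by itself."""
        account = self.accounts[username]
        self._check_separation(account.roles | {role})
        grant = TemporaryGrant(username, role, start, start + duration)
        self.grants.append(grant)
        self._log(admin, "grant_temporary",
                  f"{username} role={role} until={grant.end.isoformat()}")
        return grant

    def effective_roles(self, username, now):
        """Base roles plus any temporary grant live at 'now'; nothing once removed."""
        account = self.accounts[username]
        if not account.active:
            return set()
        live = {g.role for g in self.grants
                if g.username == username and not g.revoked
                and g.start <= now < g.end}
        return account.roles | live

    def remove(self, admin, username, transfer_to):
        """Leaver: disable on the day of effect, strip all rights, revoke open
        grants, and transfer asset ownership to another active user."""
        if not self.accounts[transfer_to].active:
            raise ValueError("assets must be transferred to an active account")
        account = self.accounts[username]
        account.active = False
        account.roles.clear()
        for g in self.grants:
            if g.username == username:
                g.revoked = True
        moved = sorted(a for a, o in self.asset_owners.items() if o == username)
        for a in moved:
            self.asset_owners[a] = transfer_to
        self._log(admin, "remove", f"{username} assets->{transfer_to}: {moved}")
        return moved
```

Passing `now` into `effective_roles` rather than reading the clock inside keeps the expiry logic testable, and the same call is what a periodic role audit would run over every account to confirm that no temporary grant has outlived its prearranged period.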
Access points
Any location (logical or physical) from which the internal systems can be accessed constitutes an access point. These may be:
- direct
- wireless
- remote
The two main IS issues associated with giving access are:
- ensuring successful completion of ID&A
- protecting the data both for the ID&A exchange and for the session