Technical Controls
How Administrative, Technical, and Physical Controls Could Introduce a False Sense of Security
These controls can introduce a false sense of security because people become complacent simply because the controls have been put in place. For example, organizations may fail to regularly review, update, or upgrade these policies, so that the information security tools put in place soon become obsolete. New technological developments appear every day, and they include advanced tools that attackers can use to infiltrate corporate systems. By not keeping these administrative controls updated, organizations can easily be exposed to the same vulnerabilities again.
In addition, the principle of least privilege is another policy that can introduce a false sense of security. The principle of least privilege ensures that access is limited to the minimal level that still allows normal functioning, that is, giving employees the lowest level of user rights that would still enable them to perform their jobs (“Principle of Least Privilege,” 2012). However, just because this policy is in place does not mean that the system is completely secure. For example, when an employee is transferred to a new role, it is often the case that their new user rights are simply added to their old user rights. The access rights from their previous role may no longer be required or appropriate in the new role, and this accumulation of rights creates security issues.
Consequences of Not Having Verification Practices
Not having verification practices, such as verifying user identity through passwords, can lead to unauthorized people accessing the company’s systems (Auditor-General South Africa, 2010). Even if a user is identified as a member of the organization, if there is no verification process for determining the user’s access permissions, unauthorized use of systems can still result. For example, the HR system, which contains all employee and salary information, should be accessible only to, say, the HR and Finance management teams. In this case, there should be a verification process that ensures that the user trying to access the HR system is both a member of the organization and a member of the HR or Finance management teams. Without this verification process, confidential information, such as salary information, can easily fall into the wrong hands.
Even before administrative controls are officially implemented throughout the organization, verification procedures in the form of testing should be performed, especially on the technical controls that are put in place. This is necessary to ensure that the controls are effective, that they actually work, and that they cannot be easily circumvented. Likewise, once the administrative controls are in place and being implemented, verification procedures should again be conducted in the form of audits in order to ensure that the controls remain effective and that members of the organization comply with the established policies.
What a Firm Can Do to Bolster Confidence in Its Defense-in-Depth Strategy
One thing a firm can do to strengthen its defense-in-depth strategy is to “authenticate and authorize all network users” (Snyder, n.d., p. 2). This means that a user must be authenticated at the port level even before being “assigned a network address” (Snyder, n.d., p. 2). Next, the user’s authorization level must be determined; this defines what they are allowed to do and where they are allowed to go within the system. When determining the privileges of a user, Snyder (n.d.) suggests that the following be considered: authentication method, time of day, the user’s location, the machine’s security level, and machine identity.
Another strategy is to use virtual LANs (VLANs) for coarse-grained security and traffic separation (Snyder, n.d.). In particular, security VLANs are implemented successfully through the dynamic assignment of traffic to a VLAN based on the user’s identity. This keeps the network secure while still supporting the quickly moving and changing user populations of an organization.
A third strategy is to use firewall technology for fine-grained security (Snyder, n.d.). This is what actually enforces the network’s security; in particular, implementing the firewall at the port level is most effective. This does not have to be expensive either, as economical solutions such as the 802.1X standard can be used. However, more important than having these technical controls in place is establishing the security policies, which must be resource-based and role-based. These policies define which resources can be accessed and who can access each resource, and they can additionally be conditioned on the day, time, and location of access.
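As an added illustration (not part of the original essay or of Snyder's paper) of two points above, the least-privilege problem of rights carried over across a role transfer and the role-, time- and location-based authorization policy just described: a small policy evaluator plus an audit check that flags entitlements a user's current role no longer justifies. Resource names, roles, locations and the time window are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed resource-based policy: each resource lists the roles that should
# hold it plus contextual conditions (time-of-day window, permitted locations).
POLICY = {
    "hr_system": {"roles": {"hr_management", "finance_management"},
                  "hours": (time(7, 0), time(19, 0)),
                  "locations": {"hq", "vpn"}},
    "crm": {"roles": {"sales"},
            "hours": (time(0, 0), time(23, 59)),
            "locations": {"hq", "vpn", "field"}},
}

@dataclass
class User:
    name: str
    authenticated: bool       # identity verified (e.g. password checked)
    role: str                 # current role, after any transfer
    entitlements: set = field(default_factory=set)  # rights actually granted

def authorize(user, resource, now, location):
    """Access decision: identity first, then the rights the user actually holds,
    then the contextual conditions. Returns (allowed, reason)."""
    policy = POLICY.get(resource)
    if policy is None:
        return False, "unknown resource"
    if not user.authenticated:
        return False, "not authenticated"
    if resource not in user.entitlements:
        return False, "no entitlement"
    start, end = policy["hours"]
    if not start <= now <= end:
        return False, "outside permitted hours"
    if location not in policy["locations"]:
        return False, "location not permitted"
    return True, "ok"

def stale_entitlements(user):
    """Audit check: entitlements the user's current role does not justify,
    the residue left when old rights are simply added to the new role."""
    return {r for r in user.entitlements
            if user.role not in POLICY.get(r, {}).get("roles", set())}
```

Note that a transferred user who kept an old HR entitlement still passes `authorize` for the HR system; only the periodic audit in `stale_entitlements` reveals the accumulated right.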
How These Activities Relate to "Best Practices" and How They Can Be Used to Demonstrate Regulatory Compliance
The process of establishing policies for authenticating and authorizing users relates to the best practice of having End User Acceptable Use Guidelines (Putvinski, 2009), which indicates that the policy should provide clear information about what employees may do with company resources, as well as information on the negative effects of using such resources for personal purposes.
Similarly, these policies relate to the best practice of Password Requirements and Guidelines (Putvinski, 2009), under which the company needs a strong password policy, but not one so inconvenient that employees write down their passwords and thereby become another source of security weakness.
These activities also demonstrate regulatory compliance, since they ensure the privacy and confidentiality of information by allowing only authorized people in authorized places to access it. They also establish that the company’s management team is responsible for the company’s policies and that these policies are well documented.
References
Auditor-General South Africa. (2010, March). Good practice guide: User account management. Retrieved from http://www.agsa.co.za/Portals/1/Audit%20guidelines/ISA%20good%20practice%20march%202010F.PDF
Principle of Least Privilege (POLP). (2012). Retrieved from http://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP
Putvinski, M. (2009, June 9). IT security series part 1: Information security best practices. Retrieved from http://www.corporatecomplianceinsights.com/information-security-best-practices/
Snyder, J. (n.d.). Six strategies for defense-in-depth. Retrieved from http://www.arubanetworks.com/pdf/technology/whitepapers/wp_Defense-in-depth.pdf