
Security Administrative Controls - Part 1

written by: Tom Olzak, CISSP•edited by: Bill Bunter•updated: 5/7/2010

Access controls prevent unauthorized people from viewing or stealing information assets, and they prevent employees from reaching sensitive information and systems they do not need for their day-to-day tasks. They fall into three general categories: administrative, logical (technical), and physical. This is the first in a series of articles that examines preventive administrative access controls. We begin with a definition and overview of security access controls. (This article is updated content from the book "Just Enough Security.")


    What are Access Controls

    It isn't enough to build a world-class data center; you actually have to grant your employees access to it. But how do you control access in a way that enables the delivery of information when and where your users need it while preventing unauthorized persons from gaining access? Further, how do you protect the integrity of your data from the intentional and unintentional actions of both groups? The answer to these questions is the effective implementation of administrative, physical, and logical (technical) access controls.

    Access controls manage physical and logical access to system and network resources through policies, procedures, access control software, access control devices, and physical barriers. Their application should be based on a careful balance between mitigating risk to the business and maintaining operational efficiency. Locking down your information assets so tightly that it's difficult for your users to access what they need to do their jobs might result in a greater negative impact on your business, over time, than potential threats.

    The controls included in each of the three main categories - administrative, physical, and logical - can be further classified as preventive, detective, and corrective. In this article, we begin a review of the preventive and detective aspects of administrative access controls. Corrective controls are the topic of a separate series on incident response and management.


    Preventive Administrative Controls

    Preventive administrative controls are management policies and procedures designed to protect against unwanted employee behavior. They include:

    1. Separation of duties
    2. Business continuity and DR planning/testing
    3. Proper hiring practices
    4. Proper processing of terminations

    Separation of duties

    Most positive business outcomes are the result of properly executed processes. When a single individual performs all steps in a process, that person has the opportunity to perform an intentional or unintentional act that compromises the confidentiality, integrity, or availability of data, and no second person is positioned to notice. Fraud is also easy to commit and hard to detect.

    To eliminate or mitigate opportunities for unwanted behavior, separate each process into discrete tasks. Divide these tasks between two or more individuals. This creates an environment in which intentional wrongdoing requires collusion. There's also a better chance that mistakes will be caught as the process moves from one set of eyes to another.
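    The division of a process into steps owned by different people can be checked mechanically once the steps are logged. The following is an added example, not code from the article or the book it draws on: it defines a small set of "toxic" step pairs for a constructed purchase-to-pay process (vendor creation, invoice entry, payment approval, payment release; all names are assumptions) and checks both a transaction log and the standing role assignments against it. A preventive check on role assignments catches the problem before any transaction; the log audit is the detective side of the same control.

```python
"""Separation-of-duties (SoD) check over a constructed process log.

Added example; not from the original article. The process steps, conflict
pairs, user names and log entries are all constructed for illustration.
"""
from collections import defaultdict

# Pairs of steps that one person must never perform for the same transaction
# (a "toxic combination"). Constructed for the example; a real matrix comes
# from the process owner and the auditors.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
}


def check_transaction(steps_done):
    """steps_done maps step -> user who performed it, for one transaction.

    Returns a sorted list of (step_a, step_b, user) violations; empty means
    every conflicting pair was handled by two different people.
    """
    violations = []
    for pair in CONFLICTS:
        a, b = sorted(pair)
        user_a, user_b = steps_done.get(a), steps_done.get(b)
        if user_a is not None and user_a == user_b:
            violations.append((a, b, user_a))
    return sorted(violations)


def check_role_assignments(user_roles):
    """user_roles maps user -> set of steps that user is permitted to perform.

    Flags users whose standing permissions let them complete a toxic pair
    alone. This is the preventive check: run it when roles are granted, not
    after the money has moved.
    """
    violations = []
    for user, roles in user_roles.items():
        for pair in CONFLICTS:
            if pair <= roles:
                a, b = sorted(pair)
                violations.append((user, a, b))
    return sorted(violations)


def audit_log(log):
    """log is an iterable of (txn_id, step, user) records.

    Groups records by transaction and returns {txn_id: violations} for every
    transaction with at least one SoD violation. Note the check keys on the
    user ID: a shared login defeats it, which is one reason shared accounts
    are incompatible with separation of duties.
    """
    per_txn = defaultdict(dict)
    for txn, step, user in log:
        per_txn[txn][step] = user
    result = {}
    for txn, steps in per_txn.items():
        violations = check_transaction(steps)
        if violations:
            result[txn] = violations
    return result


# Constructed sample log. T1 is handled by four people; T2 is set up,
# invoiced and approved by the same person.
SAMPLE_LOG = [
    ("T1", "create_vendor", "alice"),
    ("T1", "enter_invoice", "bob"),
    ("T1", "approve_payment", "carol"),
    ("T1", "release_payment", "dave"),
    ("T2", "create_vendor", "eve"),
    ("T2", "enter_invoice", "eve"),
    ("T2", "approve_payment", "eve"),
    ("T2", "release_payment", "dave"),
]

# Constructed standing role assignments; eve holds a toxic combination.
SAMPLE_ROLES = {
    "eve": {"create_vendor", "enter_invoice", "approve_payment"},
    "dave": {"release_payment"},
}

if __name__ == "__main__":
    for txn, problems in audit_log(SAMPLE_LOG).items():
        print(txn, problems)
    print(check_role_assignments(SAMPLE_ROLES))
```

    In the sample, T2 is flagged twice because eve both created the vendor and approved the payment, and entered the invoice and approved the payment; creating the vendor and entering the invoice together is not in the conflict set, so it is not reported. Whether that pairing belongs in the matrix is a business decision, which is the administrative part of the control.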

    Business continuity and disaster recovery planning/testing

    Business continuity activities help protect the availability of your information assets. Included in these activities are incident response and disaster recovery processes designed to prevent security incidents from having a major impact on your business.

    Proper hiring practices

    Since the majority of security incidents are caused by the action or inaction of your employees, hiring the right people is a key administrative control. Two hiring practices help secure business information - background and reference checks.

    Background checks might consist of nothing more than a phone call to local law enforcement for a records check. If an employer believes a more comprehensive check is required, there are online services that quickly perform national checks on prospective employees. The granularity of the check, and the cost the business is willing to absorb during the hiring process, should depend on the sensitivity of the information for which the potential employee will be responsible.

    It's common practice for managers to conduct reference checks on potential new hires. However, these checks often deal only with the person's ability to perform. Performance assessments are sufficient if the data the person is to process daily has little value to the organization, or if management is willing to accept the potential risk. However, if the prospective employee is to regularly process sensitive or business-critical information, there are two additional reference checks the employer should consider: character references and credit checks.

    Checking character references is a good way to determine whether a person can be trusted. Does the person consistently make commitments on which he follows through? Present and former employers may not be the best sources for this information. Lawsuits over character-based comments made by managers about former employees have led a large number of organizations to adopt policies against providing this kind of information. So you should include a request for non-employer references as part of the employment application process.

    Credit checks are another way to determine if a person is right for an open position. A credit check is not necessarily performed to determine if someone is susceptible to bribery, although this is important information if your organization possesses one or more trade secrets critical to its competitive advantage. Another important reason to perform a credit check is to determine the maturity of the individual and her willingness to accept responsibility. You can tell quite a bit from a credit report in which it's obvious that a person is consistently late attending to financial obligations, or doesn't attend to them at all. Note that in many jurisdictions an employment credit check requires the candidate's written consent and is restricted to certain roles, so involve legal counsel or HR before adding it to the hiring process.

    Proper processing of terminations

    During a person's employment with your organization, you might give him access to various information resources. In addition, you might issue him keys, badges, etc. When he leaves, the person processing his termination should follow a well documented process for removing his logical and physical access to all business assets, including your data.

    It isn't always easy to remove all data access rights from an employee who is leaving. Disabling or deleting operating system accounts is the easy part. Finding all application and remote access accounts that bypass operating system security presents the greatest challenge. If your organization is small, I recommend maintaining a spreadsheet with a row for each employee that lists the applications to which she has access and the login ID for each application. Remember that the content of this spreadsheet is sensitive data: it is a map of every account in your organization. As a minimal safeguard, password-protect the spreadsheet file, keeping in mind that the password protection built into older spreadsheet formats is easily defeated. A better solution is to encrypt the file with a dedicated encryption program and a strong passphrase, and to limit who can open it.

    Larger companies may want to consider an Identity and Account Management solution. As the number of accounts increases, so does the cost of tracking and managing where those accounts live. The typical result of a manual solution is a long list of stale accounts in various applications. Besides becoming potential "gotchas" during an audit, these accounts pose a significant risk to your organization: their passwords never change, and they give former employees a means to access your information assets.

    Finally, ensure employees terminated for cause are not left alone within the physical limits of your organization after you inform them of their employment status. An employee terminated for cause should be escorted to his desk, watched as he packs his personal belongings, and escorted off the premises. Remove access to the network during the termination meeting. Most employers for whom I've worked provided notice to Security ahead of the termination discussion. Relevant accounts were disabled before the terminated employee left his manager's office. Also inform the security officers responsible for facility physical security to deny future access to the terminated individual.


    Key Terms

    Collusion - Within the context of information security, collusion is the agreement between two or more individuals to commit an unlawful or unethical act.

    Stale Accounts - An account, either for system or network access, which has not been used during a predetermined period. For example, some organizations may consider an account stale if it hasn't been used for 60 days. The period used depends on the work, vacation, and travel habits of an organization's employees. In any case, stale accounts present significant security vulnerabilities. They should be disabled or deleted.
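    The per-employee account inventory described under "Proper processing of terminations" and the stale-account threshold defined here can be driven from the same data. The following is an added example, not code from the article: it loads a constructed inventory (one row per employee, system and login ID, with the last login date where the application records one; the column names, system names, people and the 60-day threshold are assumptions), produces the deprovisioning checklist for a leaver, and reports every account that is stale under the 60-day rule, never used, or still attached to a terminated employee. In practice the rows would come from HR and from each application's account export; they are inline here so the example runs offline.

```python
"""Deprovisioning checklist and stale-account report over an account inventory.

Added example, not from the original article. The CSV below is constructed;
the systems, logins, dates and the 60-day threshold are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed inventory. An empty or "never" last_login means the application
# has no record of the account ever being used.
INVENTORY_CSV = """employee,status,system,login,last_login
alice,active,erp,alice.m,2010-04-30
alice,active,vpn,amartin,2010-05-02
bob,terminated,erp,bob.s,2010-01-15
bob,terminated,crm,bsmith,2010-02-01
bob,terminated,vpn,bsmith,
carol,active,crm,cjones,2010-01-20
dave,active,erp,dave.k,never
"""


def _parse_date(text):
    """ISO date string -> date, or None for blank / 'never'."""
    text = text.strip().lower()
    if text in ("", "never"):
        return None
    return datetime.strptime(text, "%Y-%m-%d").date()


def load_inventory(text):
    """Parse the CSV inventory into a list of dicts with a real date field."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_login"] = _parse_date(row["last_login"])
        rows.append(row)
    return rows


def deprovision_checklist(rows, employee):
    """Every (system, login) held by a leaver: the list the person processing
    the termination must work through, not just the OS account."""
    return sorted((r["system"], r["login"]) for r in rows if r["employee"] == employee)


def stale_accounts(rows, today_iso, max_idle_days=60):
    """Accounts to disable, as sorted (system, login, reason) tuples.

    An account is reported when its owner is terminated (regardless of
    activity), when it has never been used, or when its last login is older
    than max_idle_days before today_iso.
    """
    today = _parse_date(today_iso)
    cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for r in rows:
        if r["status"] == "terminated":
            reason = "owner terminated"
        elif r["last_login"] is None:
            reason = "never used"
        elif r["last_login"] < cutoff:
            reason = "idle %d days" % (today - r["last_login"]).days
        else:
            continue
        findings.append((r["system"], r["login"], reason))
    return sorted(findings)


ROWS = load_inventory(INVENTORY_CSV)

if __name__ == "__main__":
    print("deprovision bob:", deprovision_checklist(ROWS, "bob"))
    for finding in stale_accounts(ROWS, "2010-05-07"):
        print("disable:", finding)
```

    Two details matter in practice. The report treats a terminated owner as a reason on its own, so an account the leaver used yesterday is still listed; the idle-day check alone would miss it for another two months. And the inventory this script reads is exactly the sensitive spreadsheet discussed above, so protect the file and restrict who can run the report.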
