IT Manager's Handbook: Getting Your New Job Done (52 page)

Your users need to be made aware of security issues. For example, users should be aware of the security pros and cons associated with storing a file on the LAN versus on their local hard drive. They should be told how to password protect files that have sensitive information, and they should be aware of the risks of printing certain information to a shared printer.

Users should be in the habit of logging off at night or when they'll be away from their desk for an extended period of time—better yet, look to implement application time-outs, and screensavers, that automatically lock the screen or log out after a period of inactivity.

Finally—and often most commonly—users should be aware of the security risks associated with sending (or physically taking) company files to their home machines. All the effort you put in to safeguard the company's data can be superseded by an employee mailing themselves files to work from at home. This was a practice that was not even noticed a few years ago but is now a very large concern in today's very mobile and always connected environment.

Training Users

There are books, videos, consultants, and companies that can help you with this task. Like corporate safety, computer security has become an enormous industry in and of itself. Train users about passwords, locking their workstation when they step away, and logging off at the end of the day. Users must understand that security is not strictly about IT—your training should include topics such as notifying the security guard if they see a stranger wandering the halls unescorted, locking file cabinets and office doors, and using shredders for confidential documents. Also, don't overlook guidance and reminders about those purely innocent errors, such as leaving a confidential document in the copier or discussing sensitive information in a public area (like an elevator!). Most sales reps learn early never to discuss client names in public places regardless of how innocent the situation seems. However, non-sales people are often overheard talking about the challenges of dealing with Client X or Customer Y on subways, airplanes, etc.

Use these themes to regularly train your users in computer security. Security should be an ongoing theme in the IT department, and users need to understand it. Look to make it part of the new-hire orientation, as well as an ongoing program.

Be sure to consider generational factors when training your users, the younger generations may not take your concerns as seriously. A 2010 Accenture study and report found that Millennials are likely ignoring or violating your IT policies right and left, using non-standard applications and improvising where they think it makes sense. In addition, the Accenture study found that Millennials routinely bypass corporate approval when it comes to downloading and using technology (43 percent use non-supported instant messaging, and 31 percent rely on rogue open-source technologies). For more information about this issue, see the section
“Generational Issues at Work”
in
Chapter 2, Managing Your IT Team
on
page 57.

Employee Impact

As mentioned earlier, in the computer security world, finding the right balance between privacy, security and convenience can be very difficult. Users need to be aware of the fact that their computer activity at work is monitored and that that monitoring is done for a variety of reasons, including security—their own security, not just the company's security.

Most companies have policy guides that indicate that company resources (such as the phone system and computers) are for corporate use only—even if some personal use is unofficially acceptable. The policies will often also indicate that the company has the right to monitor usage.

The explosion in the use of smart phones—it is the rare person in the corporate world who does not have one nowadays—has caused this line to be blurred. What are personal phones, what are company phones, what are personal calls on company phones, what is company usage on private phones? If anyone asks you—and they probably will—the cleanest solution is to have individuals carry two phones. It sounds ridiculous but is not that rare. (It is not the occasional personal phone call or the checking-e-mail-while-on-vacation situation; it is the regular habit that causes problems for both parties.) But many organizations have adopted more liberal approaches, especially those with a Bring-Your-Own (BYO) program (see
Chapter 11, Connectivity: Social Media, Handhelds, and More
, on
page 287
).

Use Care When Surfing

Make your users aware that today's computing world is a complex network that requires a more conscientious and careful computer user. Of course it's certainly possible to accidentally go to an inappropriate website—we have all mistyped an address and found ourselves on a very different page from what we were expecting. But repeated travels to those sites will be noticed and acted upon. (See the section
“Intention Matters”
on
page 208
in this chapter.)

Action 5: Remember That Security Is an Ongoing Process

You'll never be able to say: “Okay, we're done, the environment is secure.” Security should be looked at as an ongoing, iterative process. The IT staff should always be on the lookout for ways to improve security. Audits and compliance activities should be viewed as welcome opportunities for continuous reviews of security.

8.3 Security Solutions and Technologies

With entire volumes dedicated to the subject of computer security technologies, a single chapter in an IT book that focuses on the business issues (and not the details of technologies) cannot do it appropriate justice. However, there are some basics you should be familiar with.

Tracking and Controlling Access

Carefully control and monitor who goes in and who goes out of your systems: who enters your systems, what they do there, and when they leave, as well as who enters your facilities and who and when they exit it.

Control Access

A critical component of controlling access is to follow the
Rule of Least Privilege
: users should only be granted the least amount of access to the system, and for the least amount of time necessary, as is authorized and required for their job. More access and longer access time allow for more potential problems. Firewalls, access control lists, and other security measures can authenticate users to authorized areas of networks without taking large risks and without spending a lot of money and time.

The rule originated in the
Orange Book
(part of the Rainbow series of Department of Defense books on computer security written in the early 1980s) and is officially defined as follows: “Least Privilege—this principle requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use” (
csrc.nist.gov/publications/history/dod85.pdf
).

The previous method of controlling access was called the “
M&M model
”: the idea was to make your system “hard on the outside and soft in the middle.” That model is being replaced by “de-perimeterization” techniques, which make your systems secure
throughout.

One method of achieving security throughout your system is to implement secure zones. A University of California information security site defines secure zones as “a combination of policies, procedures, and technical tools and techniques that enables an organization to discreetly protect its own information assets. It's a logical and physical environment with strong visible management support in which access privileges to all information assets are clearly defined and followed without exception.”

Tracking Activity

A variety of methods can be used to track activity:

•
System log files

•
Monitoring programs

•
Network mapping tools

•
Physical access

System Log Files

Almost every technology solution (both hardware and software) generates log files of activities. The level of detail that can be captured can vary tremendously from one product to another and is often configurable by administrators. Servers, desktops, business applications, operating systems, network hardware, and monitoring and management utilities—all have log files. Log files can indicate who did what, at what time, on which device, and from where. Log files can be used for basic troubleshooting or to investigate security issues. These files can be examined and monitored to track user activities.

Log files can be so voluminous that some vendors have utilities to allow for proactive monitoring of them so that pre-defined event types trigger certain types of alerts and actions.

Monitoring Programs

Similar to log files, tools exist that allow you to track all the activity of your network. In addition to the old standard of tracking sites visited, you can now monitor programs used and keystrokes typed. One example of this is a packet sniffer. A packet sniffer is a software package that can examine the data traffic on a network. Typically, a sniffer is used to troubleshoot and isolate network problems. However, it can also be used when investigating security issues. For example, a packet sniffer can be used to “trap” data to and from a particular device or can be used to look for particular content.

Network Mapping Tools

In larger environments, it can be a daunting task just to be aware of everything on the network. While the server side may stay relatively static, activity on the user-device side can be constantly changing with printer and workstations being regularly moved, replaced, and added; to say nothing of handheld devices and wireless connectivity. There are tools that can rapidly scan large networks and identify which hosts are available on the network. These tools can usually identify some key aspects of the devices, such as what type of device it may be (printer, workstation, switch), what operating system it is running, and so on. Tools like these can help identify oddities that need to be investigated (e.g., “Why are those workstations running server software?”).

Physical Access

In addition to obvious building security (door locks, access cards, etc.), physical access to IT areas should be controlled. Access to the computer room or data center should be limited to those individuals who require it. Other IT areas (e.g., wiring closets) should be locked. Because of the concerns of confidential content, printed report distribution should be controlled, and an industrial-strength shredder (or third-party shredding service) should be available to dispose of output that is no longer needed.

Traditional tools for tracking access within a facility, such as security cameras, access card readers, and sign-in sheets, should also be considered part of the arsenal. Reviewing these periodically (particularly sign-in sheets and access cards used for the data center) can be very worthwhile. Simply asking your company's security department to periodically review which employees have access cards that allow entry to the data center demonstrates that you need to partner with them as part of the overall IT security process.

Accounts and Passwords

Account Usage

There are some basic principles in setting up accounts that can help ensure that they aren't used for unauthorized activities:

•
You may be able to limit an account's usage to certain days of the week and hours of the day. This can be a worthwhile option for temps and consultants’ accounts.

•
You can often set an account to be disabled automatically at a certain date. This is also a good feature to use for temps and consultants, as these users often leave the company with no notification to IT.

•
You may want to consider limiting how many times a user can log in simultaneously, or perhaps limit it to two (so the user can log on from home even if they forgot to log out when leaving the office).

•
Review accounts periodically for usage. If an account hasn't been used, for example, in several weeks, it may be worth investigating. Perhaps the employee is on some kind of leave. After a defined time, you can disable the account. If there is no further inquiry about the account after another few weeks, it may be safe to assume that the account is no longer needed.

•
Unless otherwise justified and requested, new accounts should be given “plain vanilla” access privileges. Any request for additional access or privilege should be submitted in writing by an authorized individual.

•
Consider using special naming conventions for temps, interns, and consultants so that security administrators can spot them easily and monitor their activity quickly.

User Terminations

Although it's generally easy to ensure that accounts are created when needed (it's easy because the user keeps complaining until it is done), it's more of a challenge to ensure that accounts are deleted/disabled when they should be. Too often when an employee leaves the company, the IT security administrator is the last to hear of it. HR should notify IT immediately of any employment terminations so that IDs can be disabled and deleted. When an employee does leave the company, there should be a procedure for moving her files, e-mail, and so on to another employee's ID (perhaps a coworker or manager) so that there is no need for maintaining the terminated employee's ID. Look to implement automatic triggers to disable user accounts when an employee is terminated, or if the account has not been used for an extended period.