Post the required critiques

Management Briefing: Identity Governance & Administration

Jake Hughes posted Nov 8, 2017 1:41 AM

Managers of Sifers-Grayson,

As the company continues to expand, along with Sifers-Grayson’s use of the Internet as a means of business and communication, threats begin to arise that may not have been there before. Safeguards are in place to prevent harm to individuals and to company secrets/information, but they are also implemented to keep honest people honest. This company may largely employ members of the community and promote from within, but as expressed before, with the expansion of the company it is important to deploy more protection from insider threats. Accidental or malicious, these threats need to be mitigated and prevented. This concern can be mitigated by implementing certain policies to lessen the privileges allowed to employees and by adopting an identity management solution.

To begin, it is important for Sifers-Grayson to enforce separation of duties and least privilege. “Separation of duties is often synonymous with the ‘two-person’ or ‘four eyes’ rule wherein a task can be completed only with the participation of more than one employee” (Miller, 2017). For example, consider an employee who has the privilege to access and approve funds, as well as to write company checks for billing. This employee has the power to allow the access of funds, write the check and sign it, and can proceed to cash it at any bank. Separation of duties will prevent this insider threat from happening. Enforcing least privilege will restrict an employee’s access or privileges to only what is needed for their job. “For instance, your organization may manage privileges so that interns can read or write files only within specified directories, but not execute programs or reconfigure user settings” (Miller, 2017). This is also useful for access to specific files and folders, restricting users to what they “need to know” and nothing more. An efficient way to accomplish this would be to implement role-based access controls (RBAC) and group policies.

With separation of duties, least privilege, and RBAC, the process of requesting and creating user accounts will be more closely monitored and more thorough. This will ensure that one employee is responsible for requesting the creation of user accounts with certain roles and privileges, while another employee is responsible for confirming that the employee is getting the proper roles and privileges that pertain to their job requirements and nothing more. This second employee can also be responsible for creating the account after confirming that the least privilege policy is being enforced within the request.

To assist with enforcing Identity Governance & Administration (IGA), it is important to implement a data classification policy. It is important to train employees to understand the data classification levels, implement the classification levels, and ensure employees are assigned the appropriate classification that is required to complete their duties. “Organizations may consider a similar classification system, which could include categories such as Company Public, Company Confidential, and so on” (Silowash, Cappelli, Moore, Trzeciak, Shimeall, & Flynn, 2012). This will help keep individuals without the need to know from accessing unauthorized data, preventing this type of insider threat.

By implementing separation of duties, least privilege, and data classification policies, Sifers-Grayson will be able to continue business as usual while preventing and detecting insider threats. This way we can direct our main focus on possible vulnerabilities from outside threats and ensure company and client information is secured to the best of our abilities.

References

Miller, S. (2017, July 26). Separation of Duties and Least Privilege (Part 15 of 20: CERT Best Practices to Mitigate Insider Threats Series). Retrieved November 08, 2017, from https://insights.sei.cmu.edu/insider-threat/2017/07/separation-of-duties-and-least-privilege-part-15-of-20-cert-best-practices-to-mitigate-insider-threa.html

Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T. J., & Flynn, L. (2012). Common Sense Guide to Mitigating Insider Threats (4th ed., p. 19, Tech. Rep. No. CMU/SEI-2012-TR-012). Software Engineering Institute. Retrieved from https://resources.sei.cmu.edu/asset_files/TechnicalReport/2012_005_001_34033.pdf
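A minimal model of the controls the briefing proposes, written as an added example (it is not code from the original post or from any Sifers-Grayson system): an RBAC role table with one mutually exclusive role pair (approving funds vs. writing and signing checks), a job-to-roles baseline for least privilege, and the two-person account-request review. All role names, job titles and employee names are constructed placeholders.

```python
# Added example: RBAC with a separation-of-duties (SoD) constraint and a
# two-person account-provisioning review. All names below are constructed.

# Role -> permissions granted by that role.
ROLE_PERMISSIONS = {
    "funds_approver": {"funds:approve"},
    "check_writer": {"checks:write", "checks:sign"},
    "intern": {"files:read", "files:write"},
    "account_admin": {"accounts:create"},
}

# Static SoD: role pairs that one person must never hold at the same time.
MUTUALLY_EXCLUSIVE = {frozenset({"funds_approver", "check_writer"})}

# Job title -> roles that job actually needs (the least-privilege baseline).
JOB_ROLES = {
    "finance_clerk": {"check_writer"},
    "finance_manager": {"funds_approver"},
    "intern": {"intern"},
}


def sod_violations(roles):
    """Return the mutually exclusive role pairs fully present in `roles`."""
    return {pair for pair in MUTUALLY_EXCLUSIVE if pair <= set(roles)}


def excess_roles(job, requested):
    """Roles requested beyond what the job requires."""
    return set(requested) - JOB_ROLES.get(job, set())


def effective_permissions(roles):
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def review_account_request(requester, approver, job, requested_roles):
    """Two-person rule: requester and approver must be different people, and
    the approver's review rejects SoD conflicts and roles the job does not
    require. Returns (approved, reasons)."""
    reasons = []
    if requester == approver:
        reasons.append("requester and approver must be different people")
    for pair in sod_violations(requested_roles):
        reasons.append("SoD conflict: " + " + ".join(sorted(pair)))
    for role in sorted(excess_roles(job, requested_roles)):
        reasons.append(f"role '{role}' is not required for job '{job}'")
    return (not reasons, reasons)
```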
