Have you ever wondered about the source of information for WikiLeaks? Was it an employee with malicious intent, a lost mobile phone or a discarded hard disk? Most companies which feature on WikiLeaks have probably had some kind of audit done on the source of the leak and then put together a control measure. Here we take a look at some of the most common information security audit “observations” and at the reality, as far as the counter-measure goes.

| Scenario | Business Observation | Reality Check |
| --- | --- | --- |
| Theft of data from network resources | Network transmission was not encrypted and should be encrypted. | Security offered by the network layer begins and ends with the transmission. |
| Misuse of a file by authorized personnel or by an unknown person | Files and folders are not protected and therefore all confidential files must be password protected. The security of a password-protected file is easily lost once the user opens it. | Do you remember the passwords of all files that were shared with you over the last 6 months? Did you keep a common password for all your files even though you were sending them to different people? |
| Process documents or credit card statement data were reprinted by employees or by an external print service provider | There is no control over printing and therefore printers should be in a secluded location with physical access control. Data sent to an external vendor should be encrypted and the vendor must be contractually obligated to delete the data after the first print. Physical control over printers in the office does not really control printing and the associated data loss. | What if a vendor relationship ends on a hostile note? When does the vendor inform you about a lost laptop, a lost USB drive or an exception taken to a no-USB policy? Can you be sure of blocking an individual employee or vendor from misusing the data? |
| An employee who should not have had access to a folder on the file server had access and misused the information. | Access permissions on the file server folders are not configured properly. There should be a formal approval workflow before access is granted to any folder on the file server, and access should be removed as soon as it is no longer required. Employees can still share information with their colleagues via email. | Permission removal never really happens. |
| An ex-employee as well as trusted consultants misused information and systems after the relationship or project ended. | All employees and consultants should sign a strict non-disclosure agreement (NDA). An employee's ID should be disabled as soon as he or she has left the organization. Disabling the ID does not necessarily mean disabling access to all information; copies of information can easily be made before a resignation is tendered. | Detection of an NDA breach and enforcement of corrective measures are extremely difficult and long-drawn-out processes, and the person responsible for the breach knows this! So now what do we do? |
The biggest challenge with audit recommendations and the corrective controls is that each recommendation focuses on a particular “risk”. The specific scenario may not be repeated once the control is implemented, but the control creates a new “scenario” which will come up in the next audit.

The final objective of most information security audits is not an audit of information systems but an audit of the information itself! Once this fact is accepted, a comprehensive “control” over the information is the obvious next step.

To perform an information audit, a persistent, information-locked method of monitoring (and controlling) information is the first step. Information Rights Management (IRM) systems offer such a capability. IRM systems like Seclore FileSecure allow the company and the security auditor to discover:
- WHO has used / misused the information
- WHAT the person has done with the information (viewed, edited, printed, etc.)
- WHEN the person used the information (date & time)
- WHERE the user accessed the file from (computers, networks, …)
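The four questions above are what an information-locked audit trail has to answer, and they also need to be checked against a rights policy and against the offboarding scenario from the table (the ex-employee who keeps using copies). The following is an added illustration written for this post; it is not Seclore FileSecure's code, log format or API. The `AccessEvent` record, the `RIGHTS` and `OFFBOARDED` tables and every event in `EVENTS` are constructed sample data: `usage_report` answers who/what/when/where for one document, and `violations` flags each recorded use the policy does not permit.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed example, not Seclore FileSecure's own log format or API.
# One hypothetical IRM audit record: which document, which user, what
# action, when, and from where (the four questions an information audit asks).


@dataclass(frozen=True)
class AccessEvent:
    doc: str
    user: str
    action: str        # "view", "edit", "print" or "copy"
    when: datetime
    where: str         # hostname or network the access came from


# Hypothetical rights policy: per document, the actions each user may perform.
RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "Q3-forecast.xlsx": {"alice": {"view", "edit"}, "bob": {"view"}},
    "card-statements.pdf": {"carol": {"view", "print"}},
}

# Hypothetical offboarding dates: any use on or after this date is a breach,
# whatever rights the person held while employed.
OFFBOARDED: Dict[str, datetime] = {"bob": datetime(2011, 3, 1)}

# Constructed audit trail (sample data, not real events).
EVENTS: List[AccessEvent] = [
    AccessEvent("Q3-forecast.xlsx", "alice", "edit", datetime(2011, 2, 10, 9, 12), "LAPTOP-01"),
    AccessEvent("Q3-forecast.xlsx", "bob", "view", datetime(2011, 2, 15, 14, 3), "DESK-07"),
    AccessEvent("Q3-forecast.xlsx", "bob", "print", datetime(2011, 2, 20, 17, 45), "DESK-07"),
    AccessEvent("Q3-forecast.xlsx", "bob", "view", datetime(2011, 3, 5, 22, 10), "HOME-NET"),
    AccessEvent("card-statements.pdf", "carol", "print", datetime(2011, 2, 28, 11, 0), "PRINT-SRV"),
    AccessEvent("card-statements.pdf", "dave", "view", datetime(2011, 3, 2, 8, 30), "VENDOR-VPN"),
]


def usage_report(events: List[AccessEvent], doc: str) -> List[Dict[str, str]]:
    """WHO / WHAT / WHEN / WHERE for one document, in time order."""
    rows = sorted((e for e in events if e.doc == doc), key=lambda e: e.when)
    return [
        {"who": e.user, "what": e.action,
         "when": e.when.strftime("%Y-%m-%d %H:%M"), "where": e.where}
        for e in rows
    ]


def violations(events: List[AccessEvent],
               rights: Dict[str, Dict[str, Set[str]]],
               offboarded: Dict[str, datetime]) -> List[Tuple[str, str, str, str]]:
    """Flag every event the policy does not permit as (user, doc, action, reason)."""
    found: List[Tuple[str, str, str, str]] = []
    for e in events:
        left = offboarded.get(e.user)
        if left is not None and e.when >= left:
            # The ID may still exist, but the person has left: any use counts.
            found.append((e.user, e.doc, e.action, "access after offboarding"))
            continue
        allowed = rights.get(e.doc, {}).get(e.user)
        if allowed is None:
            found.append((e.user, e.doc, e.action, "no rights on document"))
        elif e.action not in allowed:
            found.append((e.user, e.doc, e.action, f"'{e.action}' right not granted"))
    return found


if __name__ == "__main__":
    for row in usage_report(EVENTS, "Q3-forecast.xlsx"):
        print(row)
    for v in violations(EVENTS, RIGHTS, OFFBOARDED):
        print("VIOLATION:", v)
```

The point of the structure is that the check runs on the document's own audit trail rather than on the file server's folder permissions: the print by a viewer-only user, the use from a home network after the leaving date and the vendor account with no rights at all are each visible as a single record, which is what lets an auditor work on the information rather than on the system that once held it.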
Ref links : RBI IRDAINDIA