The World Cup is upon us and so for the next four weeks life comes to a standstill. Already meetings are being planned for the week after the final as everyone assumes that his or her team will feature on July the 10th.
One thing however is certain; someone will emerge as a superstar and there will be at least one scapegoat. Reputations will be made and lost in the four weeks, and no matter what they achieve or do not achieve after the World Cup, the tag of superstar or scapegoat will stay with them for the rest of their playing career. And things are no different in any other walk of life. Our association with success and failure stays with us, and the higher up the totem pole we are the more serious the consequences for our organisations and for ourselves.
Never before has the consequence of a lack of effective IT controls been as critical to the continuity of business. Investor confidence in business is inextricably tied to the reliability, accuracy, and timeliness of financial reporting. And financial reporting is virtually totally dependent on IT since virtually all business controls and business processes are automated. Additionally the CTO, CIO, and internal auditors are responsible for the quality and security of information and systems, and yet although those in the position have a superstar status, frequently their unawareness and unwillingness to address the need for basic IT controls means that probably 1 in 5 will go from superstar to scapegoat in the next few years.
In many organisations the comment is frequently made that although they are aware that things could be improved they believe that they are not a likely victim. However 1 in 5 companies are likely to fail IT audits, and the refusal of an external auditor to sign the financial statements due to audit exceptions can have drastic effects on a company’s value and investor confidence.
It therefore should go without saying that every organisation should have policies in place that ensure that an independent examination demonstrates that effective controls are in place within the IT infrastructure that offer the assurance that your organisation is aware of the risks and is actively taking steps to ensure compliance to company policies.
These policies should take account of the following considerations
1.Privileged user passwords should be kept in a secure location. The number of user accounts with privileged access must be kept to a minimum and passwords for these accounts must be changed on a regular basis. Additionally, organizations should enact policies that restrict access to privileged user passwords and administrative/root/service passwords to a “need to have” basis. By default, every instance of access to these passwords must have an audit trail. Every privileged user must have an account owner(s) who is responsible for controlling access to the account. This should allow for contingency procedures where any member of the responsible group can be authorized to release the password.
2.Every privileged user account must have its own unique password and should be configured to change at least every 60 days.
3.The use of any privileged user account must have the accompanying audit trail. Consideration should be given to differing policies for development and production systems. For example, privileged user access to a production system should only be possible with dual control, whereas a development system password may be accessible, within certain environments, without the need for dual control. Both production and development system passwords should be changed on a regular basis.
4.In production environments, all groups, regardless of responsibility or location, should adhere to a common policy. This implies that policies related to how privileged user passwords are released and the frequency of change should apply across the board.
5.External staff should never have privileged user access to a system using a guest or temporary account. Access should be granted via the default account, and the passwords should be immediately reset on completion of the task.
6.The privileged user password must only be released under strict controls. The policy must ensure that the password is directly changed after each use.
7.A designated member of each team should be responsible for reporting each use of the firecall account to IT security, and the password should be changed within a minimum time period after the user has finished the necessary task. If possible, those responsible for releasing the passwords should not be given access to the password itself. A daily audit report should be carried out to report use of any firecall accounts. Multiple IT security staff should be designated as having approval rights to authorize use, with a best practice of dual control.
Best practices are vital
In order to ensure that an organization protects its interests, it must ensure that clear policies and standards are in place to manage and control who has administrative access. Ultimately, the most effective approach is to ensure that the number of privileged user accounts on systems is kept to an absolute minimum. This will significantly ease the administrative burden for the organization, and with effective password management access is controlled at the entrance. For example it is easier to protect a system if each privileged user has to share the same account, rather than giving each user their own account. The more effective the controls at the entrance, the less one has to worry about having distributed controls. Practice has shown that once the number of individuals who may access a system exceeds three, it becomes exponentially difficult to manage the process.
The more privileged user accounts that are assigned, the closer auditors will scrutinize the policies, and especially the adherence to them. Another issue to consider is how to ensure that users are only given access under appropriate situations, such as when they are on duty or when they are working in an appropriate location. For example, releasing privileged passwords to the user in an Internet café with VPN access is not appropriate policy, no matter how urgent the situation.
Are you going to be the superstar or the scapegoat? At the end of the day its no good blaming the auditor if he shows you a red card – it could all have so easily been avoided if we’d only listened!!
The author is European Director of Cyber-Ark.