Good password policy, control over critical and protected resources, proper account handling… It is seen across multiple, seemingly unrelated compliance regulations. That’s because regulators are trying to ensure simple, effective governance that can also be verified.
For many organizations, focus on a single regulation, sometimes even single requirements in a single regulation, might make it difficult to spot commonalities. As someone who talks to various customers around the world about complying with a variety of generic and specific regulations, I see a lot of the same basic requirements. They all seem to point to the same conclusion: get control of your organization’s environment with good governance.
A structured and controlled organization generally has a much easier time complying with requirements in regulations. The reverse is also true – if you have to comply with the requirements in a regulation, it’s something that can easily lead you to better governance overall for your organization. Here are a few best practices derived from the most common requirements that help lead to good governance.
Controlling your accounts
People in companies and organizations tend to move around; nothing is static for long. Many employees hold different access rights for different roles and responsibilities over time, but it’s rare to see organizations reviewing access control policies and permissions for users who move around. Well-maintained organizations provision people as they start at a company; many even de-provision departing employees by removing all access that was assigned to the account.
Most employees have no problem asking for access to resources as they change jobs and roles, so that’s rarely a problem. What’s missing is ensuring that access rights to controlled resources are removed or adjusted as job titles and roles change. The proper approach here is to understand what should be controlled and to register every change to access. At that point, you have a manual process that can help identify people whose access should be removed. Remember, your organization’s controlled resources should be in your control.
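As an added illustration of the review described above (not part of the original article), the script below compares what each account currently holds against what its current HR role justifies and flags the leftovers. The role-to-entitlement policy, the role-change log and the access snapshot are all constructed sample data.

```python
# Added example: flag entitlements an account keeps from a previous role.
# All policy, HR events and access data below are constructed samples.

# Assumed policy: entitlements each role may hold on controlled resources.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticketing-read", "ticketing-write"},
    "sysadmin": {"ticketing-read", "prod-ssh", "backup-admin"},
    "finance": {"erp-read", "erp-post"},
}

# Constructed HR role-change log: (user, new_role), chronological order.
ROLE_CHANGES = [
    ("alice", "helpdesk"),
    ("alice", "sysadmin"),
    ("bob", "finance"),
    ("bob", "helpdesk"),
]

# Constructed snapshot of the access each account holds right now.
CURRENT_ACCESS = {
    "alice": {"ticketing-read", "ticketing-write", "prod-ssh", "backup-admin"},
    "bob": {"erp-read", "erp-post", "ticketing-read", "ticketing-write"},
    "carol": {"prod-ssh"},  # account with no HR role record at all
}


def current_roles(changes):
    """Reduce the change log to each user's latest role (last event wins)."""
    roles = {}
    for user, role in changes:
        roles[user] = role
    return roles


def excess_access(current_access, role_changes, role_entitlements):
    """Return {user: entitlements not justified by the user's current role}.

    An account with no role record is reported with everything it holds,
    since nothing in the register justifies that access.
    """
    roles = current_roles(role_changes)
    findings = {}
    for user, held in current_access.items():
        allowed = role_entitlements.get(roles.get(user), set())
        extra = held - allowed
        if extra:
            findings[user] = extra
    return findings


if __name__ == "__main__":
    report = excess_access(CURRENT_ACCESS, ROLE_CHANGES, ROLE_ENTITLEMENTS)
    for user, extra in sorted(report.items()):
        print(f"{user}: review or remove {sorted(extra)}")
```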