Keep an eye on your administrators. The people with the most opportunity to misuse or incorrectly share private data are the people with the most access. Compliance regulations usually require organizations to keep track of administrator activity, especially WHO is an administrator. While it's likely apparent to most people, keeping a log of administrator activity is key to maintaining a secure environment that complies with external regulations.
One item that tends to get overlooked is service accounts, or other highly privileged accounts that run applications or services. These accounts have basic administrative access, and in most inexperienced or naïve organizations they are effectively invisible: nobody is watching them. There are methods that can ensure service accounts are not being used for unintended purposes, alerting you when someone uses one of these highly privileged accounts for something other than the purpose it was created for.
Assess, access and alert
In today's world, data sets are so large and complex that it is hard to regulate who has access. When it comes to regulations and avoiding unintentional sharing of private data, you have to set the baseline and record the current access and permissions. To get a handle on your organization's controlled resources, record where your organization is TODAY! If you don't understand who has access to resources you are missing a key piece of information; consider asking people to help you justify who has access and eliminate those who do not belong. Once you get control of access to these critical resources, you should set up alerts when that access changes, so you know what's going on, and can address any mistakes or maleficence at a moment's notice.
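The two checks described above, recording a baseline of privileged group membership and alerting when it changes, and flagging a service account used for something other than running its service, as an added example that is not part of the original article. All group names, account names and logon records are constructed placeholders; the logon type values are assumed.

```python
"""Baseline-and-alert for privileged access (added example, not from the article).

Two checks over constructed sample data:
  1. diff today's privileged-group membership against the recorded baseline;
  2. flag service accounts seen in an interactive logon, i.e. used for a
     purpose other than running their service.
All account names, groups and logon records below are constructed placeholders.
"""
from typing import Dict, List, Set, Tuple

# Constructed baseline: the membership recorded when you "set the baseline".
BASELINE: Dict[str, Set[str]] = {
    "Domain Admins": {"alice", "bob"},
    "Backup Operators": {"svc-backup"},
}

# Constructed snapshot taken today (e.g. from a directory export).
CURRENT: Dict[str, Set[str]] = {
    "Domain Admins": {"alice", "bob", "carol"},   # carol was added
    "Backup Operators": set(),                    # svc-backup was removed
}

# Constructed list of service accounts; these should never log on interactively.
SERVICE_ACCOUNTS: Set[str] = {"svc-backup", "svc-web"}

# Constructed logon records as (account, logon_type); type names are assumed.
LOGONS: List[Tuple[str, str]] = [
    ("alice", "interactive"),
    ("svc-web", "service"),
    ("svc-web", "interactive"),   # misuse: a service account at a console
]


def membership_changes(baseline: Dict[str, Set[str]],
                       current: Dict[str, Set[str]]) -> List[str]:
    """Return one alert per member added to or removed from any tracked group."""
    alerts = []
    for group in sorted(set(baseline) | set(current)):
        before, now = baseline.get(group, set()), current.get(group, set())
        for user in sorted(now - before):
            alerts.append(f"ADDED {user} to {group}")
        for user in sorted(before - now):
            alerts.append(f"REMOVED {user} from {group}")
    return alerts


def service_account_misuse(logons: List[Tuple[str, str]],
                           service_accounts: Set[str]) -> List[str]:
    """Return one alert per service account seen in an interactive logon."""
    return [f"INTERACTIVE logon by service account {acct}"
            for acct, kind in logons
            if acct in service_accounts and kind == "interactive"]
```

Running both functions over the directory export and logon log on a schedule, and reviewing any non-empty result, is the "alert when that access changes" step in practice.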
Make it a policy to communicate
There are many good reasons to document and communicate what your organization is doing and how you are maintaining control of its environment. First, everyone in your organization will know that you're secure and any suspicious activity is being tracked. Second, it is easier to train additional people should the need arise.
Next, it makes updating your organization's environment much easier when there are clear policies and processes in place. Finally, your superiors know you're doing everything that needs to be done to ensure your organization is safe, secure and compliant with external regulations.
These are only a few best practices among the many regulations that place controls over IT in an effort to be as secure and protected as possible. It would be easy for organizations to review compliance regulations and understand where the intention is to codify good policy and protect users and information. And while I've viewed this from the regulatory requirement angle, you could easily reverse it and say, "Our good security policies make it easier to comply with many external regulations." It's up to you to get in control and stay in control of your environment from both a policy and a regulatory standpoint. If there were an Amazon.com item for regulatory compliance it might say, "If you like good policy, you might also enjoy a much better (and more secure) IT environment."