Five Golden Steps to Stopping the Sabotage of Sensitive Corporate Data
by Calum Macloed - Cyber-Ark - Tuesday, 3 April 2007.
2. Use effective but manageable encryption - methods that do not require administrative intervention removes the risk of keys being managed by systems staff. Symmetric encryption of data offers a solution that removes the need for human intervention, and eliminates the risk associated with recovering private keys. Data should be stored using the strongest algorithms available in the market, such as AES256 and RSA-2048

3. Backup Securely - Backup is a very critical component, and something that can be abused. It is absolutely essential therefore that any system that is used to backup data should do so in its encrypted form with no regards to the method of backup.

4. Segregation of Duties - There needs to be segregation between system management and data management. Additionally there should be hierarchies within data management, such as dual-control which can enforce checks and balances to ensure that highly sensitive data cannot be accessed unless authorisation has been given. If possible the access to, and responsibility for, data should be devolved to the relevant departments. For example there is no reason why anyone outside of HR should have access to HR data. There needs to be a flexible policy within departments so that users can manage other users who are at the same level or lower than them.

5. Proactive Alerting - By having automatic reporting of user activity, anytime anyone who is authorized accesses a sensitive file the system cannot automatically report this activity. By having this at departmental level ensures that management can identify potential inappropriate behaviour at an early stage since they are aware of the sensitive data under their control, and can thus identify misuse at an early stage

So what’s it to be? Are you going to get to grips with your data security or just hire honest Scotsmen? Doing nothing risks internal sabotage with the associated problems, and there’s only a limited supply of honest Scotsmen.


(IN)SECURE Magazine issue 45 released

(IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. Learn about personal data bankruptcy and the cost of privacy, security and compliance, delivering digital security to a mobile world, and much more.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Mar 5th