By human nature we are scared of ghosts, less because they may be ugly, more because we don’t exactly know what they are. Darkness induces fear in us as our subconscious mind fears the unknown that may creep out of the dark.
Let us not deny that all of us, knowledgeable as we are, are scared of IT security, not because we do not trust it, but because it is largely unknown. Our fear makes us use Gmail and Yahoo as our official email IDs, our fear prevents us from activating our online banking, our fear prevents us from hosting our applications on the cloud. These are all varying degrees of the unknown. However, we also know that the longer we avoid this automation, the further ahead of us our competition will be.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu, The Art of War
So it is important to know both yourself and your enemy. Let me ask you a couple of questions so that you can judge how well you know yourself and your enemy.
- What is the exact count of the active employees in your organisation today?
- Do you know for certain that an employee who quit your organisation yesterday does not have access to any of your company systems?
- Can you prevent your employees from misusing confidential company information, such as customer information, contract information and accounts information?
These may be simple questions, but they are the primary building blocks of securing your information. If you have avoided them, then no matter how many sophisticated firewalls you have deployed, your enemy lies within. This brings us to the first layer of security – the User Authentication Level.
You can do the following things to comply with this level:
- Implement a payroll system with an employee directory and defined entry and retirement processes. Integrated biometric authentication is preferred.
- Create an Active Directory in which employee records are enabled and disabled on intimation from the payroll system. Read a case study here.
- Set user level access to company systems from the Active Directory.
- Use a Two-Factor Authentication System which will fortify access to critical information.
- Implement Single Sign-On (SSO).
You can check the offerings from DS3.
If you already have an Active Directory in place, get it audited by an external auditor who can provide you with an industry benchmark compliance report. If you have an internal IT audit team in place, you can use automated tools to perform periodic AD audits. Read more on authentication from an internal audit perspective here.
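As an added example (not part of this post, nor any vendor's product), here is the core check a periodic AD audit performs: the payroll roster is reconciled against directory accounts to answer the headcount and leaver questions above. The CSV exports, employee IDs and account names below are constructed for illustration; in practice they would be exports from the payroll system and the directory.

```python
import csv
import io

# Constructed payroll export; status comes from the entry/retirement process.
PAYROLL_CSV = """employee_id,name,status
E001,Asha Rao,active
E002,Ben Okoro,retired
E003,Carla Diaz,active
E004,Dev Mehta,terminated
"""

# Constructed directory export: each account carries the employee_id it was
# provisioned for (blank when nobody on the payroll owns the account).
DIRECTORY_CSV = """account,employee_id,enabled
arao,E001,true
bokoro,E002,true
dmehta,E004,false
svc_backup,,true
"""


def load_rows(text):
    """Parse a CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(payroll_rows, directory_rows):
    """Compare the active roster with directory accounts and report findings."""
    active_ids = {r["employee_id"] for r in payroll_rows if r["status"] == "active"}
    known_ids = {r["employee_id"] for r in payroll_rows}
    owned_ids = {r["employee_id"] for r in directory_rows if r["employee_id"]}
    enabled = [r for r in directory_rows if r["enabled"] == "true"]
    return {
        # Question 1: the exact active headcount according to payroll.
        "active_headcount": len(active_ids),
        # Question 2: enabled accounts of people who have left (retired/terminated).
        "leavers_with_access": sorted(r["account"] for r in enabled
                                      if r["employee_id"] in known_ids
                                      and r["employee_id"] not in active_ids),
        # Enabled accounts with no owner on the payroll at all (e.g. service accounts).
        "unowned_enabled_accounts": sorted(r["account"] for r in enabled
                                           if r["employee_id"] not in known_ids),
        # Active employees never provisioned in the directory (onboarding gap).
        "active_without_account": sorted(active_ids - owned_ids),
    }


def run_audit():
    """Run the reconciliation over the constructed exports."""
    return reconcile(load_rows(PAYROLL_CSV), load_rows(DIRECTORY_CSV))


if __name__ == "__main__":
    for finding, value in run_audit().items():
        print(f"{finding}: {value}")
```

Each finding maps to a disable, re-provision or ownership-assignment action, which is the loop the payroll-to-AD intimation in the list above is meant to automate.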
Compliance Standards for Guidance
You can check the recommendations from SOX and ISO 27000.
Watch out for the next interesting session on Level 2 Security: Identity and Access Management