Printer Friendly

Eight rules of computer security.

Computers have become a routine part of the business world. They are so common that many people consider authorized access to an employer's computers a right, rather than a privilege. For information security managers, allowing authorized individuals to connect with and use computers belonging to an organization poses serious issues of authorization and control.

To make matters more complex, employees may be accessing company computers from home, from a hotel room, from an airport, or even from an airplane while in flight. Security managers must consider the appropriateness of granting privileges, the activities of those allowed access, and how to ensure compliance.

The risks involved are many. Among the most serious is the possibility that an authorized individual will discover--by chance or through testing--that an opportunity exists to use authorized access routines to perform illicit actions.

In a case involving such circumstances, an employee of a business in Arlington, Virginia, resigned. Many months later, an examination of accounting records, which tracked disk usage, revealed charges for disk space that could not be explained in the normal routine of that business. An investigation showed that the former employee was operating a private business using the company's computers. While authorized to access the computers, the individual had discovered computer activity was not tracked and that the validity and currency of computer accounts were not regularly audited.

In another case, a security officer who expressed a desire to learn computing was provided an account at a business in Massachusetts. Later it was discovered that the officer was using his access to obtain private personnel information, which he was selling for profit.

Based on good business control practices, the following rules can help keep computer use under control, while interfering only minimally with company operations.

Rule 1. All computer accounts must be based on some demonstrated business need. Accounts must be updated and periodically evaluated to ensure consistency with employees' job assignments. Automatic cancellation or downgrading must occur promptly as job assignments change.

No employee has a right to unrestricted access privileges. As a part of the employment contract, employees must be told that the computers and the information stored on them remain at all times the property of the company. The employee also cannot expect privacy when using the business computers.

The use of PCs or terminals at home, as well as the use of laptop computers, must be strictly controlled. The fact that an employee has been authorized to use computers at work is not necessarily justification for allowing him or her access from outside company facilities.

In all cases, employees should receive written security and control procedures explaining the company's policy regarding the protection of company information when working at home or traveling. While a company cannot practically enforce the rules in those circumstances, it is critical that the company establish minimum requirements so disciplinary actions can be taken if appropriate.

Rule 2. Only the minimum privileges should be provided. An employee working in the personnel department should not have access to accounting records; a person working in manufacturing should not be allowed to access engineering computers. Access to any system or file must be justified by specific reference to an assigned task. Mere concern or curiosity does not justify access.

Rule 3. Business policy must assign the authority to establish and control computer accounts. This authority should never be given to the computer operations manager, the security manager, or the information manager.

Rights to access computers are akin to rights to access company funds or materials. The manager responsible for the activity or department in which the employee is assigned must make decisions about granting computer access. Since such access should be based solely on business requirements, the manager is the appropriate authority for such decisions.

Rule 4. Effective control requires a coordinated effort by key company departments. The authorizing manager, the company personnel manager, the computer operations manager, and the information security manager all have important roles to play. The activity must be coordinated through proper procedure to ensure timely actions based on changes in the authorized employee's job status.

Each of the following events requires an immediate response, as indicated:

* Change of job. The authorizing manager must determine whether the current computer privileges should be continued or changed to fit the new job responsibilities that are assigned.

* Change of location. The acquiring manager must determine whether a change in computer access privileges is called for. In no case should a transferred employee be permitted to retain accounts in the previous location if the computer in that location is not the usual one supporting the new job function. Multiple accounts assigned to one individual on different, dispersed computers threaten a loss of control.

* Employee termination. The computer operations manager and the security manager must immediately and formally be notified when an employee is to leave the company. The appropriate accounts must be cancelled and the disposition of remaining computer files determined by the employee's manager. Deletion or forwarding of electronic mail files for the accounts must also be determined.

Rule 5. Adequate records of accounts must be maintained to allow rules 1, 2, and 3 to operate. Records of computer accounts should be kept secure. If the primary records are on a computer, backup paper copies of all authorization documents should be maintained.

At a minimum, computer access authorization records should include the following:

* Employee name and ID number

* Authorizing manager's name and department

* Employee's job code or job nomenclature

* The unique account identifier assigned, typically user name or user identification

* Authorized approvals by the functional manager and the computer operations manager

Rule 6. Accounts with special privileges must require special approvals and must have special restrictions. Accounts with privileges should be severely restricted to those few individuals requiring such privileges to maintain business operations.

Access to privileged accounts should never be granted for personal convenience or because an individual has unusual skills. Accounts with special privileges should never be used for routine work, but only for the special activities for which that account was established.

Rule 7. All computer access authorizations and the records reflecting account activities should be frequently audited by disinterested parties. Just as the cashier is required to balance out payments, receipts, and funds at the end of each day, the computer authorizations records should be periodically checked against employee assignments.

Authorizations to use company computers may be validated by checking against the employee's name, job code, and location. All three should match with the authorization record and the account record.

Rule 8. Procedures should accommodate all cases. The exceptional situations in which individuals may request access to accounts may include the following:

* Retirees may wish to continue to have access. The company should have a rule governing this case, considering that retirees are no longer employees in a legal sense and therefore have no obligations to the company.

* Contractors or consultants may require access to company computers to perform required work. In these cases, the same procedures as those used for employees should apply, except that the company may wish to establish more rigorous approval requirements.

* Employees on disability may want to maintain access. This decision should be based on the legal situation regarding disability leave in the state in which the employee lives. In some cases, granting access might jeopardize disability rights.

* Suppliers or customers may want access for business purposes. A special procedure should be established to handle such cases and ensure that the requestor has a bona fide business justification for such a connection; the approval is provided by senior management and is never considered routine; and the overall security and control provided for this access is appropriate to the information and activities intended.

Although the routine and repetitive work necessary to maintain and monitor computer accounts may be bureaucratic and tedious, it is nevertheless essential to protecting a vital business resource. Security managers should keep in mind that while employees may be trusted individually, it cannot be assumed that employees do not pose a threat to the company's computers and information.

Good resource management implies that the company know at all times who has access to what information and that these access authorizations are current with valid business requirements.

James A. Schweitzer is an information security consultant in Essex, Connecticut. He is a member of the ASIS Standing Committee on Computer Security.
COPYRIGHT 1993 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Computer Security
Author:Schweitzer, James A.
Publication:Security Management
Date:May 1, 1993
Previous Article:Power pollution protection.
Next Article:Facing the challenges of the 1990s.

Related Articles
Awareness made easy.
A memorandum of agreement.
Legal reporter.
Ten immutable laws of security.
An introduction to cryptography, 2d ed.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters