THE IT SECURITY PROFESSIONAL | Barlowtek
Helping Organizations Understand IT Security & Best Practices
Protecting your backdoor

When it comes to IT Security and developing a plan to secure your organization, don't forget to look at the companies or groups you rely on for their services. Whom do I mean? I mean your vendors and the people they hire to service your accounts. These people will have access to your business in ways that few others in your company will.

Vendor Selection

Selecting a vendor is the most important thing you can do for your organization. With that in mind, if you want a secure business, you need to make sure the vendor has security in mind when hiring their personnel as well. Vendor selection is not just about the job the business will do for you, but also about the people they hire to carry it out. Below are some questions that should be asked when looking for a vendor:

It is important that you understand your vendor's hiring practices.

Compliance Requirements

If you are looking for compliance requirements, look no further than ISO 27001, which requires background checks not only for vendors but for employees as well. Compliance with these requirements means that a comprehensive background check has been done, that any discrepancies found are addressed, and that personnel who don't meet the hiring criteria are not placed into roles for which they would not be approved.

Granting Access

Whether you are looking for a vendor to service your soda machine or someone to do your shredding, it is important that you understand your vendor's hiring practices. After you pick a vendor, granting them physical access to your business will be the next step if they are servicing your physical infrastructure or systems. Computer system access is another area that should be addressed. The access granted, and the type of access, should be based on the work the vendor will be providing your organization. This is where Role Based Access Controls (RBAC) are implemented and enforced. The access should be limited in scope and permission level. Control over these areas allows the IT Security Professional to make sure the vendor is not accessing systems they are not permitted to access, or the information that may be stored on them.

Note: Firefighter accounts (accounts with expanded permissions; Global Admins are an example of this type of role, although the specific permissions vary with your organizational policies) and their roles should be created and enabled only when needed. Once the need is no longer there, they should be disabled, or deleted and reset, ready for the next time they might be needed.

Monitoring Accounts

Monitoring user accounts and user permissions is one of the key roles within the IT Security domain of responsibilities. This may be part of the auditing process or of a periodic review of accounts. Administrative accounts should be monitored especially closely and should have additional restrictions that normal accounts may not have. Some of these restrictions are:

Locking Backdoors

When you contract with a vendor, you are taking a chance that they are taking the right steps in employing the right personnel to do the work for your company. Sometimes this is not the case, and you end up with someone who has malicious intentions and may want to harm your organization. This is where the IT Security Professional will be required to monitor actively (not passively, after something has already happened). Locking the backdoor means making sure that no administrative accounts were created during the time the vendor had access to specific systems. Whether they are working on Windows or UNIX systems, these should be monitored for additional account creation. If an account has to be created for whatever reason and has not been expressly discussed or outlined in the contractual agreement beforehand.

Summary

With vendors, it is important to keep in mind that they are there to help you and your business. Nevertheless, keep in mind that they can be a detriment as well as a benefit to your organization. Taking some preventive steps and having a clear delineation of their specific responsibilities will ensure that you are protecting your business and assets.
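As an added example of the active monitoring described under Locking Backdoors (this is not code from the original post), the Python below scans Linux auth.log lines written by useradd and usermod and flags any account created, or added to a privileged group, inside the vendor's contracted access window that the contract did not name. The log lines, host name, account names, groups and the access window are all constructed for the illustration.

```python
import re
from datetime import datetime, timezone

# Constructed auth.log excerpt (RFC 3339 timestamps); not taken from a real host.
SAMPLE_LOG = """\
2023-01-10T09:58:11+00:00 srv1 useradd[2101]: new user: name=svc_vendor, UID=1101, GID=1101, home=/home/svc_vendor, shell=/bin/bash
2023-01-10T10:05:40+00:00 srv1 usermod[2133]: add 'svc_vendor' to group 'sudo'
2023-01-10T11:22:03+00:00 srv1 useradd[2290]: new user: name=tmp_support, UID=1102, GID=1102, home=/home/tmp_support, shell=/bin/bash
2023-01-10T11:22:09+00:00 srv1 usermod[2291]: add 'tmp_support' to group 'wheel'
2023-01-12T08:00:00+00:00 srv1 useradd[2400]: new user: name=alice, UID=1103, GID=1103, home=/home/alice, shell=/bin/bash
"""

# shadow-utils log formats: useradd "new user: name=...", usermod "add 'user' to group 'grp'"
NEW_USER_RE = re.compile(r"^(\S+) \S+ useradd\[\d+\]: new user: name=([^,]+),")
ADD_GROUP_RE = re.compile(r"^(\S+) \S+ usermod\[\d+\]: add '([^']+)' to group '([^']+)'")
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm"}

# Contracted vendor access window (constructed for the example).
WINDOW_START = datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 1, 10, 17, 0, tzinfo=timezone.utc)


def audit_vendor_window(log_text, start, end, approved_accounts, approved_privileged=frozenset()):
    """Return findings for account creation and privileged-group grants inside the vendor's
    window that the contract did not authorise; events outside the window are left to the
    regular account review."""
    findings = []
    for line in log_text.splitlines():
        m = NEW_USER_RE.match(line)
        if m:
            ts, name = datetime.fromisoformat(m.group(1)), m.group(2)
            if start <= ts <= end and name not in approved_accounts:
                findings.append(("unapproved_account", name, ts.isoformat()))
            continue
        m = ADD_GROUP_RE.match(line)
        if m:
            ts, name, group = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
            if start <= ts <= end and group in PRIVILEGED_GROUPS and name not in approved_privileged:
                findings.append(("unapproved_privilege", name, group, ts.isoformat()))
    return findings


def run_demo():
    # The contract names svc_vendor as the only account the vendor may create or elevate.
    return audit_vendor_window(SAMPLE_LOG, WINDOW_START, WINDOW_END,
                               approved_accounts={"svc_vendor"},
                               approved_privileged={"svc_vendor"})


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding)
```

Only tmp_support is reported: its creation and its addition to wheel fall inside the window and were not in the contract, while alice is created after the window closed and is left to the normal account review.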
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.
Archives: January 2023