Access build-up a new concern for CIOs: security pro

Potential conflict between an organisation's security and its culture

The director of IT security at a national accounting firm has warned CIOs about the increasing level of administrative access that regular employees are gaining, calling it a “trust time bomb”.

RSM Bird Cameron’s IT security director, Jo Stewart-Rattray, said privilege policy management is a “hot button issue”, as a recent meeting of 16 CIOs highlighted.

“Many thought they were alone in dealing with this problem because it appeared to have an easy fix,” Stewart-Rattray said.

“The challenge is that addressing the user privilege vulnerability creates conflict between an organisation’s security and its culture. User privilege is often associated with trust. However, trust alone is not a control. Without adequate controls, this is a trust time bomb just waiting to explode.”

Stewart-Rattray said the culture of excessive user privileges on computer networks had developed over many years, and that people are accumulating extraordinary amounts of access that they do not need to do their jobs.

“One example was an employee who built up a remarkable level of computer network access during years at an organisation,” she said. “When a new employee joined the business, the manager said to copy the network privileges held by the long-serving employee, which is a ridiculous risk.”

Stewart-Rattray is the co-chair of an international taskforce charged with developing strategies to build intentional cultures of security within organisations.

“Cradle-to-grave user management has gone by the wayside,” she said. “CIOs are starting to recognise that there is a dire need for a life cycle management of users, but they are unsure of where to start.”

“One CIO said the challenge is to balance trust with an intentional culture of security. In some respects, because trust has existed historically, we are talking about an intentional change of culture, which is harder. In the beginning, security is intentional and over a period of time, it becomes automatic.”

Stewart-Rattray said privileged user management is a hot topic and a central tenet of this approach is the principle of least privilege.

“Rather than making every user a network administrator, [least privilege] gives each user just the network access required to perform his or her job,” she said. “Even system administrators should maintain a distinction between their privileged account and their day-to-day account.”
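The two failure modes described above, access accumulated over years and then copied wholesale to a new hire, and administrative rights sitting on a day-to-day account, are both visible in a simple entitlement review: compare what each account holds against what its job role actually needs. The script below is an added example, not code from the article or from RSM Bird Cameron. The role names, group names, the directory snapshot and the set of privileged groups are all constructed for illustration; in practice they would come from a directory export and the organisation's access-control matrix.

```python
"""Entitlement review for privilege creep (constructed example)."""
from collections import defaultdict

# Constructed least-privilege baseline: the groups each role needs to do the job.
ROLE_BASELINE = {
    "accountant": {"fin-ledger-ro", "fin-ledger-rw", "vpn-users"},
    "payroll": {"fin-ledger-ro", "hr-payroll-rw", "vpn-users"},
    "sysadmin": {"vpn-users"},  # day-to-day account: no admin rights
    "sysadmin-priv": {"domain-admins", "server-admins"},  # separate privileged account
}

# Constructed: groups that confer administrative control and should never
# sit on a day-to-day account.
PRIVILEGED_GROUPS = {"domain-admins", "server-admins"}

# Constructed directory snapshot: (account, role, current group memberships).
SNAPSHOT = [
    ("alice", "accountant", {"fin-ledger-ro", "fin-ledger-rw", "vpn-users"}),
    # long-serving employee who accumulated access across several jobs
    ("bob", "accountant", {"fin-ledger-ro", "fin-ledger-rw", "vpn-users",
                           "hr-payroll-rw", "server-admins"}),
    # new hire whose access was copied from bob
    ("carol", "accountant", {"fin-ledger-ro", "fin-ledger-rw", "vpn-users",
                             "hr-payroll-rw", "server-admins"}),
    # admin rights granted to the day-to-day account instead of the -adm one
    ("dave", "sysadmin", {"vpn-users", "domain-admins"}),
    ("dave-adm", "sysadmin-priv", {"domain-admins", "server-admins"}),
]


def excess_entitlements(snapshot, baseline=ROLE_BASELINE):
    """Map each account to the groups its role baseline does not justify."""
    excess = {}
    for account, role, groups in snapshot:
        extra = groups - baseline.get(role, set())
        if extra:
            excess[account] = sorted(extra)
    return excess


def cloned_excess(snapshot, baseline=ROLE_BASELINE):
    """Find accounts that share exactly the same unjustified access.

    Identical excess across several accounts is the signature of
    'copy the privileges of the long-serving employee' provisioning.
    """
    by_extra = defaultdict(list)
    for account, extra in excess_entitlements(snapshot, baseline).items():
        by_extra[tuple(extra)].append(account)
    return {extra: sorted(accts) for extra, accts in by_extra.items() if len(accts) > 1}


def admin_on_daily_account(snapshot, baseline=ROLE_BASELINE,
                           privileged=PRIVILEGED_GROUPS):
    """Flag accounts whose role baseline contains no privileged group but
    which are members of one: the admin / day-to-day separation is broken."""
    flagged = {}
    for account, role, groups in snapshot:
        if baseline.get(role, set()) & privileged:
            continue  # a designated privileged account is expected to hold these
        hit = groups & privileged
        if hit:
            flagged[account] = sorted(hit)
    return flagged


if __name__ == "__main__":
    for account, extra in excess_entitlements(SNAPSHOT).items():
        print(f"{account}: access beyond role baseline {extra}")
    for extra, accounts in cloned_excess(SNAPSHOT).items():
        print(f"identical excess {list(extra)} shared by {accounts}")
    for account, hit in admin_on_daily_account(SNAPSHOT).items():
        print(f"{account}: privileged groups on a day-to-day account {hit}")
```

Running this over the constructed snapshot reports bob and carol as holding the same two groups their role does not justify, which is exactly the copied-profile case, and reports dave as a day-to-day account carrying domain-admins while his separate dave-adm account already holds the privileged groups. A review like this only works if the role baselines are maintained as part of the joiner/mover/leaver life cycle the article calls for; without a baseline there is nothing to diff against.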

Tags: security, IT admin, authentication, access control