Access build-up a new concern for CIOs: security pro

Potential conflict between an organisation's security and its culture

The director of IT security at a national accounting firm has warned CIOs about the increasing level of administration access regular employees are gaining, calling it a “trust time bomb”.

RSM Bird Cameron’s IT security director, Jo Stewart-Rattray, said privilege policy management is a “hot button issue”, as a recent meeting of 16 CIOs highlighted.

“Many thought they were alone in dealing with this problem because it appeared to have an easy fix,” Stewart-Rattray said.

“The challenge is that addressing the user privilege vulnerability creates conflict between an organisation’s security and its culture. User privilege is often associated with trust. However, trust alone is not a control. Without adequate controls, this is a trust time bomb just waiting to explode.”

Stewart-Rattray said the culture of excessive user privileges on computer networks had developed over many years, and that people accumulate extraordinary amounts of access that they do not need to do their jobs.

“One example was an employee who built up a remarkable level of computer network access during years at an organisation,” she said. “When a new employee joined the business, the manager said to copy the network privileges held by the long-serving employee, which is a ridiculous risk.”

Stewart-Rattray is the co-chair of an international taskforce charged with developing strategies to build intentional cultures of security within organisations.

“Cradle-to-grave user management has gone by the wayside,” she said. “CIOs are starting to recognise that there is a dire need for a life cycle management of users, but they are unsure of where to start.”

“One CIO said the challenge is to balance trust with an intentional culture of security. In some respects, because trust has existed historically, we are talking about an intentional change of culture, which is harder. In the beginning, security is intentional and over a period of time, it becomes automatic.”

Stewart-Rattray said privileged user management is a hot topic, and that a central tenet of addressing it is the principle of least privilege.

“Rather than making every user a network administrator, [least privilege] gives each user just the network access required to perform his or her job,” she said. “Even system administrators should maintain a distinction between their privileged account and their day-to-day account.”
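The three failure modes described above, as an added example that is not from the article or from RSM Bird Cameron: a small entitlement audit over a constructed directory extract. It flags access beyond a role's baseline (privilege creep, including the "copy the long-serving employee" clone), leavers whose accounts still carry access (no cradle-to-grave lifecycle), and people who hold a privileged group on an account that is also their day-to-day account. The role baselines, group names and accounts are all constructed for illustration.

```python
"""Entitlement audit (added example): privilege creep, leaver accounts and
admins without a separate day-to-day account, over constructed data."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed role baseline: the groups each job role actually needs.
ROLE_BASELINE = {
    "accountant": {"staff-mail", "finance-app-user", "file-share-finance"},
    "helpdesk": {"staff-mail", "helpdesk-tool", "password-reset"},
    "sysadmin": {"staff-mail", "server-admins", "backup-operators"},
}

# Constructed list of groups that confer administrative power.
PRIVILEGED_GROUPS = {"server-admins", "backup-operators", "domain-admins"}


@dataclass
class Account:
    name: str               # login name
    owner: str              # the person behind the account
    role: str               # job role used to look up the baseline
    groups: set             # current group memberships
    status: str = "active"  # "active" or "left" (HR says the person has gone)


# Constructed directory extract.
ACCOUNTS = [
    Account("alice", "alice", "accountant",
            {"staff-mail", "finance-app-user", "file-share-finance"}),
    # Long-serving employee who accumulated access over many years.
    Account("bob", "bob", "accountant",
            {"staff-mail", "finance-app-user", "file-share-finance",
             "server-admins", "helpdesk-tool", "hr-share"}),
    # New hire whose manager said "copy Bob's access".
    Account("carol", "carol", "accountant",
            {"staff-mail", "finance-app-user", "file-share-finance",
             "server-admins", "helpdesk-tool", "hr-share"}),
    # Leaver whose account was never disabled.
    Account("dave", "dave", "helpdesk",
            {"staff-mail", "helpdesk-tool", "password-reset"}, status="left"),
    # Admin who uses a single account for everything.
    Account("erin", "erin", "sysadmin",
            {"staff-mail", "server-admins", "backup-operators"}),
    # Admin with a day-to-day account and a separate privileged account.
    Account("frank", "frank", "sysadmin", {"staff-mail"}),
    Account("frank-adm", "frank", "sysadmin",
            {"server-admins", "backup-operators"}),
]


def find_excess_access(accounts):
    """Return {account name: groups beyond the role baseline} for active accounts."""
    excess = {}
    for acct in accounts:
        if acct.status != "active":
            continue
        baseline = ROLE_BASELINE.get(acct.role, set())  # unknown role: everything is excess
        extra = acct.groups - baseline
        if extra:
            excess[acct.name] = extra
    return excess


def find_leaver_accounts(accounts):
    """Return names of accounts whose owner has left but which still carry access."""
    return sorted(a.name for a in accounts if a.status == "left" and a.groups)


def find_unseparated_admins(accounts):
    """Return owners who hold a privileged group but have no separate
    non-privileged account for day-to-day work."""
    by_owner = defaultdict(list)
    for acct in accounts:
        if acct.status == "active":
            by_owner[acct.owner].append(acct)
    flagged = []
    for owner, accts in by_owner.items():
        privileged = [a for a in accts if a.groups & PRIVILEGED_GROUPS]
        daily = [a for a in accts if not (a.groups & PRIVILEGED_GROUPS)]
        if privileged and not daily:
            flagged.append(owner)
    return sorted(flagged)


def audit(accounts):
    """Combine the three checks into one report."""
    return {
        "excess_access": find_excess_access(accounts),
        "leaver_accounts": find_leaver_accounts(accounts),
        "unseparated_admins": find_unseparated_admins(accounts),
    }


if __name__ == "__main__":
    for check, result in audit(ACCOUNTS).items():
        print(f"{check}: {result}")
```

Run against the constructed extract, the audit reports Bob and Carol for identical excess access (the clone is as over-privileged as the original), Dave as an active leaver account, and Bob, Carol and Erin as holders of privileged groups with no separate daily account; Frank passes because his `frank-adm` account keeps the privileged groups away from the account he uses for mail. In a real review the baseline would come from a role catalogue and the extract from the directory, and each finding would feed a recertification or removal ticket rather than a print statement.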
