IT security success requires constant vigilance. Last year’s processes and tools may no longer be good enough for today. It takes only one weak link in your IT security chain for an incident to happen. To lower the chances of an IT security incident, review these seven neglected areas of IT security maintenance.
1) Asset Identification (Hardware and Software)
IT security cannot succeed if you do not have a complete and accurate inventory of your assets. Many organizations today use hardware and software asset management tools. These are valuable and well worth using. However, they are only as useful as you make them. That means regularly asking: what is likely to be missed by our system, and how can we verify that the inventory is complete? Cross-checking the tool’s output against an independent source, such as DHCP leases, switch tables or a network scan, shows you what the tool never saw. Periodically meeting with procurement and other business units will help you to identify additional assets on your network.
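One way to verify inventory completeness is to reconcile the asset tool’s export against an independent view of the network. The script below is an added example, not code from the original article or from any asset-management product: it takes a constructed inventory export and constructed DHCP-lease style sightings (field names and sample values are assumptions) and reports devices on the network that the inventory does not know about, inventory entries not seen recently, and entries whose hostname no longer matches.

```python
"""Reconcile a hardware inventory with what is actually seen on the network.

Added example, not code from the original article. The inventory export and
the DHCP-lease style observations are constructed sample data; in practice
they would come from your asset-management tool and from DHCP logs, switch
ARP/MAC tables or an authenticated network scan. Field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date

REVIEW_DATE = date(2024, 3, 1)  # assumed date of the review run


@dataclass(frozen=True)
class InventoryItem:
    hostname: str
    mac: str
    owner: str


@dataclass(frozen=True)
class Observation:
    mac: str
    ip: str
    hostname: str
    last_seen: date


# Constructed sample inventory (what the asset tool believes exists).
INVENTORY = [
    InventoryItem("fin-ws-01", "00:1A:2B:3C:4D:01", "Finance"),
    InventoryItem("fin-ws-02", "00:1A:2B:3C:4D:02", "Finance"),
    InventoryItem("sales-lt-07", "00-1A-2B-3C-4D-07", "Sales"),  # vendor-style MAC
    InventoryItem("srv-db-01", "00:1A:2B:3C:4D:10", "IT"),
]

# Constructed sample observations (what the network actually showed).
OBSERVATIONS = [
    Observation("00:1a:2b:3c:4d:01", "10.0.1.11", "fin-ws-01", date(2024, 2, 29)),
    Observation("00:1a:2b:3c:4d:02", "10.0.1.12", "fin-ws-02", date(2024, 1, 5)),
    Observation("00:1a:2b:3c:4d:07", "10.0.2.40", "sales-lt-07", date(2024, 2, 28)),
    Observation("00:1a:2b:3c:4d:10", "10.0.9.5", "db-rebuild", date(2024, 2, 28)),
    Observation("aa:bb:cc:dd:ee:ff", "10.0.2.77", "raspberrypi", date(2024, 2, 27)),
    Observation("aa:bb:cc:dd:ee:ff", "10.0.2.78", "raspberrypi", date(2024, 2, 20)),
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-1A-... and 00:1a:... compare equal."""
    return mac.strip().lower().replace("-", ":")


def reconcile(inventory, observations, today=REVIEW_DATE, stale_after_days=30):
    """Return the three lists a reviewer needs: unknown, stale and renamed devices."""
    inv_by_mac = {normalize_mac(i.mac): i for i in inventory}

    # Keep only the most recent sighting per MAC; leases and scans repeat.
    latest = {}
    for obs in observations:
        mac = normalize_mac(obs.mac)
        if mac not in latest or obs.last_seen > latest[mac].last_seen:
            latest[mac] = obs

    # On the network but not in the inventory: the devices the tool missed.
    unknown = [latest[m] for m in sorted(latest) if m not in inv_by_mac]

    # In the inventory but not seen recently: decommissioned, lost or off-network.
    stale = [
        inv_by_mac[m] for m in sorted(inv_by_mac)
        if m not in latest or (today - latest[m].last_seen).days > stale_after_days
    ]

    # Same MAC, different hostname: reimaged, reassigned or spoofed.
    renamed = [
        inv_by_mac[m] for m in sorted(inv_by_mac)
        if m in latest and latest[m].hostname.lower() != inv_by_mac[m].hostname.lower()
    ]
    return {"unknown": unknown, "stale": stale, "renamed": renamed}


def coverage(inventory, observations) -> float:
    """Fraction of observed devices that the inventory accounts for."""
    inv = {normalize_mac(i.mac) for i in inventory}
    seen = {normalize_mac(o.mac) for o in observations}
    return len(seen & inv) / len(seen) if seen else 1.0


if __name__ == "__main__":
    report = reconcile(INVENTORY, OBSERVATIONS)
    for kind, items in report.items():
        for item in items:
            print(f"{kind:8} {item.mac:18} {item.hostname}")
    print(f"inventory coverage: {coverage(INVENTORY, OBSERVATIONS):.0%}")
```

The coverage figure is the number worth tracking over time: a tool that reports 100% of what it knows about tells you nothing about the Raspberry Pi it never enrolled, so the denominator has to come from a source the tool does not control.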
2) Third-Party Risk Assessment
Does your organization use consultants, contractors, or other third parties? If yes, those stakeholders can hurt or help your IT security situation. Part of your maintenance activities must include a review of your third parties. For high-risk third parties (e.g. core technology providers), consider reviewing the contract and requesting ongoing security monitoring.
Tip: Ask procurement or purchasing to formally engage IT security when new vendors are brought on board. This ongoing process will go a long way toward maintaining your IT security defenses.
3) IT Security Training
There are two ways to look at IT security training maintenance. First, you need to maintain the skills and certifications of your IT security professionals. This means supporting their interest in attending conferences, taking courses and learning new technology. If you’re not sure where to get started with specialist training, we recommend reviewing ISACA’s certifications. If you stop there, you will leave most of your employees in the dark.
Some companies in regulated industries like banking offer annual IT security training to all employees. If your organization does not provide such training on a regular schedule, question that practice! For non-IT security specialists, their knowledge of IT security is likely to decay over time. We recommend engaging the human resources department to discuss providing an annual or semi-annual IT security refresher training to all employees.
4) Privileged User Management (i.e. Principle of Least Privilege)
With great power comes great responsibility! That old saying definitely holds true in the case of IT security maintenance. Some less mature organizations hand out “admin accounts” and other powerful user accounts like candy. Others are more mature in their approach and only provide these accounts with a manager or executive approval.
From an IT security maintenance perspective, audit your privileged users on a monthly or quarterly basis. Use the Principle of Least Privilege to guide your decisions: each account should hold only the access its role requires. For example, a manager in the finance department would not need admin privileges for sales applications.
5) Reliance on Manual Processes
In IT security maintenance, there is a large amount of work to complete every day: incoming user access requests, support tickets and security vulnerability alerts to review. Inbound requests for help and assistance tend to crowd out everything else. That leaves less time for proactive IT security work like researching new security vulnerabilities and providing advice to the business.
The root cause of this sense of overwhelm tends to be too many manual processes. For example, the IT security department may depend on a spreadsheet to manage user access requests. Using spreadsheets for IT security tasks increases risk: a spreadsheet has no access control or audit trail, and it is easily corrupted, overwritten or copied.
You can solve this problem by implementing a security software solution like Compliance Auditor. It keeps detailed user records, including the time of the last login. That feature helps you to detect inactive user accounts and remove them.
6) Manager Support For IT Security
Your IT security department can only do so much to promote effective IT security habits. To maintain your company’s defenses, you need managers and supervisors to support security. Make it clear that you do not expect managers to become IT security experts. Instead, clarify your expectations in a simple checklist. For example, ask managers to review the following points on a quarterly basis:
- Employee Movements. Check which user accounts need to be removed or added when an employee joins or leaves your department.
- Employee Access Requests. Review the user requests that have come in recently. For example, if all business analysts are requesting access to a business intelligence application, suggest that IT make this access part of the standard profile for business analysts.
- Multi-Factor Authentication (MFA). Ask your employees about MFA. For example, do they have challenges using it while working remotely? As you learn about these issues, escalate them to IT for resolution.
From time to time, you may also ask managers to reinforce specific IT security maintenance tips. For instance, remind employees of the dangers of reusing personal passwords at work. For more guidance in this area, check out our previous post: Treating Password Reuse Disease In Three Steps.
7) Reporting & Monitoring
Without reports, you are blind. You will have no idea whether or not your IT security processes are effective. Unfortunately, reporting and monitoring are often a weak point. For example, you may rely too much on system-generated reports. These reports need to be read carefully with risk in mind. For instance, if a report shows a large number of inactive administrative user accounts, that is a high-risk finding, not a statistic: if those accounts are misused, there is significant potential for damage and fraud.
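The privileged-user review in point 4, the inactive-account detection in point 5 and the inactive-admin report in point 7 are one and the same check run on a schedule. The script below is an added example, not code from the original article or from the product it mentions: it takes a constructed directory export (the department-to-privilege policy table, group names and field names are assumptions) and produces the findings a reviewer would act on: privileges outside the department’s scope, privileged accounts with no recorded approval, privileged accounts with no login in 90 days, and disabled accounts that still hold privileged groups.

```python
"""Quarterly privileged-account review driven by least privilege and last login.

Added example, not code from the original article and not the product it
mentions. The account records below are constructed sample data; in practice
they would be exported from your directory or identity tool. The department-
to-privilege policy table, group names and field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_DATE = date(2024, 3, 1)  # assumed date of the review run
INACTIVE_AFTER_DAYS = 90

# Which privileged groups each department may legitimately hold (assumed policy).
ALLOWED_PRIVILEGES = {
    "Finance": {"finance-app-admin"},
    "Sales": {"sales-app-admin"},
    "IT": {"domain-admins", "finance-app-admin", "sales-app-admin"},
}
PRIVILEGED_GROUPS = set().union(*ALLOWED_PRIVILEGES.values())


@dataclass(frozen=True)
class Account:
    username: str
    department: str
    groups: frozenset
    last_login: Optional[date]
    enabled: bool
    approved_by: Optional[str]


# Constructed sample directory export.
ACCOUNTS = [
    Account("jdoe", "Finance", frozenset({"finance-app-admin", "sales-app-admin"}),
            date(2024, 2, 25), True, "cfo"),
    Account("asmith", "IT", frozenset({"domain-admins"}), date(2023, 10, 1), True, "cio"),
    Account("svc-backup", "IT", frozenset({"domain-admins"}), date(2024, 2, 28), True, None),
    Account("bwayne", "Sales", frozenset({"sales-app-user"}), date(2024, 2, 29), True, None),
    Account("old-contractor", "Sales", frozenset({"sales-app-admin"}), None, False, "sales-vp"),
]


def review(accounts, today=REVIEW_DATE, inactive_after=INACTIVE_AFTER_DAYS):
    """Return (username, finding, detail) tuples for every privileged account needing action."""
    findings = []
    for acct in accounts:
        held = acct.groups & PRIVILEGED_GROUPS
        if not held:
            continue  # ordinary user: out of scope for the privileged review

        if not acct.enabled:
            # A disabled account that keeps its groups is one re-enable away from admin.
            findings.append((acct.username, "DISABLED_STILL_PRIVILEGED", ",".join(sorted(held))))
            continue

        # Least privilege: anything beyond what the department is allowed is a finding.
        excess = held - ALLOWED_PRIVILEGES.get(acct.department, set())
        if excess:
            findings.append((acct.username, "OUT_OF_SCOPE_PRIVILEGE", ",".join(sorted(excess))))

        # Privileged access should have been granted with a recorded approver.
        if acct.approved_by is None:
            findings.append((acct.username, "NO_APPROVAL", ",".join(sorted(held))))

        # Inactive privileged accounts are the ones a report tends to bury.
        if acct.last_login is None or (today - acct.last_login).days > inactive_after:
            idle = "never" if acct.last_login is None else f"{(today - acct.last_login).days} days"
            findings.append((acct.username, "INACTIVE_PRIVILEGED", idle))
    return sorted(findings)


def summary(findings):
    """Count findings per type: the one line a manager needs from the report."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review(ACCOUNTS)
    for username, kind, detail in results:
        print(f"{kind:26} {username:15} {detail}")
    print(summary(results))
```

Note that the disabled account is reported even though it has never logged in: the inactivity rule is skipped for it on purpose, because the actionable finding is the group membership, not the idle time.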
The Key To Improving IT Security Maintenance
For IT security maintenance to stay up to date, you need to make it easy for your employees. That means reviewing paperwork and restrictions to ask what truly adds value. In addition, you need to equip employees with IT security software solutions. At the end of the day, IT security will be ignored if it is perceived as too much of a burden.