Preparing for an information audit


A constant concern of many organizations is how to improve security or ensure that they meet audit needs. Though this is a top concern, they assume that any type of solution that can help them will cost a tremendous amount of money and time, so instead they opt to continue performing security functions manually. They also assume that because they use several cloud applications, they cannot use a solution to properly secure their network.

The reality is that manually ensuring security is time consuming, leads to errors and can actually end up costing more than if the company had a software solution in place.

Two ways that an organization can easily and cost-efficiently ensure that it meets not only security needs but also audit and compliance laws are role-based access control (RBAC) and two-factor authentication. These two solutions can make a dramatic difference in the way that organizations handle their security measures, and allow them to efficiently address their security needs, as well as any requirements established by the government.

Meet audit requirements
Often, organizations have trouble keeping track of who has access to what applications and systems. Employees share credentials, give each other login information, and accounts are often not properly disabled after an employee leaves the organization.

This is an obvious security concern since many systems contain critical data, but it can also cause problems for organizations complying with regulations such as Sarbanes-Oxley, which requires organizations to provide a list of employees that have access to critical applications like financial data.

When it comes time to audit, system admins often spend a considerable amount of time figuring out which employees have access to which systems, and then correcting any issues, such as inappropriate access, that exist within the organization.

Role-based access control (RBAC) can be extremely beneficial in helping organizations meet security and audit requirements. RBAC is a way of managing authorizations across an organization by assigning privileges on the basis of roles rather than granting access privileges to individual users. These roles, in turn, are derived from the department, title, location and cost center associated with an employee, ensuring that every employee has access to systems and data that are consistent and appropriate for their role in the organization.

Many organizations assume that the process of implementing RBAC is long and expensive so they hold off on the implementation and continue to perform the task manually. The truth, though, is that there are solutions that assist in the process of implementing RBAC and provide a more immediate benefit.

Several solutions offer the possibility of a quick implementation by using the HR system as a data source, collecting the departments, titles and locations of all employees. They then pull data from Active Directory, which provides the group memberships of the employees in the various roles. Finally, to ensure that employees in similar roles have identical access, they compile the data from HR and AD and distribute reports to the employees' managers for review and correction. An RBAC application, coupled with an identity management system, should be able to implement the changes made by the managers in an automated fashion.
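The HR-and-AD comparison just described, as an added example that is not code from the article or from any product: constructed HR and AD exports are embedded inline, the role is assumed to be department plus title, and the per-role baseline is assumed to be the set of groups held by a majority of that role's members. It also flags AD accounts with no HR record (the leavers mentioned earlier) and produces the list of who holds access to a critical group, the audit question raised above.

```python
from collections import Counter, defaultdict

# Constructed sample HR export: active employees with role attributes and manager.
HR = [
    {"user": "alice", "dept": "Finance", "title": "Accountant", "manager": "carol"},
    {"user": "bob",   "dept": "Finance", "title": "Accountant", "manager": "carol"},
    {"user": "dave",  "dept": "Finance", "title": "Accountant", "manager": "carol"},
    {"user": "erin",  "dept": "Sales",   "title": "Rep",        "manager": "frank"},
]

# Constructed sample AD export: group memberships per account ("gone" has no HR record).
AD = {
    "alice": {"Finance-App", "Email"},
    "bob":   {"Finance-App", "Email", "Domain Admins"},
    "dave":  {"Email"},
    "erin":  {"CRM", "Email"},
    "gone":  {"Finance-App"},
}

def baseline_access(hr, ad):
    """Per role (assumed: dept + title), the groups held by a majority of its members."""
    members = defaultdict(list)
    for rec in hr:
        members[(rec["dept"], rec["title"])].append(rec["user"])
    baseline = {}
    for role, users in members.items():
        counts = Counter(g for u in users for g in ad.get(u, ()))
        baseline[role] = {g for g, n in counts.items() if n * 2 > len(users)}
    return baseline

def review_report(hr, ad):
    """Deviations from the role baseline, keyed by the manager who must review them."""
    baseline = baseline_access(hr, ad)
    report = defaultdict(list)
    for rec in hr:
        groups = ad.get(rec["user"], set())
        expected = baseline[(rec["dept"], rec["title"])]
        for g in sorted(groups - expected):
            report[rec["manager"]].append((rec["user"], "extra", g))
        for g in sorted(expected - groups):
            report[rec["manager"]].append((rec["user"], "missing", g))
    return dict(report)

def orphan_accounts(hr, ad):
    """AD accounts with no active HR record: likely leavers that were never disabled."""
    return sorted(set(ad) - {rec["user"] for rec in hr})

def members_of(ad, group):
    """Audit listing: every account holding a given group, e.g. the financial application."""
    return sorted(u for u, gs in ad.items() if group in gs)
```

In the sample data, carol's report shows bob with an extra "Domain Admins" membership and dave missing "Finance-App", while "gone" surfaces both as an orphaned account and on the Finance-App access list.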

With RBAC in place, organizations can easily see and correct who has access to which systems and applications. RBAC also makes it extremely easy, when it comes time to audit, to provide a list of employees who have access to critical data. As cloud services have become more widely used, many organizations now rely mainly on cloud applications. Many RBAC solutions also work for cloud-based applications, so that IT admins have an overview of what users have access to in the cloud as well.

Ensuring security of the login process
Another security concern for organizations is the login process. Administrators prepare strategies for protecting access against those who do not have permission to gain access to the critical data their organizations produce. Additionally, many compliance laws and regulations require organizations to show that they have security measures in place to protect that critical data.

Organizations frequently have a hard time securing the login process. Requiring that end users use complex passwords often leads to other security issues: end users cannot remember several complex sets of credentials, so they keep a password sheet listing all of them to refer to when they forget. There are, however, easier ways that organizations can secure their systems without breaking the bank.

One of these ways is a single sign-on solution in conjunction with two-factor authentication. Single sign-on solutions allow employees to have one set of credentials for all of the systems and applications for which they have permissions, eliminating the need for them to write down their credentials or store them in other insecure ways.

To further ensure security, two-factor authentication requires the user to present two forms of identification, typically a smart card combined with a PIN code, ensuring that someone who is not authorized to access information cannot easily log in or reach protected information. Like RBAC and SSO, two-factor authentication can be implemented for applications in the cloud.

Overall, solutions such as RBAC and two-factor authentication can improve security and actually reduce the amount of money and time that the IT department spends on security issues. Organizational leaders can be confident that their network and critical data are secure, and when dealing with audits they can easily provide all security documentation and quickly correct any issues without spending countless hours or risking fines for not meeting compliance requirements.