5 steps to evaluate your IT security policy

Elizabeth Lawler CEO, Conjur

In the wake of some of the biggest data breaches of 2015, risk and security teams are naturally worried about the safety of their data and of their IT systems as a whole. To keep up with a constant stream of threats, teams need to evaluate every aspect of their IT security policy. That can seem like a monolithic task, but here are 5 steps to get started.

1. Everything must have an identity

To gain full visibility into your IT environment, it is essential that every user, machine, host, and service have an identity that is tracked and centrally managed. If you can't see the full scope of your infrastructure, you cannot comprehensively understand the security posture of any one system within it. The identity catalog should be granular enough to show how people, machines, and data flows are connected across the organization, so that a question such as "which hosts and services can reach this database?" can be answered from the catalog rather than guessed.

2. Deploy and enforce access control from end to end

Many organizations don't apply the same access control principles comprehensively throughout their IT systems. Instead, they focus on a few high-value systems or a specific set of users. The identity catalog from step 1 is what lets an organization see where the human and machine touchpoints are, so that access control can be enforced at each of them rather than only at the obvious ones.

Role-based access control (RBAC) is the most widely used model for classifying and organizing access controls into logical groupings: permissions are attached to roles, and identities are granted roles rather than individual permissions. A flexible authorization system that can enforce access control policies across every kind of principal, human and machine alike, is a key capability. The granularity of enforcement should be derived from the sensitivity of the systems you are trying to secure, and an identity that is not in the catalog, or holds no role for the resource, should be denied by default.

3. Consistent policies

Security policies must align with your company's business goals. If your goal is to move quickly, and you are adopting tools that help you move quickly, you need to be mindful of the attack surface those new tools and new ways of working create. Dynamic, scalable policies, rather than static, manually maintained ones, extend the coverage of access controls and create a consistent posture throughout the organization. Policies should satisfy the needs of internal stakeholders and anticipate the changes that future business needs will require.

4. Cross-team alignment

It is crucial that everyone on your team, and across your organization, understands what is going on. Facilitate cross-functional meetings and teams so that institutional knowledge is shared rather than siloed. Make the policies human readable and transparent to the staff who need to know the policy and its best practices. This structure also makes security a responsibility of every department, not just a concern of the security team.

5. Audit everything

Make sure you have an audit trail that records who accessed what and when, including attempts that were forbidden; a denied request is often the most interesting event in the log. Being able to audit everything serves a variety of purposes. It not only allows you to remain compliant, but it also provides management with easily digestible information. Audit trails mean there are no secrets and no guessing: you can see firsthand whether your controls are working as intended.
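The following is an added example, not code from the article or from Conjur, that ties steps 1, 2 and 5 together in one small engine: every principal (user, host or service) is registered as an identity, roles carry (action, resource-pattern) permissions, the check denies anything not covered by a role or not in the catalog, and every decision, allowed or denied, is written to an audit trail. The identity kinds, role names, resource naming scheme ("secret:db/...") and sample principals are constructed for illustration.

```python
"""Minimal RBAC engine with an identity catalog and an audit trail.

Added example, not Conjur's code. Identity kinds, role names and the
"secret:db/..." resource scheme are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Identity:
    """A principal in the catalog: people and machines are modelled alike."""
    kind: str   # "user", "host" or "service" (assumed kinds for this example)
    name: str

    def __str__(self) -> str:
        return f"{self.kind}:{self.name}"


@dataclass
class Role:
    """A named bundle of (action, resource-pattern) permissions."""
    name: str
    permissions: set[tuple[str, str]] = field(default_factory=set)


class AuthZ:
    """Identity catalog + RBAC decision + audit trail in one object."""

    def __init__(self) -> None:
        self.identities: dict[str, Identity] = {}
        self.roles: dict[str, Role] = {}
        self.memberships: dict[str, set[str]] = {}   # identity -> role names
        self.audit: list[dict] = []                  # every decision, allow or deny

    def register(self, kind: str, name: str) -> Identity:
        ident = Identity(kind, name)
        self.identities[str(ident)] = ident
        self.memberships.setdefault(str(ident), set())
        return ident

    def add_role(self, name: str, permissions: set[tuple[str, str]]) -> None:
        self.roles[name] = Role(name, set(permissions))

    def grant(self, ident: Identity, role: str) -> None:
        if str(ident) not in self.memberships:
            raise KeyError(f"unregistered identity {ident}")
        if role not in self.roles:
            raise KeyError(f"unknown role {role}")
        self.memberships[str(ident)].add(role)

    def is_allowed(self, ident: Identity, action: str, resource: str) -> bool:
        roles = self.memberships.get(str(ident))
        if roles is None:
            # Not in the catalog at all: deny, and record that it was never registered.
            allowed, reason = False, "unknown identity"
        else:
            # A role matches when one of its permissions has the same action and a
            # resource glob covering the requested resource (case-sensitive match).
            matching = [
                r for r in sorted(roles)
                for (act, pattern) in self.roles[r].permissions
                if act == action and fnmatchcase(resource, pattern)
            ]
            allowed = bool(matching)
            reason = f"role {matching[0]}" if matching else "no matching permission"
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "identity": str(ident),
            "action": action,
            "resource": resource,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed

    def denied(self) -> list[dict]:
        """The forbidden actions an auditor will ask about first."""
        return [e for e in self.audit if not e["allowed"]]


def build_policy() -> AuthZ:
    """Constructed sample policy: principals, roles and resources are illustrative."""
    az = AuthZ()
    az.add_role("db-reader", {("read", "secret:db/*")})
    az.add_role("db-admin", {("read", "secret:db/*"), ("write", "secret:db/*")})
    az.grant(az.register("user", "alice"), "db-admin")
    az.grant(az.register("host", "web-01"), "db-reader")
    az.register("service", "ci-runner")   # cataloged, but granted no role yet
    return az


if __name__ == "__main__":
    az = build_policy()
    az.is_allowed(az.identities["user:alice"], "write", "secret:db/password")
    az.is_allowed(az.identities["host:web-01"], "read", "secret:db/password")
    az.is_allowed(az.identities["host:web-01"], "write", "secret:db/password")
    az.is_allowed(Identity("host", "rogue"), "read", "secret:db/password")
    for event in az.audit:
        print(event)
```

Two design points worth noting: the decision logs a reason on every path, so an auditor can tell an unregistered principal ("unknown identity") from a registered one that simply lacks the role, and the default outcome when nothing matches is deny, so gaps in the policy show up as denied events in the trail rather than as silent access.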

When looking for a security solution, find one that is built into the application and works with it, so that security does not become a barrier to productivity. It should also work with the tools you are already using. That saves your team the time and hassle of learning new tools, and it means they won't have to give up the tools they know for ones they don't understand. Whether your company has already experienced a breach or you are concerned that your infrastructure is vulnerable, these 5 steps let you respond appropriately and reduce the chance of future malicious activity going unnoticed.

Image credit: Flickr
