Establishing and enforcing policies that limit employee access to sensitive data and IT systems is one of the most effective mitigation strategies against a malicious insider (Brancik, 2008). There are a number of strategies that organizations can implement in order to better secure their digital assets. A good starting place is to ensure that the security policies in place mandate robust access-level controls through role-based authorization, which makes resources easier to manage and control. Role-Based Access Control (RBAC) enables permissions to be assigned, by role, to the users who perform specific functions (Vacca, 2013).
In addition to this, the organization should enact specific policies that implement:
- Principle of least privilege, where every program and every user of the system should operate using the least set of privileges necessary to complete the job (Saltzer & Schroeder, as cited in Schneider, 2003). This ensures that only employees who really need to access a resource are authorized to do so.
- Separation of duties, to carefully manage the responsibilities and access levels of the different employees who need access to a range of data administration functions, and those who are involved in security administration functions, so that no single person holds both.
- In certain situations, systems warrant defense-in-depth strategies, including but not limited to dual administrator controls, where, for example, a sensitive operation requires authorization from two system administrators.
In addition, employee access control should be tightly integrated with the Human Resources function. Policies would need to be put in place in order to ensure that whenever an employee leaves the company, all access privileges are immediately suspended. When an employee changes roles, his or her privileges should be assessed and updated as appropriate.
Finally, while limiting the level of access employees have to systems will help deter damage, we also need to limit the impact of changes and updates to records that can be carried out within normal procedures. Appropriate backup systems, logging, and auditing all need to be part of a security initiative to limit the overall damage any given person could cause.
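The controls discussed above (RBAC, least privilege, separation of duties, dual administrator control, HR-driven revocation and role reassessment, and an audit trail of every decision) can be expressed concretely. The following Python is an added example written for this page; it is not code from any of the cited sources, and the role names, permission strings, users and separation-of-duties pairs are constructed purely for illustration.

```python
"""Role-based access control with least privilege, separation of duties,
dual control for sensitive operations, HR-driven lifecycle events and an
audit trail. All role, permission and user names below are constructed
for illustration (hypothetical, not taken from any real system)."""
from datetime import datetime, timezone

# Role catalogue: each role carries only the permissions its job function
# needs (least privilege). Constructed sample data.
ROLE_PERMISSIONS = {
    "payroll_clerk":   {"payroll:read", "payroll:update"},
    "payroll_auditor": {"payroll:read", "audit:read"},
    "sysadmin":        {"server:login", "backup:restore"},
    "security_admin":  {"audit:read", "user:manage"},
}

# Separation of duties: role pairs one person must never hold at the same
# time (data administration vs. its audit, system vs. security admin).
SOD_CONFLICTS = {
    frozenset({"payroll_clerk", "payroll_auditor"}),
    frozenset({"sysadmin", "security_admin"}),
}

# Dual administrator control: these operations need a second, distinct,
# equally authorized administrator to approve them.
DUAL_CONTROL_OPS = {"backup:restore"}


class PolicyError(Exception):
    """Raised when an assignment would violate the access policy."""


class AccessControl:
    def __init__(self):
        self.user_roles = {}   # user -> set of roles
        self.audit_log = []    # append-only list of event dicts

    def _log(self, event, **details):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event}
        entry.update(details)
        self.audit_log.append(entry)

    def sod_conflict(self, user, role):
        """Return the role already held by `user` that conflicts with `role`, or None."""
        for held in self.user_roles.get(user, set()):
            if frozenset({held, role}) in SOD_CONFLICTS:
                return held
        return None

    def assign_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise PolicyError(f"unknown role {role!r}")
        conflict = self.sod_conflict(user, role)
        if conflict:
            self._log("assign_denied", user=user, role=role, conflicts_with=conflict)
            raise PolicyError(f"{role} conflicts with {conflict} held by {user}")
        self.user_roles.setdefault(user, set()).add(role)
        self._log("assign", user=user, role=role)

    def permissions(self, user):
        """Effective permissions: the union of the user's role permissions."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))

    def authorize(self, user, op, approver=None):
        """Decide whether `user` may perform `op`; every decision is logged."""
        if op not in self.permissions(user):
            self._log("deny", user=user, op=op, reason="no permission")
            return False
        if op in DUAL_CONTROL_OPS:
            # The approver must be a different person who is themselves
            # authorized for the operation.
            if approver is None or approver == user or op not in self.permissions(approver):
                self._log("deny", user=user, op=op, reason="dual control not satisfied")
                return False
        self._log("allow", user=user, op=op, approver=approver)
        return True

    # HR lifecycle events: driven by transfers and departures.
    def change_role(self, user, new_role):
        """Transfer: drop every old role, then grant only the new one."""
        dropped = self.user_roles.pop(user, set())
        self._log("role_change", user=user, dropped=sorted(dropped), new=new_role)
        self.assign_role(user, new_role)

    def terminate(self, user):
        """Leaver: revoke all roles immediately."""
        dropped = self.user_roles.pop(user, set())
        self._log("terminate", user=user, dropped=sorted(dropped))


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign_role("alice", "payroll_clerk")
    ac.assign_role("bob", "sysadmin")
    ac.assign_role("carol", "sysadmin")
    print("alice update payroll:", ac.authorize("alice", "payroll:update"))
    print("bob restore alone:", ac.authorize("bob", "backup:restore"))
    print("bob restore with carol:", ac.authorize("bob", "backup:restore", approver="carol"))
    ac.terminate("bob")
    print("bob after leaving:", ac.authorize("bob", "server:login"))
    for e in ac.audit_log:
        print(e)
```

The design point is that the HR events call the same revocation path as everything else: a transfer starts from zero rather than accumulating roles, a departure empties the role set, and the audit log records denied assignments and denied operations as well as allowed ones, which is what an auditor reviewing insider activity needs.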
References:
Brancik, K. (2008). Insider computer fraud: an in-depth framework for detecting and defending against insider IT attacks. Auerbach Publications. Books24x7 version. Retrieved from http://common.books24x7.com/toc.aspx?bookid=26442
Schneider, F. B. (2003). Least privilege and more. IEEE Security and Privacy, 1(5), 55–59, September/October 2003. Retrieved from http://www.cs.cornell.edu/fbs/publications/leastPriv.pdf
Vacca, J. (2013). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann Publications