As legislation to provide a national law to protect identity and data moves forward in the U.S. legislature, systems managers will find that they are increasingly being held responsible if a company’s data systems are compromised, according to security experts following legal and technology developments.
“Legislation is creating a new model; people are being held more accountable,” says Toby Weiss, senior vice president and general manager of CA’s security management business
Weiss and other security experts recommend these top 10 data/identity protection factors for systems managers:
1. Strong controls: Systems managers must have strong security controls. Everyone in the IT department has to be involved. Companies need to protect their financial data and the identities of their customers and their business partners. The role of the systems manager is to protect against any identity theft.
The first step in doing this, several experts agree, is to have company policies and procedures in place. While this will likely come from management above systems managers, they should still have input in the policies and procedures to recommend additional precautions that may not be in the initial rules, according to Scott Laliberte, a director specializing in information security systems for Protiviti, Menlo Park, Calif.
“Systems managers are the custodians of the data within their systems,” Laliberte explains. “They should help business owners translate business policy into controls that will help protect that data.”
2. Define sensitive data: The enterprise policy should also include guidelines for what is and isn’t sensitive information, says Doug Graham, senior consultant for BusinessEdge Solutions, Inc., East Brunswick, N.J. If these guidelines aren’t in the policy or are too vague, the systems administrator should ask for additional definitions.
3. Plan for outages: Another element of best practices is knowing what to do if part of the security system (i.e., a firewall) goes down, Graham adds. “Any data that needs to be protected needs to have a robust method of protecting it. You need be able to detect [breaches] monitor access and have a response if something goes wrong.”
4. Monitor internal, external developments: Systems managers should take an active role in monitoring trends internally and across different industries for changes in identity/data theft threats, according to several experts. Such knowledge helps systems managers have better recognition of any potential security attacks the protections that systems should include.
5. Manage access: The actual protection of systems comes down to simple entitlement management, Weiss adds. “The systems manager can easily run a report on who has access to what.”
People within and outside the organization, including systems managers should only have access to those systems and the information in those systems that they need in order to do their jobs, Weiss says.
While the systems manager may need access to more parts of more systems than most, there should also be a policy of checks and balances so that protection is built in. So two systems managers should check each other or there should be some other type of auditing mechanism, according to Weiss.