Embedded Files
Administrative Security
Administrative Security
Provides the means to control people's operational access to data.
Least Privilege
Least Privilege
We give employees the minimum necessary access they need, no more, no less.
Need to know
Need to know
Even if you have access, if you do not need to know, then you should not access the data. (Kaiser employees).
Separation of duties
Separation of duties
More than one individual in one single task is an internal control intended to prevent fraud and error.
We do not allow the same person to enter the purchase order and issue the check.
For the exam assume the organization is large enough to use separation of duties, in smaller organizations where that is not practical, compensating controls should be in place.
Job rotation
Job rotation
For the exam think of it to detect errors and frauds. It is easier to detect fraud and there is less chance of collusion between individuals if they rotate jobs.
It also helps with employees burnout and it helps employees understand the entire business.
This can be to cost prohibitive for the exam/real life, make sure on the exam the cost justifies the benefit.
Mandatory vacations
Mandatory vacations
Done to ensure one person is not always performing the same task, someone else has to cover and it can keep fraud from happening or help us detect it.
Their accounts are locked and an audit is performed on the accounts.
If the employee has been conducting fraud and covering it up, the audit will discover it.
The best way to do this is to not give too much advance notice of vacations.
With the combination of all 5 we minimize some of the insider threats we may have.
NDA (non-disclosure agreement)
NDA (non-disclosure agreement)
We covered NDA's between our and other organizations, it is also normal to have them for internal employees.
Some employment agreements will include a clause restricting employees' use and dissemination of company-owned confidential information.
Background checks
Background checks
References, Degrees, Employment, Criminal, Credit history (less common, more costly).
For sensitive positions the background check is an ongoing process.
Privilege monitoring
Privilege monitoring
The more access and privilege an employee has the more we keep an eye on their activity.
They are already screened more in depth and consistently, but they also have access to many business critical systems, we need to audit their use of that access.
With more access comes more responsibility and scrutiny.
Report abuse