How does your IT Security relate to a game of chess?

For those of you who have played the game of chess, you know that each piece has its specific role and rules of engagement. For example, the bishop can only move diagonally across the board, and so on. The same is true in many organizations: each person has a role and responsibilities within the organization, and with those responsibilities comes the need to know, and to have access to, certain information.

From an IT security standpoint, we often find that organizations take the path of least resistance and give everyone access to everything. Occasionally, we find human resources and accounting data segregated and secured differently, but not always. When was the last time you reviewed your data as a whole? Where is it stored? What are the access rights? Do you have a corresponding written security policy that identifies categories of data and which job functions should have access to each? Are you aware of your legal responsibilities to protect certain types of information?

As a simple example, employee birthdays are considered personally identifiable information. Here at IT Radix, we like to celebrate our team members' birthdays, which prompted us to think about how that information is stored in our system. In the beginning, we used to store this information in a place where multiple people could see the month and day but not the year. We have subsequently modified this to move it to a place where only the appropriate personnel can access it.

What about information like invoices, received payments, or perhaps information about your clients?

Should everyone have access to everything, or should some of this information be segregated and specific security access rights granted? Some industries, such as insurance and financial services, require that a security officer be designated. That officer has the legal obligation to perform security oversight over specific types of data, which includes files and email.

Let’s take a closer look at banking information. Does your organization accept credit cards? In general, most do. Most organizations think that because the credit card is processed outside of their network they are protected. But let’s review the scenario where a client calls in the credit card number rather than entering it directly on an external ecommerce site. What does your team member do with the number? Likely they write it down (we’ll assume they shred this piece of paper later). Then they may launch the software that allows them to key the credit card number in to the processor. It might be a web browser, or it could be your accounting software. What happens if the machine the person is using has spyware installed, unbeknownst to them? The credit card number could potentially be compromised. And if the credit card number is stored in your software, which it is if you’re using QuickBooks to process the credit card, you now have an even bigger issue.

As you can see, it’s important to look at all aspects of your organization’s information: identify the types of data, identify who needs to have access, and identify the areas of potential risk. Then, like in the game of chess, you need to establish the rules for how your team members can move around within your computer network, including their own machines, which may need to be locked down as well.
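The three steps above (list the categories of data, list which job functions need each, and then check where access is broader than the job requires) can be written down as a small deny-by-default access matrix and reviewed mechanically. The following Python is an added illustration and is not IT Radix's code or tooling; the roles, the data categories and the permissions between them are constructed assumptions standing in for the inventory an organization would build for itself.

```python
"""Deny-by-default access matrix over classified data categories.

Added illustration, not IT Radix's code or tooling: the roles, data
categories and the permissions between them are constructed assumptions.
"""

# Constructed inventory: each data category lists the job functions that
# need to read it. A category absent from the matrix, or with an empty set,
# grants nothing, so a newly discovered kind of data starts locked down.
ROLES = ("hr", "accounting", "sales", "support")

ACCESS_MATRIX = {
    "employee_pii":      {"hr"},                             # birthdays, home addresses
    "payroll":           {"hr", "accounting"},
    "invoices":          {"accounting", "sales"},
    "received_payments": {"accounting"},
    "client_contacts":   {"sales", "support", "accounting"},
    "cardholder_data":   set(),  # keyed straight to the processor, never kept on file
}


def can_access(role, category, matrix=ACCESS_MATRIX):
    """True only when the category is known and the role is on its list."""
    return role in matrix.get(category, set())


def role_view(role, matrix=ACCESS_MATRIX):
    """Everything one job function can see: the list to confirm with its manager."""
    return sorted(cat for cat, allowed in matrix.items() if role in allowed)


def review_access(matrix, roles):
    """Flag the two ends a periodic access review should look at.

    'unrestricted' holds categories every role can read (the "everyone has
    access to everything" shortcut); 'unassigned' holds categories nobody
    can read, which is either deliberate (cardholder data) or a sign that
    the inventory lists data that actually lives somewhere outside the model.
    """
    everyone = set(roles)
    unrestricted = sorted(cat for cat, allowed in matrix.items() if everyone <= allowed)
    unassigned = sorted(cat for cat, allowed in matrix.items() if not allowed)
    return {"unrestricted": unrestricted, "unassigned": unassigned}


if __name__ == "__main__":
    for role in ROLES:
        print(f"{role:11} -> {', '.join(role_view(role)) or '(nothing)'}")
    print(review_access(ACCESS_MATRIX, ROLES))
```

The matrix is the written policy the article asks about, in a form that can be compared against the permissions actually set on file shares, mailboxes and accounting software; the review function is the periodic check that catches the drift back toward "everyone has access to everything".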

We encourage you to call us today to review your business processes and corresponding security access permissions to ensure that you can win the game of chess today!

First published in our February 2018 IT Radix Resource newsletter