Is Compliance Enough? How to Ensure Logical Access Control
The article goes on to criticize FERC performance in creating standards for protecting and securing the power grid and ensuring that the industry complies with those standards. The audit found that the cyber security reliability standards or Critical Infrastructure Protection (CIP), developed by the North American Electric Reliability Corporation (NERC) and commissioned by FERC, "did not include essential security requirements and effective practices such as defining what constituted critical assets and implementation of strong logical access controls."
However, since maintaining compliance in all industries with regulatory bodies and compliance standards -- from PCI to HIPAA -- can be like chasing a moving target, perhaps FERC is not completely at fault. We all have to be responsible for coming up with a strategy that best protects our organizations' critical assets. We shouldn't be solely focused on the question "will we pass the next audit?" but also on "are we doing everything possible to protect our sensitive data?"
Equipping your organization and preparing for the next audit does not have to be a major headache, if you have the right strategy in place to identify, manage and track critical assets and ensure logical access controls.
The right strategy starts with putting a consistent attestation process in place throughout the organization that includes integrated delegation functionality for managers, a consistent workflow that allows you to change group owners and manage groups effectively and develop reports for stakeholders in order to track ownership changes to better manage the compliance process.
Access to critical data within an organization should be determined by a person's role and need for the information and should be reviewed regularly. This is why putting a process in place that requires integrated delegation among managers and data owners is so important. To do this successfully, the IT manager should be in sync with line-of-business-managers throughout the organization and have an understanding of what an employee should and should not have access to. This is particularly important with contractors working for your organization, as this access is often overlooked and mismanaged. The notion of "trust, but verify", applies as disgruntled former employees or temporary workers cannot be expected to be as loyal. Limiting their access to only the data that will allow them to do their jobs is often enough and can protect your organization's critical assets, especially if the user has to be let go abruptly. And having a clear picture of all employee access (from office access to remote access) is especially important.
Once specific access is determined based on roles or other requirements, IT managers and supervisors should regularly review that access, as frequently as every 3-6 months. This will make it easier for the IT manager to immediately and correctly remove all employee access the second an employee leaves the company and frequent reviews of all employee access can help all parties to spot an inconsistency before it becomes a problem.
And if you are managing employee access on a worldwide basis, consistent attestation is especially important. In the case of managing international access, you should set IT access policies by geographic region first, then further by employee role and responsibilities. Narrowing this down will help you to stay in line with compliance standards for privacy, no matter which country you are operating in. It will also allow you to create reports for stakeholders by region.
If you follow these steps you'll find that achieving compliance, and more importantly securing critical assets, is not as challenging as it seems.