General advice on how to control location, access permissions and the use of confidential information in an organization
In today's corporate realities, a large amount of information important for organization is stored as so-called unstructured or semi-structured data as separate files and folders in file storages, collections of SharePoint sites, e-mail archives on Exchange servers, etc. The growth of such data is, on average, about 30-50% per year. Moreover, at such a rate, not only the quantitative growth of the volume of bytes consumed for storage (often with the Giga prefix or more and more often Tera-) occurs, but also a qualitative increase in the important or even vital data necessary for the company, “spread” by one or more 20-30) file servers with different operating systems, ideologies of information storage and processing (Exchange, SharePoint, Windows, SAN / NAS).
All this raises a number of problems to ensure the security of such data, optimize their storage and the overall management tasks and alignment of the processes of interaction of the organization’s employees with such data. Such an extensive list of tasks can be successfully solved by involving employees from different departments, such as: traditionally IT departments involved in the system administration of computer resources of the company, information security management employees interested in minimizing the risks associated with leakage or damage or otherwise harmful to the company using confidential information. Also, in many organizations, in addition to technical specialists and information security officers, the purpose and importance of using specific information are best represented by the company's core business units: lawyers, accountants, sales staff, etc. Involving such employees as “data owners” makes a valuable contribution to the task of ensuring data security, updating important information, etc. Consider the entire set of actions to optimize the processes described above and solve the identified problems in the form of top-priority recommendations that can be implemented in an organization with a set of measures, ranging from the development of appropriate regulations and internal policies, training of technical personnel and the introduction of technical means to ensure the implementation of these measures in the enterprise :
1. Access Matrix
The presence of an actual access matrix representing the situation with user rights “today” in an illustrative form for a specialist is the starting point in building data security policies, and also provides a comprehensive answer to questions from management and business users: who has access to this folder; obtaining a list of users and their rights to a specific resource of a department / department; analysis of access opportunities through global groups, etc. Already having such a picture of access rights, which can be quickly obtained for absolutely any folder, a lot can be done to secure the existing information, reducing the risks of leakage, misuse, etc. several times.
2. Classification of available information
In practice, there are often situations when important information with which employees work is contained in folders with names like “!!! For Masha, ”and confidential information with the numbers of employees' payroll cards and the conditions of tenders are distributed by users to different folders of the file resource (or new folders are created in unexpected places with names that do not say anything). All this information needs to be found, to understand who has access to it and determine it in the locations specified for storage.
')
3. “Data Owners”
As noted above, the one who works with them has a better understanding of the value of data. Involving the staff of specialized units in the process of solving problems of managing and security of information can not be superfluous in the successfully maintained system of working with data on information resources. Involving such employees as “Data Owners” of a specific folder, providing them in a clear form of information, who has access to their folder, who specifically worked in it, for example, for the last week gives security officers, as feedback from these employees, drastically A new and extremely effective tool to determine access rights to a specific folder to the minimum necessary level.
4. Audit employee actions
Monitoring the current activity of users on file storages allows you to see who accessed, deleted, modified, or tried to access data to which there is no access. Taken together, this allows for general monitoring of a file resource, to see folders where activity is high or vice versa, and to increase the efficiency of information storage by moving it to faster or slower disk shelves. It also becomes possible to easily monitor appeals to personal data of employees, which is currently a legal requirement, to effectively investigate incidents involving the deletion, copying of information by specific users, etc.
5. Prompt notification of events on the file system
In addition to the fact of having information about user activity and other events on file storages, for business and organizations it is very important to alert and respond to the occurrence of an event. The presence of such tools that allow you to receive at least a letter to the mail, SMS message to the phone of the responsible employee is a valuable tool in preventing facts of information leaks (copying to flash drives, etc.), damage to information (viruses to remove / encrypt data), violation of corporate storage policies information on file resources (placement of data on leadership bonuses in the folder "!!! For All"). Ensuring the reaction time of responsible employees to such events from several minutes to several hours will allow promptly stopping such incidents and preventing the facts of inappropriate use of information at the initial stage, significantly minimizing possible harmful consequences.
6. Securing the progress achieved
Creating an access matrix, clearing global groups from ACLs for a specific folder, etc. - carrying out all these actions once actually devalues ​​the work of doing this work, because over time, user rights will change, IT specialists will provide access for new employees to new folders, the number of such folders will inevitably grow, their names will change, etc.
The optimal way out of the situation here is the ability to provide and establish a formalized process of providing access to resources on requests, in which the user will be involved, as the initiator of the process, responsible IT or IS employees who exercise general control, “Data Owners”, who make decisions - and Does access to "my folder" specifically this employee? Also, in order to effectively control access to data and information services, a process is needed to periodically review access rights to critical resources for an organization, so that an employee responsible for a given resource must decide for whom, from the existing list of users, leave and who take away.
Based on experience, it can be noted that the set of measures and recommendations listed in the article can be a good starting point for building data retention policies and understanding what result should be obtained as a result. All these measures will improve the security of available information, increase the efficiency of its use, and for employees of information and security departments, will reduce the amount of time associated with solving routine tasks in administering and ensuring the security of file storage, as well as gaining a clear understanding of the possible risks associated with inappropriate using data and ways to minimize these risks.
All this raises a number of problems to ensure the security of such data, optimize their storage and the overall management tasks and alignment of the processes of interaction of the organization’s employees with such data. Such an extensive list of tasks can be successfully solved by involving employees from different departments, such as: traditionally IT departments involved in the system administration of computer resources of the company, information security management employees interested in minimizing the risks associated with leakage or damage or otherwise harmful to the company using confidential information. Also, in many organizations, in addition to technical specialists and information security officers, the purpose and importance of using specific information are best represented by the company's core business units: lawyers, accountants, sales staff, etc. Involving such employees as “data owners” makes a valuable contribution to the task of ensuring data security, updating important information, etc. Consider the entire set of actions to optimize the processes described above and solve the identified problems in the form of top-priority recommendations that can be implemented in an organization with a set of measures, ranging from the development of appropriate regulations and internal policies, training of technical personnel and the introduction of technical means to ensure the implementation of these measures in the enterprise :
1. Access Matrix
The presence of an actual access matrix representing the situation with user rights “today” in an illustrative form for a specialist is the starting point in building data security policies, and also provides a comprehensive answer to questions from management and business users: who has access to this folder; obtaining a list of users and their rights to a specific resource of a department / department; analysis of access opportunities through global groups, etc. Already having such a picture of access rights, which can be quickly obtained for absolutely any folder, a lot can be done to secure the existing information, reducing the risks of leakage, misuse, etc. several times.
2. Classification of available information
In practice, there are often situations when important information with which employees work is contained in folders with names like “!!! For Masha, ”and confidential information with the numbers of employees' payroll cards and the conditions of tenders are distributed by users to different folders of the file resource (or new folders are created in unexpected places with names that do not say anything). All this information needs to be found, to understand who has access to it and determine it in the locations specified for storage.
')
3. “Data Owners”
As noted above, the one who works with them has a better understanding of the value of data. Involving the staff of specialized units in the process of solving problems of managing and security of information can not be superfluous in the successfully maintained system of working with data on information resources. Involving such employees as “Data Owners” of a specific folder, providing them in a clear form of information, who has access to their folder, who specifically worked in it, for example, for the last week gives security officers, as feedback from these employees, drastically A new and extremely effective tool to determine access rights to a specific folder to the minimum necessary level.
4. Audit employee actions
Monitoring the current activity of users on file storages allows you to see who accessed, deleted, modified, or tried to access data to which there is no access. Taken together, this allows for general monitoring of a file resource, to see folders where activity is high or vice versa, and to increase the efficiency of information storage by moving it to faster or slower disk shelves. It also becomes possible to easily monitor appeals to personal data of employees, which is currently a legal requirement, to effectively investigate incidents involving the deletion, copying of information by specific users, etc.
5. Prompt notification of events on the file system
In addition to the fact of having information about user activity and other events on file storages, for business and organizations it is very important to alert and respond to the occurrence of an event. The presence of such tools that allow you to receive at least a letter to the mail, SMS message to the phone of the responsible employee is a valuable tool in preventing facts of information leaks (copying to flash drives, etc.), damage to information (viruses to remove / encrypt data), violation of corporate storage policies information on file resources (placement of data on leadership bonuses in the folder "!!! For All"). Ensuring the reaction time of responsible employees to such events from several minutes to several hours will allow promptly stopping such incidents and preventing the facts of inappropriate use of information at the initial stage, significantly minimizing possible harmful consequences.
6. Securing the progress achieved
Creating an access matrix, clearing global groups from ACLs for a specific folder, etc. - carrying out all these actions once actually devalues ​​the work of doing this work, because over time, user rights will change, IT specialists will provide access for new employees to new folders, the number of such folders will inevitably grow, their names will change, etc.
The optimal way out of the situation here is the ability to provide and establish a formalized process of providing access to resources on requests, in which the user will be involved, as the initiator of the process, responsible IT or IS employees who exercise general control, “Data Owners”, who make decisions - and Does access to "my folder" specifically this employee? Also, in order to effectively control access to data and information services, a process is needed to periodically review access rights to critical resources for an organization, so that an employee responsible for a given resource must decide for whom, from the existing list of users, leave and who take away.
Based on experience, it can be noted that the set of measures and recommendations listed in the article can be a good starting point for building data retention policies and understanding what result should be obtained as a result. All these measures will improve the security of available information, increase the efficiency of its use, and for employees of information and security departments, will reduce the amount of time associated with solving routine tasks in administering and ensuring the security of file storage, as well as gaining a clear understanding of the possible risks associated with inappropriate using data and ways to minimize these risks.
Source: https://habr.com/ru/post/259889/
All Articles