Saturday, March 22, 2008

Least privilege

It is easier to start with full restrictions and then grant escalation as needed than to start with full privileges and then take them away. As an experiment, you can give away free coffee at the office, noting that it is for a "limited time"; when the time comes, people will still expect the free coffee. Compare that to providing coffee on special occasions, or occasionally as it is needed. The same concept applies to access to files and rights on their PCs. If people can install any program they want or visit any web site they want, and you then restrict that access in any manner, they will most likely see it as you taking a right away from them.

You need to create policies that set expectations for business security and that have ownership or buy-in from the employees. Give them training on computer security with a WIIFM ("What's in it for me?") angle, so the training is something they can also use at home. Provide both a carrot and a stick. Keep the wording positive rather than negative: "restricting user privileges on your machine makes it tougher for spyware to spread or even get installed in the first place" rather than "we're taking away administrator/power user rights for security." The positive version is also the accurate one: a program launched by an account without administrator rights cannot write to Program Files, install a driver or service, or change machine-wide settings under HKEY_LOCAL_MACHINE, so spyware that depends on those steps either fails to install or is confined to that one user's profile.

Pick an appropriate time to roll out the new privileges, and then actually make it happen. Hiring a new computer company, or having your existing one do an analysis or some basic reporting on your systems, can show where the deficiencies exist (for instance, which accounts currently hold administrator or power user rights on which PCs). The period right after a virus or spyware outbreak is a perfect time to review your current plan and implement something new, especially if users were adversely affected during the outbreak. Make sure IT is not blamed for things being taken away and is not seen as the "bad guys" in your organization.
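The "basic reporting" above has to start somewhere, and the first number worth having is how many accounts are local administrators on the PCs right now. The following PowerShell script is an added example, not from the original post or any product it mentions: it enumerates the local Administrators group on a list of Windows PCs through the ADSI WinNT provider and flags every member that is not on an approved list. The computer names and the approved-member list are constructed placeholders, and it assumes you run it from a domain-joined workstation with an account that can reach each PC.

```powershell
# Added example (not part of the original post): report local Administrators
# membership on a list of Windows PCs so the privilege rollout starts from data.
# Assumptions: run from a domain-joined admin workstation that can reach each PC
# over RPC/SMB; the computer list and the approved list below are placeholders.

$Computers = @('PC-ACCT01', 'PC-ACCT02', 'PC-SALES07')   # constructed sample list
# Accounts that are allowed to hold local admin rights everywhere (hypothetical).
$Approved  = @('Administrator', 'Domain Admins', 'Workstation Admins')

function Get-LocalAdmins {
    param([string]$Computer)
    # The WinNT provider enumerates a local group without WMI or PS remoting.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$report = foreach ($pc in $Computers) {
    try {
        foreach ($m in (Get-LocalAdmins -Computer $pc)) {
            [pscustomobject]@{
                Computer = $pc
                Member   = $m
                Approved = ($Approved -contains $m)
            }
        }
    } catch {
        # A PC that is off or unreachable is reported, not silently skipped.
        Write-Warning "$pc`: could not enumerate Administrators ($($_.Exception.Message))"
    }
}

# The deficiencies: every account with admin rights that is not on the approved list.
$report | Where-Object { -not $_.Approved } | Sort-Object Computer, Member | Format-Table -AutoSize

# Keep the full snapshot so you can show a before/after once rights are reduced.
$report | Export-Csv -Path '.\local-admins.csv' -NoTypeInformation
```

Run it once before the change and once after; the CSV from each run is the before/after evidence that lets you show management (and the users) what actually changed, rather than arguing about it. Members that show up as bare user names are usually the local accounts that were made administrators one PC at a time, which are exactly the ones the rollout is meant to remove.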

--Tim Krabec
