decrypting myths
It is not only vital for businesses to be GDPR compliant but also to have clear and tested procedures in place for when things do go wrong.
files and systems. An access-removal policy and/or an employee termination policy should be in place in advance. When an employee leaves the business, all access should be removed promptly: not just to the building, but to devices and software.
3. Utilise PoLP to limit access to the essentials, especially for short-term staff
When workers only stay in post for a matter of weeks or months, a Principle of Least Privilege (PoLP) policy is essential. Under it a new arrival starts with no privileges and receives access only to the systems and files they need to do their job. The principle is simple, but applying it takes planning, because many security systems assign rights to groups rather than to individuals: adding a user to a convenient group can grant far more than the role requires.
Businesses should map every job function to the privileges it needs, and avoid assigning privileges to guests, members of the public or anyone else who does not need them.
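The two points above, access removal when someone leaves and least privilege against a job-function map, can be checked mechanically once the mapping exists. The following audit is an added example, not code from the article or from Intelligent CISO; the group names, rights, roles, users and dates are all constructed for illustration. It expands group memberships into effective privileges (since rights are granted per group), diffs them against what the role was mapped as needing, treats an unmapped role such as a guest as needing nothing, and flags short-term or departed staff whose accounts are still enabled past their end date.

```python
"""Least-privilege audit over a constructed identity snapshot (example only).

Rights are granted to groups, so a user's effective privileges are the union
of the rights of every group they belong to. The audit compares that against
the privileges the user's job function was mapped as needing and flags:
  * excess privileges (group membership grants more than the role requires;
    a role with no mapping, e.g. a guest, is treated as needing nothing)
  * leaver / short-term accounts still enabled after their end date
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: hypothetical group names and the rights they carry.
GROUP_RIGHTS: Dict[str, Set[str]] = {
    "all-staff": {"email", "intranet"},
    "finance": {"ledger-read", "ledger-write", "payroll"},
    "contractor-dev": {"git-read", "ci-run"},
    "developers": {"git-read", "git-write", "ci-run", "prod-deploy"},
}

# Constructed job-function map: the minimum each role needs to do the job.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "accounts-clerk": {"email", "intranet", "ledger-read", "ledger-write"},
    "contract-developer": {"email", "intranet", "git-read", "ci-run"},
    "platform-engineer": {"email", "intranet", "git-read", "git-write",
                          "ci-run", "prod-deploy"},
}


@dataclass
class User:
    name: str
    role: str
    groups: List[str]
    end_date: Optional[date] = None   # contract end or leaving date, if known
    enabled: bool = True


def effective_privileges(user: User,
                         group_rights: Dict[str, Set[str]] = GROUP_RIGHTS) -> Set[str]:
    """Union of the rights of every group the user is a member of."""
    privs: Set[str] = set()
    for group in user.groups:
        privs |= group_rights.get(group, set())
    return privs


def excess_privileges(user: User,
                      group_rights: Dict[str, Set[str]] = GROUP_RIGHTS,
                      role_needs: Dict[str, Set[str]] = ROLE_NEEDS) -> Set[str]:
    """Rights held beyond what the job function was mapped as needing.

    An unmapped role (guest, visitor) needs nothing, so everything it holds
    is excess: this is the "start with no privileges" rule applied literally.
    """
    return effective_privileges(user, group_rights) - role_needs.get(user.role, set())


def audit(users: List[User], today: date,
          group_rights: Dict[str, Set[str]] = GROUP_RIGHTS,
          role_needs: Dict[str, Set[str]] = ROLE_NEEDS) -> List[Tuple[str, str, List[str]]]:
    """Return (user, finding, privileges) triples for every violation found."""
    findings: List[Tuple[str, str, List[str]]] = []
    for user in users:
        extra = excess_privileges(user, group_rights, role_needs)
        if extra:
            findings.append((user.name, "excess-privilege", sorted(extra)))
        # A leaver or short-term worker whose account outlived their end date.
        if user.enabled and user.end_date is not None and user.end_date < today:
            findings.append((user.name, "stale-account",
                             sorted(effective_privileges(user, group_rights))))
    return findings


# Constructed users: alice's finance group also carries payroll; bob is a
# contractor dropped into the permanent developers group and has already left;
# carol and dave are correctly provisioned; the kiosk guest has no mapped role.
USERS = [
    User("alice", "accounts-clerk", ["all-staff", "finance"]),
    User("bob", "contract-developer", ["all-staff", "developers"],
         end_date=date(2024, 3, 31)),
    User("carol", "platform-engineer", ["all-staff", "developers"]),
    User("dave", "contract-developer", ["all-staff", "contractor-dev"],
         end_date=date(2024, 6, 30)),
    User("kiosk-guest", "visitor", ["all-staff"]),
]
AUDIT_DATE = date(2024, 4, 15)   # constructed "today" for the run


def sample_findings() -> List[Tuple[str, str, List[str]]]:
    return audit(USERS, AUDIT_DATE)


if __name__ == "__main__":
    for name, kind, privs in sample_findings():
        print(f"{name}: {kind}: {', '.join(privs)}")
```

In practice the group and membership data would come from the directory (an LDAP or cloud IAM export) and the role map from HR, and the audit would run on a schedule so that a contractor placed in a permanent group, or an account left enabled after a leaving date, surfaces within a day rather than at the next manual review.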
4. Have a plan in place to deal with an insider incident
Companies need to be able to initiate security controls as soon as they suspect an employee or employees may be a threat to the business. This can involve invoking or tuning monitoring tools to begin gathering evidence and to determine the nature and scale of the incident. Coordination with legal counsel can begin early to address privacy, data protection and legal responses. Suspected employees could have their accounts frozen, or they could be placed on forced leave or job rotation to allow a forensic investigation to take place.
5. Be aware of what lack of preparation means
For those organisations without the appropriate controls in place, the scenario may play out very differently. It can result in increased damage to the business in terms of data stolen and reputation lost. Falsely accused employees may take legal action against the business, while distrust of the organisation may arise among other employees.
Issue 09 | www.intelligentciso.com