In my previous post, I discussed the first of four steps in how you can limit vendor risk. This month we will review perhaps the most important of the steps, Step 2: Identify and Control Who is Accessing Your Critical Information.
Steps to identify and control who is accessing your critical information:
- Create an inventory of your critical information — Many organizations have a general idea where the critical information exists, but they don’t always know the specific file/server/database storage locations. Perform an initial inventory using a combination of scanning tools and interviews within the organization to identify where the critical information exists. Then ensure you have a view into all new applications introduced in the organization so that your list remains up to date.
- Know who is accessing your information — It is pretty easy to identify the administrators within the organization. However, do you know when they logged in last? Do you know what actions they performed and why? This is where a Privileged Access Management system like one of the following can help:
  - Lieberman ERPM
  - Beyond Trust
  - CA PAM (formerly Xceedium)
  - Dell TPAM
  These systems are not difficult to install. With some simple process changes in your organization, you can be well on your way to securing your critical information.
- Regularly review who has access to your critical systems — Frequent periodic reviews, recommended every 30 days, are essential to making sure those accessing your most critical information are appropriate. We will dive into a system that can assist in performing access reviews in my next blog post of this series.
- Ensure that granting access to these systems requires multiple approvers — The approval process should include the employee’s manager, the data/application owner and an independent governance/risk team. This will ensure the access is necessary.
- Limit the number of generic/service accounts — Organizations often have a significant number of generic/service accounts and many times do not know who owns or knows the passwords to these accounts. You should perform an inventory of these accounts and use one of the Privileged Access Management tools listed above to vault and manage the passwords for these accounts. If for some reason an account cannot be vaulted/managed, establish a risk exception process to document who has access to the account, require the password to be changed frequently and ensure all activity related to this account is recorded and stored for review.
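Several of the checks above (when each privileged account last logged in, whether its access has been reviewed within the 30-day window, and whether every generic/service account has a documented owner and is either vaulted or covered by a risk exception with a recently rotated password) can be run as a script over an account inventory and an authentication log. The Python below is an added example written for this post; it is not code from the original article, from Simeio Solutions, or from any of the PAM products listed. The account records, the log lines, the field names and the 90-day password-rotation threshold are all constructed assumptions.

```python
"""Access-review helper: applies the checks described in the post to a
constructed account inventory and a constructed authentication log.
All data below is made up for illustration."""
from datetime import date, datetime

REVIEW_WINDOW_DAYS = 30      # the post recommends a review every 30 days
PASSWORD_MAX_AGE_DAYS = 90   # assumed rotation threshold for unvaulted accounts
DEMO_TODAY = "2016-03-01"    # constructed "today" so the example is deterministic

# Constructed inventory: privileged (admin) and generic/service accounts.
ACCOUNTS = [
    {"name": "alice.admin", "type": "admin", "owner": "alice", "vaulted": True,
     "password_changed": date(2016, 2, 20), "last_review": date(2016, 2, 15), "risk_exception": False},
    {"name": "bob.admin", "type": "admin", "owner": "bob", "vaulted": True,
     "password_changed": date(2016, 1, 10), "last_review": date(2015, 12, 1), "risk_exception": False},
    {"name": "svc_backup", "type": "service", "owner": None, "vaulted": False,
     "password_changed": date(2015, 6, 1), "last_review": date(2016, 2, 10), "risk_exception": False},
    {"name": "svc_etl", "type": "service", "owner": "data-team", "vaulted": False,
     "password_changed": date(2016, 2, 1), "last_review": date(2016, 2, 20), "risk_exception": True},
    {"name": "svc_monitor", "type": "service", "owner": "ops", "vaulted": True,
     "password_changed": date(2016, 2, 25), "last_review": date(2016, 2, 25), "risk_exception": False},
]

# Constructed authentication log: "<ISO timestamp> <account> <action> <host>".
AUTH_LOG = """\
2016-02-27T08:15:02 alice.admin login db-prod-01
2016-02-27T08:20:44 alice.admin sudo db-prod-01
2016-01-15T22:03:10 bob.admin login fs-02
2016-02-28T01:00:00 svc_backup login fs-02
"""


def parse_auth_log(text):
    """Group log events by account: {account: [(timestamp, action, host), ...]}."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, action, host = line.split(maxsplit=3)
        events.setdefault(account, []).append((datetime.fromisoformat(ts), action, host))
    return events


def last_login(events):
    """Most recent 'login' event per account; accounts with no login are omitted."""
    result = {}
    for account, evs in events.items():
        logins = [ts for ts, action, _ in evs if action == "login"]
        if logins:
            result[account] = max(logins)
    return result


def review_account(acct, logins, today):
    """Apply the post's checks to one account and return its findings."""
    issues = []
    # Every privileged account must have been reviewed within the window.
    if (today - acct["last_review"]).days > REVIEW_WINDOW_DAYS:
        issues.append("access review overdue")
    if acct["type"] == "service":
        # Generic/service accounts need a known owner...
        if acct["owner"] is None:
            issues.append("no documented owner")
        # ...and must be vaulted, or be under a documented risk exception
        # with a frequently rotated password.
        if not acct["vaulted"]:
            if not acct["risk_exception"]:
                issues.append("not vaulted and no risk exception")
            if (today - acct["password_changed"]).days > PASSWORD_MAX_AGE_DAYS:
                issues.append("password rotation overdue")
    last = logins.get(acct["name"])
    return {"account": acct["name"],
            "last_login": last.isoformat() if last else None,
            "issues": issues}


def run_review(accounts, log_text, today_iso):
    """Full report: one record per account with last login and any findings."""
    today = date.fromisoformat(today_iso)
    logins = last_login(parse_auth_log(log_text))
    return [review_account(a, logins, today) for a in accounts]


def accounts_needing_action(accounts, log_text, today_iso):
    """Only the accounts with at least one finding: {account: [issues]}."""
    return {r["account"]: r["issues"]
            for r in run_review(accounts, log_text, today_iso) if r["issues"]}


if __name__ == "__main__":
    for rec in run_review(ACCOUNTS, AUTH_LOG, DEMO_TODAY):
        status = "; ".join(rec["issues"]) or "ok"
        print(f'{rec["account"]:<12} last login: {rec["last_login"]!s:<20} {status}')
```

Run as-is it reports `bob.admin` as overdue for review and `svc_backup` as ownerless, unvaulted without an exception, and overdue for rotation, while `svc_etl` passes because its exception is documented and its password is recent. In practice the inventory would be exported from the PAM tool or directory and the log pulled from the PAM session recorder or SIEM; the review window and rotation threshold belong in the organization's policy rather than in the script.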
If you do take action and perform the steps above you will be one giant step closer to limiting vendor risk.
Simeio Solutions can provide you with experts in setting up and configuring any of the above-mentioned Privileged Access Management systems. Simeio Solutions is vendor agnostic, supporting any Privileged Access Management software you may choose.
In next month’s post, I’ll discuss Step 3 — Ensure Periodic Access Reviews are Performed. Thanks for reading; I hope you have enjoyed it.
Robert Streets, CBCP, CISA
Project/Service Delivery Manager