By Marc Jackson, Turnkey Consulting
All organisations use IT systems to support their day-to-day business. That ranges from email and instant messaging systems for communication, to document management systems for collaboration, to ERP systems for performing the majority of their business processes.
Who has access to what?
These systems require that access to functions that are inappropriate for certain individuals in particular situations is denied, whilst the relevant level of access to enable users to perform their job responsibilities is provided. It is often the case that access security, otherwise known as 'authorisations' or 'permissions', is regarded as a task for the 'techies'.
On occasion, a user will find they can't do something. This is usually because they shouldn’t be doing the activity in question (but have historically been given access to do so), or their responsibilities are changing and they are now required to perform additional tasks. Both situations must be dealt with in a proactive manner – but whose responsibility is it?
Authorisations or permissions are the gateway to data and functionality on the IT systems that support an organisation. Without adequate understanding and design of the permissions structures, users are not able to use the functions that they require. If incorrectly designed and implemented, the same permissions structures can also let users access data and functions that they should not be using.
Combining business with IT
Security administrators should have an appropriate level of technical knowledge regarding the system-specific security parameters and tools and an understanding of basic security concepts that help drive best-practice behaviour. They also need an appreciation of how the business works so that best-fit security solutions can be implemented, allowing security to become an 'enabler' rather than a bottleneck.
In addition, organisational 'ownership' of security is vital to ensure there is adequate control placed over who can do what in 'business critical' systems. For example, only the organisation can define the exact responsibilities of an accounts payable clerk. Investment of time and effort by the business in this area is crucial to drive fundamental security concepts within the IT systems themselves, as well as in the wider culture of the organisation.
There have been high-profile security lapses in data handling practices in both the public and private sector, but these and other types of security breaches can be avoided by maintaining a climate of security awareness that should be instilled in all layers of information management. No organisation can afford to ignore this if they are to safeguard confidential information.
Having appropriately skilled security professionals in charge of IT systems security, and ensuring security requirements and overall ownership of security is being driven by the business, should be interwoven in order to fully achieve security objectives. However, this is becomes increasingly difficult in the current economical climate when the investment in IT is reduced in various sectors.
A strategy for leaner times
The result of budget cuts is that the priority of security, incorrectly perceived by some as a non-value add function, is often reduced and reverts back into a reactive afterthought. The role of security administrator tends to be allocated to non-security professionals and becomes an additional responsibility to perform on a part-time basis, while the business devotes less and less time to this critical function and once again hands sole responsibility back to the ‘techies’.
The challenge during these leaner times is to maintain best-practice security principles by having the right people administering the systems. At the same time the business cannot afford to shy away from ownership, particularly as increased redundancies and salary freezes provide more motive than ever for disgruntled employees to use poor security to their own advantage.
About the company and the author:
Turnkey Consulting (www.turnkeyconsulting.com) is a specialist IT security company focused on combining business consulting with technical implementation to deliver information security solutions for SAP systems. The company was founded in 2004 by Richard Hunt and now has offices in the UK, Australia, Germany and the United States, servicing clients in Europe, the US and Asia.
Marc Jackson is the manager for audit and risk management at Turnkey Consulting. He has worked in the IT security and audit industry for the past decade. His career began as a security consultant at PricewaterhouseCoopers (PwC), where he specialised in SAP security implementations before moving into systems assurance work. He provided audit support services for statutory financial audits as well as Sarbanes Oxley compliance engagements, focussing both on SAP and non-SAP systems. Throughout his career, Marc has been involved in a number of security implementations and audit engagements working across a range of business processes and industry sectors in Europe and Asia.