It’s that time of year; the auditors are out and organizations across the globe are assessing their security posture. To be compliant or not to be compliant… that is the question that auditors and security teams alike are out to answer. In the past, Active Directory has often been overlooked when a security and compliance assessment is performed. But, times are changing and auditors know that organizations are increasingly depending on Active Directory to hold business critical information or to act as a gateway to business critical/sensitive data. So, this year, when it comes to preparing for the inevitable audits, don’t forget to think about Active Directory when assessing your security and compliance posture.
To help you out, I thought I’d share a few tips to help you emerge from audit season with a smile on your face:
- Know who has access to what. A favorite question of my colleague, who was an auditor in a former life, is: “Can you produce a report of all your privileged users?” When you face this request, you should have a solution in place to quickly and easily produce a report that shows who has elevated privileges, and what those privileges are.
- Have a process for swiftly de-provisioning users. Oh the joy of discovering that someone who left the company two weeks ago (regardless of whether it was their choice or not) still has access to sensitive and business critical resources. That’s enough to make anyone’s stomach drop to the floor.
- Have a process to swiftly re-provision users. Organizations are dynamic and people move from department to department, and role to new role in the enterprise on a regular basis. Just because an employee had access to your HR system when they were in marketing, does not mean that they require that same access when they move into sales. Protect critical data by controlling and limiting access to it.
- Know the status of inactive accounts and do something about it. Put a process in place to automate the clean-up of stale user and computer accounts. Not only will this improve the quality of the information supporting your business, but it reduces the workload associated with this task (painful and mundane when done with native tools), and improves adherence to policy by ensuring that the task is consistently performed on a scheduled basis.
- Be prepared to demonstrate how you detect and remediate unauthorized change. The degree of risk associated with a data breach depends on two things: first, how quickly you detect an unauthorized change, and second, how quickly you remediate it. The longer it takes you to detect an unauthorized or malicious change, the higher the probability that a security exposure will occur. That is increased and unnecessary risk to the business, something auditors and security teams are not thrilled to find.
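As an added example (not code from the original post), the following read-only PowerShell script produces the evidence behind the first, fourth and fifth tips: a list of privileged users with the group that grants the privilege, a list of stale user and computer accounts, and the intersection of the two. It assumes the RSAT ActiveDirectory module, read access to the domain, and a 90-day inactivity threshold and group list that are my own choices, not anything the post specifies.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT)
# and a domain-joined, read-only account. Nothing here modifies the directory.
Import-Module ActiveDirectory

# Assumed list of groups that confer elevated privilege; add your own delegated-admin groups.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators'
)
$inactiveDays = 90                                   # assumed staleness threshold
$cutoff       = (Get-Date).AddDays(-$inactiveDays)

# 1. Privileged users: expand nested membership so a user buried three groups deep still shows up,
#    and record which group grants the privilege so the auditor's "what privileges?" is answered too.
$privileged = foreach ($g in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                # LastLogonDate derives from the replicated lastLogonTimestamp (coarse, ~14-day granularity),
                # which is good enough for staleness but not for forensic timelines.
                Get-ADUser $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordLastSet |
                    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
                                  @{ Name = 'PrivilegedVia'; Expression = { $g } }
            }
    } catch {
        # Very large groups or foreign security principals can make expansion fail; report rather than skip silently.
        Write-Warning "Could not expand group '$g': $($_.Exception.Message)"
    }
}

# 2. Stale accounts: no logon within the threshold. Disabled accounts are kept on purpose,
#    so the report also shows what de-provisioning left behind instead of deleting.
$span           = [TimeSpan]::FromDays($inactiveDays)
$staleUsers     = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly
$staleComputers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly

# 3. The combination an auditor cares about most: privileged AND stale (never-logged-on counts as stale).
$stalePrivileged = $privileged | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }

# Write CSV evidence for the audit file so the same report can be re-run and compared next quarter.
$privileged      | Sort-Object PrivilegedVia, SamAccountName               | Export-Csv .\privileged-users.csv -NoTypeInformation
$staleUsers      | Select-Object SamAccountName, LastLogonDate, Enabled    | Export-Csv .\stale-users.csv -NoTypeInformation
$staleComputers  | Select-Object Name, LastLogonDate, Enabled              | Export-Csv .\stale-computers.csv -NoTypeInformation
$stalePrivileged | Export-Csv .\stale-privileged-users.csv -NoTypeInformation

'{0} privileged memberships, {1} stale users, {2} stale computers, {3} stale privileged accounts' -f `
    @($privileged).Count, @($staleUsers).Count, @($staleComputers).Count, @($stalePrivileged).Count
```

A non-empty stale-privileged-users.csv is the finding to fix before the auditor arrives; an empty one, produced on a schedule, is the evidence that the de-provisioning and clean-up processes above actually run.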
Although a comprehensive list of do’s and don’ts when it comes to compliance may prove to be quite difficult to list – especially since every company is different – hopefully these will get you moving in the right direction when it comes to improving the security and compliance of your IT environment, especially one that may be heavily dependent on Active Directory.
So, as we all gear up for a review of our security and compliance posture, feel free to share your tips/tricks for assuring that we all have a relatively painless auditing process this year!
Posted Jan 28 2010, 01:24 PM by Erin Avery