Most companies have stringent security procedures. And in most companies, the security experts are usually exempt from these procedures in some way, under the pretext that this is needed in order for them to do their job as easily as possible. It must be understood that these experts are neither superhuman nor super honest, and restrictions also need to apply to them.
This post is triggered by a recent article in a Norwegian paper 'Security agent gets child porn sentence'.
Apparently, a National Security Authority agent managed to download 99 CDs of child pornography before he was discovered and arrested. This supports my point that security personnel are just ordinary people, and obviously some of them end up on the criminal side. It is quite common to apply the "Do as I say, don't do as I do" philosophy.
On the other hand, these people are given very wide authority, responsibility and trust within a company, since it is their job to maintain security.
Regardless of the responsibility and authority they are given, controls must be put in place for all employees. Any security expert trying to circumvent these controls has a hidden agenda, and red flags should be raised immediately.
Here are 8 tips that should be observed for the company's security experts:
- Security experts should use a standard user account on all systems (without administrator privileges)
- Security experts should not be authorized to bring in and install foreign software, except in special, documented circumstances
- Security experts should not have the administrator password of any computer system
- Security experts' Internet access should be subject to the same rules as the rest of the organization. If an exception is required for business reasons, such an exception should be provided via a guest access network for the laptop
- If the security expert's laptop is subject to special treatment (granted the administrator password, installation of foreign software, etc.), it should be treated as hostile in the corporate network and be allowed only guest access to mail and the Internet. Also, in such circumstances, no corporate-specific software should be installed on the laptop
- Security experts should be subject to the same software security and audit policies that apply to other employees
- Security experts should have very limited privileges to access corporate systems: access only to log review, with read-only privilege
- All documentation given to the security expert for review should be tracked, preferably in copy (sent via digitally signed email, using corporate mail with archive tracking)
Talkback and comments are most welcome