Auditors, Security and Words of Wisdom
The proof of the security pudding is in the audit review, so to speak.
However, security auditors will generally not sit down with you up front and
help you design an IAM system, because it could compromise the
independent stance they need to maintain. What they will probably do,
though, is give you some principles to follow. Here are some that we learnt
from our internal auditors:
Data Classification
Levels of sensitivity
An organisation's data can be grouped into several categories, e.g., Public,
Internal, Commercial-in-confidence, Confidential, Secret, etc. This
categorisation is key to understanding the levels of access that should be
granted to them, and should be carried out at the outset for any business
system or application. Operations on data should also be categorised by
sensitivity.
Access Management
Secure-worthiness
In general, it is wasteful to expend effort to secure a resource beyond the
value of the resource itself.
Privacy
This relates to the confidentiality level of the data being considered.
Encryption is one of the key mechanisms for ensuring privacy, and public key
cryptography is a fairly standard technology used in IAM systems. Most of
the security standards in the Identity Management area (AES, FIPS 140-2,
etc.) pertain to cryptography.
Least Privilege/Need to Know
Access should not be granted beyond the levels justified for a given purpose.
The need to implement this uniformly then creates the justification for
role-based access control mechanisms.
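The three principles above (classify the data, classify the operations, grant through roles no more than the purpose justifies) can be combined into a single deny-by-default access check. The following is an added illustration, not code from the book; the role names and the per-operation clearances assigned to them are assumptions.

```python
from typing import Iterable

# Sensitivity levels named on the page, least to most sensitive.
LEVELS = ["Public", "Internal", "Commercial-in-confidence", "Confidential", "Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Assumed roles. Each role carries a separate ceiling per operation, so that
# writing or deleting (more sensitive operations) need a higher clearance
# than reading the same data. A missing operation means "never".
ROLE_CLEARANCE = {
    "staff":      {"read": "Internal"},
    "sales":      {"read": "Commercial-in-confidence", "write": "Internal"},
    "compliance": {"read": "Secret", "write": "Confidential", "delete": "Internal"},
}


def permitted(roles: Iterable[str], classification: str, op: str) -> bool:
    """Least-privilege decision: allow only if some role held by the caller
    has a ceiling for `op` at or above the data's classification.

    Unclassified data is a configuration error, not a normal denial: the page
    says classification must happen at the outset, so we fail loudly."""
    if classification not in RANK:
        raise ValueError(f"data has no classification: {classification!r}")
    need = RANK[classification]
    for role in roles:
        ceiling = ROLE_CLEARANCE.get(role, {}).get(op)  # unknown role -> no grants
        if ceiling is not None and RANK[ceiling] >= need:
            return True
    return False  # deny by default


if __name__ == "__main__":
    # Constructed sample requests (roles held, data classification, operation).
    requests = [
        (["staff"], "Internal", "read"),
        (["staff"], "Internal", "write"),
        (["sales"], "Commercial-in-confidence", "write"),
        (["sales", "compliance"], "Secret", "read"),
    ]
    for roles, cls, op in requests:
        print(f"{roles} {op} {cls}: {'ALLOW' if permitted(roles, cls, op) else 'DENY'}")
```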