Portals and Rails frequently focuses on external threats that pose risk for financial organizations and others involved in the payments value chain. However, insider threats can pose just as large a risk as external threats. One need look no further than the recent National Security Agency (NSA) information leak to understand the magnitude of insider risk. These risks can be reputation-damaging and cause significant financial harm.
Although security and control procedures can mitigate the risk of insider threats, it is extremely challenging to thwart a rogue insider committed to stealing or leaking sensitive information or implanting malicious software. The following access and security management principles, while not exhaustive, provide a solid base for any organization maintaining sensitive data to mitigate the risk of an insider letting this data out the door.
- Never-alone: Certain sensitive and critical functions and procedures (such as modifying hardware and security software) should be carried out by more than one person, or they should be performed by one person then automatically reported and immediately checked by another.
- Access rights: Data access rights and system privileges should be based on job responsibility and the need to perform job duties properly, and should be kept current.
- Limited tenure: Employees with access to sensitive data or in security-related positions should never believe their position is exclusive or permanent. One way to implement this is to rotate employees in these roles at random and require them to take mandatory leave, with no access to the systems during their absence.
- Concurrent access: An employee should not have simultaneous access to production systems and backup systems, particularly data files and computer facilities.
- Close supervision: Employees with system and data access entitlements should be closely supervised and have all their system activities logged. Access to these logs should be off-limits for these employees. Changes to highly sensitive data records should be immediately reported through messaging to supervisors for immediate review.
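As an added example, not part of the original post, the following Python script checks a constructed set of entitlements, change records and leave dates against four of the principles above (concurrent access, close supervision, never-alone and limited tenure). All user names, system names and dates are hypothetical.

```python
from datetime import date

# Constructed sample data (hypothetical users and systems, not from the post).
ENTITLEMENTS = {
    "alice": {"prod-db", "audit-log"},      # holds system access AND reads the logs
    "bob": {"prod-db", "backup-vault"},     # production and backup at the same time
    "carol": {"backup-vault"},
    "dave": {"prod-db"},
}
# Changes to highly sensitive records: who made them and who checked them.
SENSITIVE_CHANGES = [
    {"id": 1, "actor": "alice", "reviewer": "dave"},   # properly four-eyed
    {"id": 2, "actor": "bob", "reviewer": None},       # never checked
    {"id": 3, "actor": "dave", "reviewer": "dave"},    # self-reviewed
]
LAST_MANDATORY_LEAVE = {
    "alice": date(2013, 3, 1), "bob": date(2012, 5, 15),
    "carol": date(2012, 8, 1), "dave": date(2012, 6, 20),
}
PRODUCTION, BACKUP, LOG_SYSTEMS = {"prod-db"}, {"backup-vault"}, {"audit-log"}


def concurrent_access_violations(entitlements=ENTITLEMENTS):
    """Concurrent access: nobody may hold production and backup rights at once."""
    return sorted(u for u, s in entitlements.items() if s & PRODUCTION and s & BACKUP)


def log_access_violations(entitlements=ENTITLEMENTS):
    """Close supervision: a user with system entitlements must not read the activity logs."""
    return sorted(u for u, s in entitlements.items() if s & LOG_SYSTEMS and s - LOG_SYSTEMS)


def never_alone_violations(changes=SENSITIVE_CHANGES):
    """Never-alone: every sensitive change needs a second, different person to check it."""
    return [c["id"] for c in changes if not c["reviewer"] or c["reviewer"] == c["actor"]]


def overdue_mandatory_leave(last_leave=LAST_MANDATORY_LEAVE, today=date(2013, 7, 1), max_days=365):
    """Limited tenure: flag anyone who has not taken mandatory leave within max_days."""
    return sorted(u for u, d in last_leave.items() if (today - d).days > max_days)


if __name__ == "__main__":
    print("production+backup:", concurrent_access_violations())
    print("can read own logs:", log_access_violations())
    print("unchecked changes:", never_alone_violations())
    print("leave overdue:", overdue_mandatory_leave())
```

In practice the entitlement and change data would be pulled from the identity and audit systems, and the violation lists would feed the immediate supervisor alerts the post describes.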
On the heels of the leak, the NSA director stated that the agency would institute the "never-alone" policy going forward. This approach may be better late than never, but perhaps it is a signal that the leadership of this organization recognizes and values the importance of data security, an important overarching principle in the Risk Forum's opinion.
Has your organization incorporated all or some of these principles into data access and system security procedures? What other principles has your organization put into place to mitigate insider threat to data security?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed