Following access control compliance requirements in a Windows environment


By Rebecca Herold, Contributor
04.24.2008


Some of the important access control issues related to compliance that should be of interest to Windows administrators are: specific regulatory requirements, industry standards, due diligence and e-discovery.

Windows administrators must establish and maintain access controls, and know who can access which data, in order to support compliance with each of these issues and to protect both their IT budgets and their jobs.

Specific regulatory requirements -- What regulatory requirements does your organization have? There are many possibilities. Table 1 lists a few of these access control requirements for some of the most widely applicable laws and regulations. Discuss these with your legal counsel, information security officer or privacy officer. Noncompliance with these laws and regulations could result in fines and penalties that take funds from your IT budget.

Table 1: Regulatory access control requirements

[TABLE]

Information security standards -- There is a growing trend within different industries to require applicable organizations to follow specific information security standards. Two examples are the Payment Card Industry Data Security Standard, or PCI DSS, for organizations that process credit card payments; and the Common Criteria for software and hardware systems used by the U.S. government. In addition, growing numbers of organizations are requiring their business partners and outsourced vendors to have an Information Security Management System (ISMS) certified to ISO 27001 and built around the ISO 27002 controls.

Table 2 lists a few of these standards requirements. Have a talk with your information security officer about these standards to make sure they are all being followed. If your company loses the ability to process credit cards or loses a government contract because these standards aren't in place, it could have a negative impact not only on your IT budget but also on your job.

Table 2: Standards access control requirements

[TABLE]

Due diligence -- All organizations must exercise due diligence in following their own policies. Organizations may be found guilty of unfair or deceptive acts or practices if they do not have the information security in place to support the policies they publish.

Due diligence applies not only to your own organization but also to your business partners to ensure that they have proper security practices. The Federal Trade Commission has brought many charges against organizations that violate Section 5 of the FTC Act, which prohibits unfair or deceptive practices. Table 3 lists a few of these due diligence requirements that resulted from established policies and contracts. Make sure your information security officer and you are on the same page when it comes to due diligence. If an incident occurs as a result of not following policies, the investigator will likely ask the IT department why you were not in compliance. Do you really want to be on the other end of that conversation?

Table 3: Due care access control considerations

[TABLE]

E-discovery -- Business leaders are becoming increasingly concerned with e-discovery rules, which generally provide the requirements for using computer technology and electronic information during the discovery phase in lawsuits. Every organization doing business in the U.S. must comply with the e-discovery rules.

Table 4 lists a few of these e-discovery requirements that Windows administrators must know. When litigation occurs, the IT area will be expected to quickly find specific data items from every location where they are stored. It could be a career-limiting -- or even career-ending -- moment if you cannot. Having controls and documented procedures in place to retrieve data quickly is good for your business and for your job security.

Table 4: E-discovery access control considerations

[TABLE]

Unify access control requirements -- The best way to implement access control requirements that satisfy these many diverse issues is to base your access control settings on the requirements common to all of them. Table 5 gives you just a few of the many common areas required by laws, regulations, standards and best practice policies.

Table 5: Windows access control considerations

[TABLE]

The bottom-line common denominator for all types of compliance requirements is that you must give user accounts the minimum access necessary for them to successfully fulfill their job responsibilities.

Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance. She is owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
