Public CIO - December 2008/January 2009 - (Page 20)

From a logical standpoint, it shouldn’t come as a great surprise that authorized IT users cause more damage than hackers. Staff and contractors need access to IT resources to do their jobs, and inevitably some of them will abuse that access. Joseph Thomas Colon had legal access to the FBI’s internal network in 2004 and 2005 when he stole 38,000 employee passwords, including that of Director Robert Mueller. The FBI spent millions of dollars to determine whether the theft compromised any information.

IRS subcontractor Claude Carpenter accessed an agency server to log on to two other servers and insert code to wipe out the data on all of them. Carpenter hid his tracks by turning off system logs, removing history files and overwriting the destructive code after execution to make it impossible for system administrators to determine why the data was deleted. It was only his suspicious behavior after he was terminated that tipped off management.

Nearly half of inside IT users “exhibited some inappropriate or concerning behavior” prior to an incident, according to the January 2008 report Insider Threat Study: Illicit Cyber Activity In the Government Sector by the U.S. Secret Service and Carnegie Mellon University.

Public CIOs can severely restrict access privileges, of course, but that curbs productivity. The nature of government business demands that employees and contractors have access to strategic applications and data. Locking down systems disrupts workflows, which ultimately results in less responsive service for the public. But the alternatives are the status quo or trying to more closely watch every individual with access to an application or database. The former approach is already failing. The latter is difficult in small organizations and nearly impossible in large ones without adding layers of overhead that governments can’t afford.

Despite these conflicting realities, risk-based identity management strategies offer a balance between access and governance needs without the large, added costs. Risk management is based on identifying employee populations most able to do damage by abusing their access privileges. It lets organizations prioritize and limit the focus of internal controls and audits. It’s key for reducing compliance costs and the burdens on IT staff. More importantly, by assessing and measuring risk over time, organizations can demonstrate that identity controls are working and effectively reducing corporate exposure and liability.

CIOs who want to implement a risk-based identity management strategy can divide the task into two broad areas: evaluating their current performance in the four main areas of risk exposure, and deploying technology tools and business practices to strengthen internal controls and improve oversight.

What to Look Out For

The first step a CIO should take in a risk-based approach to identity management is determining how the organization performs in the four most common areas of risk exposure: orphan accounts, contractor access levels, entitlement creep and separation of duties. Answering one question in each area will give CIOs the basic knowledge to plan their risk management strategy:

1. Are you at risk from orphan accounts? Orphan accounts occur when managers fail to remove access privileges when workers are terminated. A security incident in 2007 at Cox Communications — a terminated employee remotely shut down part of the company’s telecommunications network … account — demonstrates the business risk represented by orphan accounts. During an economic downturn, when layoffs or rumors of layoffs are an everyday occurrence, promptly removing user access is critical. Having the right controls in place to promptly detect and remove orphan accounts is a vital compensating control.

2. Do you know the access level of your contractors and temporary workers? Today’s corporations and government agencies rely heavily on contractors. For example, the U.S. Department of Defense does more than $100 billion worth of business with its top five contractors every year. Contractors and subcontractors often have access to sensitive systems and data, but in many cases don’t have their “active” status tracked in an HR or centralized system the same way as permanent employees. As contractors move on and off projects, proper access control can be a difficult challenge.

3. Are you a victim of entitlement creep? Entitlement creep occurs as workers accrue access privileges over time through transfers, promotions or simply through the normal course of business. They collect “entitlements”
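As an added example (not from the article), the checks below reconcile a constructed HR roster against a constructed account export to answer the four risk questions the article names: orphan accounts, contractors whose engagement has ended, entitlements beyond a role baseline, and separation-of-duties conflicts. The roster schema, role baselines and the toxic entitlement pair are assumptions made for the example.

```python
from datetime import date
# Constructed HR roster (assumed schema): type, active flag, role and contractor end date.
HR = {
    "u_analyst1": {"type": "employee",   "active": True,  "role": "analyst",  "end": None},
    "u_analyst2": {"type": "employee",   "active": False, "role": "analyst",  "end": None},
    "c_admin1":   {"type": "contractor", "active": True,  "role": "sysadmin", "end": date(2008, 10, 1)},
    "c_analyst3": {"type": "contractor", "active": True,  "role": "analyst",  "end": date(2009, 6, 30)},
}
# Constructed account export: account name -> entitlements currently held.
ACCOUNTS = {
    "u_analyst1": {"case_db_read", "case_db_write", "payment_approve"},
    "u_analyst2": {"case_db_read"},
    "c_admin1":   {"server_root", "syslog_admin"},
    "c_analyst3": {"case_db_read", "vendor_create", "payment_approve"},
    "svc_legacy": {"server_root"},
}
# Assumed baseline: the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "analyst":  {"case_db_read", "case_db_write"},
    "sysadmin": {"server_root", "syslog_admin"},
}
# Assumed separation-of-duties rule: one person must not hold both.
TOXIC_PAIRS = [frozenset({"vendor_create", "payment_approve"})]

def orphan_accounts(accounts, hr, today):
    """Questions 1 and 2: no HR owner, terminated owner, or contractor past end date."""
    orphans = set()
    for acct in accounts:
        rec = hr.get(acct)
        if rec is None or not rec["active"]:
            orphans.add(acct)
        elif rec["type"] == "contractor" and rec["end"] and rec["end"] < today:
            orphans.add(acct)
    return orphans

def entitlement_creep(accounts, hr, baseline):
    """Question 3: entitlements held beyond the owner's role baseline
    (accounts with no HR owner are left to orphan_accounts())."""
    creep = {}
    for acct, ents in accounts.items():
        if acct in hr:
            extra = ents - baseline.get(hr[acct]["role"], set())
            if extra:
                creep[acct] = extra
    return creep

def sod_conflicts(accounts, toxic_pairs):
    """Question 4: accounts holding a forbidden combination of entitlements."""
    return {a for a, e in accounts.items() if any(p <= e for p in toxic_pairs)}
```

Run against a real directory export, the three result sets are the review list for an access certification cycle: orphans to disable, excess entitlements to revoke or justify, and conflicts to split across two people.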