Handling sensitive information
One of the hardest incident types for an incident handler to address are incidents in which a properly authenticated and duly authorized user decides to misuse her privileges.
Imagine a situation in which an employee has access to human resources records for legitimate reasons.
As an information security professional charged with protecting that information, the assessment if someone should be granted access (and if so, under which conditions) must be made by the information owner and not by me. In the example, if the owner of the HR database decides that a user has legitimate access, it is my job to provision that access in a controlled fashion.
Now, this user is supposed to only look up those people who
she is assisting, but instead she decides to see if she can also look
up information of other employees. In other words, she is engaging in
unauthorized use of resources, despite the fact that she has access. The ability to access information does not imply the authority to do so.
This kind of breach is not unusual, it happens to presidential candidates,
athletes, and other spotlight figures. Human curiosity can be a very
strong motivator and sometimes people do thing that they should not
have done.
How can we prepare so that an incident like this does not take place, and if it does, how can be limit its impact?
First
of all; make sure that your users know where to go when they find (a
perceived) vulnerability in your system. You want users to contact you
directly. This enables you to properly brief management and decide on a
strategy to address the issue. You do not want to find out that
something like this happens through rumor; and you surely don't want
management to find out before you know about it. Remember one of the
cardinal rules of dealing with management is: no surprises!
Secondly,
regular evaluations to decide if sensitive information is really needed
to get a job done or if it is merely a convenience, should be a regular
recurring activity. The decision on what is needed and what is desired
is something that end-users should make. The decision on whether
granting use of that information exceeds a certain risk-level is for
the information owner to make. The information security professional
guides and facilitates that process.
Thirdly, it is paramount
to have good audit controls in place. If someone accesses sensitive
information, you need to be able to know who did it, when they did it
and preferably how they did it.
Lastly (but not least!), you need
to have a clear policy in place that outlines the conditions under
which sensitive information may be accessed, and what the consequences
will be if someone does not follow those requirements. That policy does
not only need to be in place, it needs to be communicated, and it must
be enforced.
Update: typo fix. Thanks Kevin!