ANÁLISIS DE LOS RESULTADOS
1. Intervención docente
ANALYSIS ID BEFORE PLAN
PERCENT
IMPROVEMENT NEW VALUE
Quality Management worksheet completed for this element? (check box)
Employees
Find ways to organize employees into roles and develop access rules based on those roles.
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________
Customers
Group customer access control requirements as you did employees. See if opportunities for role assignment exist.
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________
Owners
Identify high-impact information and property particularly sensitive to owners.
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Develop a sound and demonstrable access control plan around infrastructure particularly sensitive to owners.
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________
Suppliers and Partners
Write an access control plan for any electronic information exchange and business-to- business networking you do with suppliers.
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________
Worksheet 3.4 Business Worksheet for Authorization and Access Control. (continued)
BUSINESSPEOPLE: OWNERS
Protect owners by understanding their particular sensitivities. Owners have a vested interest in seeing that solid access control is put into place. They are particularly sensitive regarding access to financial information or other sensitive intellectual property of the organization that can have a rapid watershed impact should it be shared at the wrong time and/or with the wrong people.
Identify any information and infrastructure excessively vulnerable due to supplier or partner access control practices.
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________
Information
For a complete viewpoint, develop an access plan in terms of discrete information and not necessarily infrastructure.
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Identify where information is being managed by the wrong application, one preventing appropriate access control.
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________
Infrastructure
Look at it another way and, this time, reverse your thought process and define access in terms of infrastructure.
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ When looking at infrastructure, again pay close attention to administrator access rights and minimize them.
______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________
BUSINESSPEOPLE: SUPPLIERS
Define any access control mechanisms applicable to suppliers. If, for example, you trade over a shared business-to-business virtual private network (VPN), carefully plan how you will achieve secure access con- trol for applications shared by all businesses. Define how systems that have nothing to do with shared applications will be shielded and secured.
BUSINESSPEOPLE: PARTNERS
Acknowledge the limits of trust. We sometimes let our guard down too far with partners. While trust is key to a successful business partnership, unbridled trust is simply unwise. Partners may become competitors, and relationships go south. The most common scenario is that an organization establishes a new form of partnership. Everyone is very excited, and an edict comes down to get systems and people working together. Unfortu- nately, the implementation quickly devolves into an either-or scenario wherein a partner is either given unbridled access to everything, as if he or she is an employee, or gets nothing at all. This happens because the concept of partner access control is not considered when most systems are originally deployed. Avoid this problem by thinking about it up front. Think about which security stack components might involve sharing of some kind with outside partners. Plan for a special partner/shared net- work segment, and develop an access control plan around it.
BUSINESS
Think about business, first, in terms of information. Think of access con- trol in terms of information and not necessarily applications, resources, doors, or network segments. This will enable you to plan a better solution. In some cases, you may discover that information is being managed by the wrong application. For example, a planner could list all information used to complete a customer order. He or she could then look at each application involved with this customer information. In some organizations, there could be a dozen or more applications involved in a given customer order. Is access control to customer information, in all of these applications, uni- formly implemented? What are the access control requirements for this information? These are the types of questions a security planner should answer when considering information and access control.
Think about business, second, in terms of infrastructure. This means emphasize administrator access. The alternate view of information access control is infrastructure access control. This is how we typically look at the problem. We consider an application or a file server and then implement access control around it. As part of infrastructure access
control, be sure to fully plan administrator access control to all infra- structure components.
Selling Security
Use Worksheet 3.5 here.
Selling security requires knowing what your audience needs to hear to embrace security measures. Here are some guidelines to follow when selling security to executives, middle management, and staff, respectively.
Executives. Explain to executives that a well-architected access control system will save the company money on administration costs. It will enable the company to add new employees more easily and to quickly and easily remove terminated employees’ access rights in a controlled and well-documented fashion. Such a system will also make it possible to introduce new applications that enhance business productivity at lower cost because there will be no need for a separate administration process for each one that springs up.
To supplement these statements, offer examples of applications that are important to the company and that could have been brought online sooner and more safely with a better access control plan. Point out that fewer steps will be needed to add an employee to the system and that, as the company grows, its administrative costs will be better controlled. Give specific examples of how future applications involving partners and suppliers might save the company money and enable it to compete more effectively; add that all this will be achievable with a properly designed access control scheme.
Middle management. Identify for middle managers specific business processes and staff activities that involve assignment, reassignment, and general usage of access control. Point out how quickly new employees can be added when they join the company or when there is a reorganiza- tion. Focus on aspects of security stack access control that can be quanti- fied in terms of well-defined business processes to which a staff
manager can relate. Talk in terms of better performance, more secure access, and lowered impact exposure.
Staff. Most staff members know the frustration of having to wait before getting configured for access to some resource important to their job. They typically see this process as one involving an administrator giving them a login account to an application they need to use. Explain to staff that the security plan will reduce the amount of time required to be granted access to new applications. Explain how system security will be enhanced and how, in the future, administrative delays may be reduced.
Worksheet 3.5 Selling Security Worksheet for Authorization and Access Control.