The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 60
Job Rotation and Privilege Creep
Job rotation can be a powerful HR investment strategy that leads to increasing the knowledge and skills of a company's workforce while improving retention of quality personnel, but these are not the concerns of the SSCP. From a security perspective, there are many reasons for creating a job rotation policy. These include reducing risks of both insider and external threats, reducing dependence on a single person (who can become a single point of failure), and increasing resiliency for business continuity and disaster recovery (BCDR) purposes. Banking and investment companies, for example, have used (and have sometimes been required by government regulators or by law) such career-broadening or rotation strategies as part of their loss control and fraud prevention mechanisms.
We cannot overstress the importance of carefully managing what should be the temporary changes in user privileges during such job rotations. Far too often, privilege creep resulting from each job rotation (temporary or permanent) ends up with the user accumulating new sets of privileges with each new task, job, or skills-broadening assignment. Over time, this can lead to an individual having far greater insight into and control over the organization's information assets than should ever be allowed.
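As an added illustration (not from the book), the following Python model shows how privilege creep arises when each rotation adds entitlements on top of the old ones, and how a reconciliation check against the current role's baseline surfaces the leftovers; the role names and entitlement strings are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role baselines; in practice these come from the IAM role catalogue.
ROLE_ENTITLEMENTS = {
    "log_analyst": {"siem:read", "logs:read"},
    "incident_responder": {"siem:read", "edr:isolate", "tickets:write"},
    "hr_generalist": {"hris:read", "payroll:read"},
}

@dataclass
class User:
    name: str
    current_role: str
    granted: set = field(default_factory=set)    # entitlements actually on the account
    history: list = field(default_factory=list)  # previous roles, oldest first

def rotate_additively(user: User, new_role: str) -> User:
    """The pattern that causes creep: grant the new role's entitlements on top of the old ones."""
    user.history.append(user.current_role)
    user.current_role = new_role
    user.granted |= ROLE_ENTITLEMENTS[new_role]
    return user

def rotate_with_reset(user: User, new_role: str) -> User:
    """Least-privilege rotation: the account ends up with exactly the new role's baseline."""
    user.history.append(user.current_role)
    user.current_role = new_role
    user.granted = set(ROLE_ENTITLEMENTS[new_role])
    return user

def find_creep(user: User) -> dict:
    """Entitlements the current role does not justify, each mapped to the past role(s)
    that would have granted it ('unexplained' if none did, which deserves a closer look)."""
    excess = user.granted - ROLE_ENTITLEMENTS[user.current_role]
    report = {}
    for ent in sorted(excess):
        sources = [r for r in user.history if ent in ROLE_ENTITLEMENTS.get(r, set())]
        report[ent] = sources or ["unexplained"]
    return report

if __name__ == "__main__":
    alice = User("alice", "log_analyst", set(ROLE_ENTITLEMENTS["log_analyst"]))
    rotate_additively(alice, "incident_responder")
    rotate_additively(alice, "hr_generalist")
    print(find_creep(alice))  # four security entitlements left over from earlier roles
    bob = User("bob", "log_analyst", set(ROLE_ENTITLEMENTS["log_analyst"]))
    rotate_with_reset(rotate_with_reset(bob, "incident_responder"), "hr_generalist")
    print(find_creep(bob))  # {}
```

The report's "unexplained" bucket is the one to review first during the access audit, since it is held privilege that no assigned role, past or present, accounts for.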
In practice, job rotation requires cross-training personnel for various positions and tasks within the organization. This may be within a particular business functional area or discipline, or it might involve a temporary transfer of an employee to other areas within the company. Some of the personnel in the security office, for example, might all be trained on the various roles in that office (such as log analysis, incident response, security training, or systems testing) as an intra-departmental job rotation and then learn more of the company's human resources or product development business via a career-broadening assignment.
Job rotation helps to mitigate insider threats in several ways. It serves as a deterrent for a potentially malicious insider actually committing fraud. In cases where separation of duties would necessitate collusion, job rotation disrupts opportunities for collusion. In cases where a malicious insider has found a way to mishandle data or abuse their access, job rotation disrupts them from doing long-term damage once they've started. The cross-training aspect of job rotation may also aid the overall security effort by reducing the potential for employees/staff to become dissatisfied and possibly become insider threats; skilled personnel appreciate receiving additional training and challenges of new tasks, and increased training opportunities make those personnel more valuable. Increased morale of skilled personnel reduces costs because of turnover and accentuates loyalty to the organization.
An alternative to job rotation is mandatory vacation or leave. The logic here is that if a malicious insider is suppressing alarms, changing or erasing audit logs, or conducting any other activity to cover their tracks or to support or assist an attack, this activity should be easier to detect if the suspected insider is suddenly forced to stay away from work. During the period of mandatory vacation, that user's account access should be suspended, and a thorough audit/review of their activity should be performed. This is especially important for those users with privileged access. For example, after the U.S. stock market crash and the collapse of its banking systems in 1929, Congressional action established not only such forced vacations but also frequent bank holidays during which banks suspended customer transaction processing while they performed extensive internal systems integrity checks; both mitigated the risks of fraud, embezzlement, and over-extension by the bank or its staff.
Another goal of job rotation is to keep malicious outsiders from being able to learn about your staff over time and trying to target or manipulate them for information or access. Reducing static patterns in personnel taskings and changing access roles repeatedly reduces the opportunity for external actors to subvert particular employees as targets.
Finally, job rotation also greatly improves the resiliency of an organization, essential in successfully executing BCDR actions. During contingency events or disasters, you must assume that some personnel will not be available/capable of performing particular tasks and functions necessary to maintain the organization's critical processes; having other personnel not normally assigned to those functions but trained on how to perform them is a great benefit and vastly increases the likelihood of BCDR response success.