
Expert Article: Every Business Owner Needs to Know About IT SECURITY GOVERNANCE



Every Business Owner Needs to Know About IT SECURITY GOVERNANCE

Governance and security, as they bear on preventing the next ransomware or virus disaster story, are two different things. Ask most business owners, “Does your company have IT Security?” and the overwhelming answer is “Yes!” There are, however, many levels of IT Security, ranging from just OK to sophisticated, in both small and large companies. Regardless of level, few owners can point to written IT Governance policies.

If we dig more deeply into recent stories of IT Security breaches and data losses, we find a gorilla in the room that very few talk about: IT Governance policy. Commonly, it is the absence of these policies that made the breach possible.

For clear context, we need to define IT Security Governance: the process of setting policies and procedures for data management and for system and application access, so that data is protected from unauthorized access and use.

In our experience, most organizations’ IT Governance policy is simple: “Anybody in the company has full access to anything on their computer, applications, and data.” This is usually for an understandable reason. When systems are locked down and governance controls restrict access, it becomes harder to get tasks done.

A good example is an IT Governance policy that disables USB storage access on a computer. For medical offices, denying users access to USB storage is both regulatory guidance and a security best practice. It prevents the unauthorized copying of data onto an insecure USB device, and it prevents a plugged-in USB device from delivering a virus to the computer.

Now, let’s consider user Sally, an office administrator at medical practice ABC. Sally schedules patients and collects insurance data. She also attends seminars and works on marketing for the practice. Sally may need a USB device to transport a presentation file. In that case, access to USB storage is a legitimate requirement.

In this scenario, logic-IT would recommend creating a separate system account that has full access to USB storage, and requiring, as a matter of policy, that a logic-IT support technician or a manager authorize its use. Seems like a headache, right? Sally would have to open a service ticket and/or get a manager to sign in with the privileged credentials just to copy a file to a USB device!

While this sounds painful, we see it work seamlessly in organizations that have trained their users on why IT Governance matters.

By removing administrative privileges from Sally’s everyday profile, we have made it much harder for that profile, whether driven by Sally or by malware running under her account, to reach a USB device. Even if we drop the requirement for outside approval (logic-IT or a manager), having Sally sign in to a separate profile with the full access rights to copy the marketing file to USB is still a more secure process: the everyday account runs with the least privilege it needs, and the privileged action becomes a deliberate, separate step that can be logged and reviewed.

There are still extra hoops to jump through, but they are critical to establishing solid IT Governance policy. This keeps Sally, the computer system, and the data safe. The goal is always to get away from the common (lack of) IT Governance policy: “Anybody can get to everything, all the time.”
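To make the USB control concrete, here is an added example of how the two-profile model above can be enforced on a Windows workstation. This is not code from the original article or from logic-IT. It writes a deny on removable storage into the everyday account’s own policy hive (so a second, approved transfer account is untouched), provides a check that reports whether an account or the whole machine is still at the permissive “anybody can use any USB stick” default, and includes a rollback. It assumes Windows 10/11, an elevated PowerShell session, the documented Removable Storage Access policy registry keys (the same keys Group Policy writes), and hypothetical account names ABC\sally and ABC\sally-usb.

```powershell
# Added example for the USB scenario in the article; not code from the original
# page or from logic-IT. Assumes Windows 10/11, an elevated PowerShell session,
# and the documented "Removable Storage Access" policy registry keys (the same
# keys Group Policy writes). In a domain, apply the same deny flags through a
# User Configuration GPO scoped to staff accounts instead of running this per PC.

# Class GUID the Removable Storage Access policy uses for removable disks.
$RemovableDiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStoragePolicyRoot {
    # Target is 'Machine' (HKLM, affects every user) or an account such as
    # 'ABC\sally' (that user's own policy hive, so 'ABC\sally-usb' is unaffected).
    param([Parameter(Mandatory)][string]$Target)
    $suffix = 'SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    if ($Target -eq 'Machine') { return "HKLM:\$suffix" }
    $sid = (New-Object System.Security.Principal.NTAccount($Target)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $hive = "Registry::HKEY_USERS\$sid"
    if (-not (Test-Path $hive)) {
        # A user's hive is only loaded while they are signed in (or after 'reg load');
        # fail loudly rather than silently writing the policy somewhere else.
        throw "Registry hive for $Target ($sid) is not loaded."
    }
    return "$hive\$suffix"
}

function Test-RemovableStorageDenied {
    # Returns $true when policy denies read or write on removable disks, or sets
    # Deny_All for every removable class. No key at all is the weak default the
    # article describes: anybody can read from and write to any USB stick.
    param([Parameter(Mandatory)][string]$Target)
    $root = Get-RemovableStoragePolicyRoot -Target $Target
    $all = (Get-ItemProperty -Path $root -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    if ($all -eq 1) { return $true }
    $class = "$root\$RemovableDiskClass"
    foreach ($flag in 'Deny_Read', 'Deny_Write') {
        $value = (Get-ItemProperty -Path $class -Name $flag -ErrorAction SilentlyContinue).$flag
        if ($value -eq 1) { return $true }
    }
    return $false
}

function Set-RemovableStorageDeny {
    # Hardened setting: deny read, write and execute on removable disks for the target.
    # Applied to Sally's everyday account only, this is the two-profile model: her
    # daily profile cannot touch USB storage, while the approved transfer account can.
    param([Parameter(Mandatory)][string]$Target)
    $class = "$(Get-RemovableStoragePolicyRoot -Target $Target)\$RemovableDiskClass"
    New-Item -Path $class -Force | Out-Null
    foreach ($flag in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        New-ItemProperty -Path $class -Name $flag -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Remove-RemovableStorageDeny {
    # Rollback to the permissive default; kept so an audit can prove the transfer
    # account (or a machine after a change) is in the state you expect.
    param([Parameter(Mandatory)][string]$Target)
    $class = "$(Get-RemovableStoragePolicyRoot -Target $Target)\$RemovableDiskClass"
    Remove-Item -Path $class -Recurse -Force -ErrorAction SilentlyContinue
}

# Usage from an elevated session while Sally is signed in (account names are hypothetical):
#   Set-RemovableStorageDeny    -Target 'ABC\sally'
#   Test-RemovableStorageDenied -Target 'ABC\sally'       # now $true
#   Test-RemovableStorageDenied -Target 'ABC\sally-usb'   # still $false, by design
#   Test-RemovableStorageDenied -Target 'Machine'         # $false unless a machine-wide deny exists
```

A stick that is already mounted when the deny is written may need to be unplugged and reinserted before the policy applies to it. The Policies keys are protected so that a standard user cannot change them, which is exactly why the everyday profile must not be a local administrator: an admin user could simply delete these keys, and the control would exist only on paper.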


Want to learn more about IT Security & Governance?

Contact Allen Truett @ allen.truett@logic-it.net

or visit https://www.logic-it.net
