Thursday, July 10, 2008

Blinded by necessity: Avoiding Dr. No

Often requests come in for vetting that don't reflect any risk awareness on the part of the requesting party. In many cases, the person making the request is normally security conscious, follows the rules, and treats data and systems carefully. For one reason or another, this request is different, and it is needed right away!

Why the gap?

Necessity, or at least perceived necessity. In the end, most of these requests are driven by an organizational need for immediate response. A project needs to be completed, a new hire is in place and needs access, or senior management has made the project that caused the requirement a priority.

Dealing with these priorities is one of the more challenging day-to-day issues that security analysts face, because they are one of the easiest ways to become known as the local security obstacle. Even if your normal answer is "yes, and here's how to do that securely", the high-priority, snap-decision requests will get bogged down due to their nature - they're different, they don't follow the rules, and they often involve unnecessary risks that could be easily avoided if normal processes were followed.

When I run into one of these cases, I ask a few simple questions:

1. What are you trying to accomplish?

2. Why are you requesting it this way?

3. How is this different from your normal operation?

4. What problems or costs are associated with doing this via the normal process or rules rather than the way you have requested it?

Often, these answers will lead to a realization that the normal process does include what is needed. In other cases, it will be obvious that there is a need for a one-off variation, at which point risks can be properly gauged and handled.
