17.09.2012 • Top stories • Cyber-Ark Software

Cyber-Ark Software: a set of business practices to increase security

Calum Macleod, European Director Cyber-Ark

The World Cup seems to have consumed all of our lives for the past few months. Scapegoats have emerged and so have the superstars. Things are no different in any other walk of life. Our association with success and failure stays with us, and the higher up the totem pole we are, the more serious the consequences for our organisations and for ourselves.

Never before has the consequence of a lack of effective IT controls been as critical to the continuity of business. Investor confidence is inextricably tied to the reliability, accuracy and timeliness of financial reporting, and financial reporting is almost entirely dependent on IT. The CTO, the CIO and the internal auditors are responsible for the quality and security of information and systems. Yet although those in these positions enjoy superstar status, their frequent unawareness of, and unwillingness to address, the need for basic IT controls means that probably one in five will go from superstar to scapegoat in the next few years.

In many organisations the view is often expressed that, although they are aware things could be improved, they do not believe they are a likely victim. However, one in five companies are likely to fail IT audits, and the refusal of an external auditor to sign the financial statements because of audit exceptions can have drastic effects on a company's value and investor confidence.

It therefore should go without saying that every organisation should have policies in place to ensure the safe-keeping of information – here are a few things to consider:

  • Privileged user passwords should be kept in a secure location and kept to a minimum. They should be granted only on a "need to have" basis.
  • Every privileged user account must have its own unique password and should be configured to change at least every 60 days.
  • The use of any privileged user account must have an accompanying audit trail. Consideration should be given to differing policies for development and production systems. Both production and development system passwords should be changed on a regular basis.
  • In production environments, all groups, regardless of responsibility or location, should adhere to a common policy. This implies that policies governing how privileged user passwords are released, and how often they are changed, should apply across the board.
  • External staff should never have privileged user access to a system using a guest or temporary account. Access should be granted via the default account, and the passwords should be reset immediately on completion of the task.
  • The privileged user password must only be released under strict controls. The policy must ensure that the password is changed directly after each use.
  • A designated member of each team should be responsible for reporting each use of the firecall account to IT security, and the password should be changed within a set time after the user has finished the necessary task.
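As an added illustration of the practices listed above (example code, not Cyber-Ark's product or API), the following Python sketch models a minimal privileged-password vault: release only to a named requester with a recorded reason, one holder at a time, an audit entry per release, immediate rotation on return, and a compliance check for passwords older than 60 days or shared between accounts. All class and field names are assumptions for this example; the 60-day interval is the one from the policy list.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=60)  # rotation interval taken from the policy above

@dataclass
class Account:
    name: str               # constructed sample values, e.g. "root@db-prod-01"
    password: str
    last_changed: datetime
    checked_out_by: str = ""   # empty string: not currently released

@dataclass
class Vault:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def checkout(self, name, requester, reason, now):
        # Release only to a named requester with a recorded reason; one holder at a time.
        acct = self.accounts[name]
        if not requester or not reason:
            raise PermissionError("requester and reason are mandatory")
        if acct.checked_out_by:
            raise PermissionError(f"{name} is already held by {acct.checked_out_by}")
        acct.checked_out_by = requester
        self.audit_log.append(dict(event="checkout", account=name, who=requester, why=reason, at=now))
        return acct.password

    def checkin(self, name, requester, now):
        # Rotate immediately on return so the value the user saw is useless afterwards.
        acct = self.accounts[name]
        if acct.checked_out_by != requester:
            raise PermissionError("check-in by someone other than the holder")
        acct.password, acct.last_changed, acct.checked_out_by = secrets.token_urlsafe(24), now, ""
        self.audit_log.append(dict(event="rotate", account=name, who=requester, at=now))

def compliance_findings(vault, now):
    # Flag passwords older than MAX_AGE and passwords shared between accounts.
    findings, seen = [], {}
    for acct in vault.accounts.values():
        if now - acct.last_changed > MAX_AGE:
            findings.append((acct.name, "password older than 60 days"))
        fp = hashlib.sha256(acct.password.encode()).hexdigest()
        if fp in seen:
            findings.append((acct.name, f"password shared with {seen[fp]}"))
        seen.setdefault(fp, acct.name)
    return findings
```

Populate `Vault.accounts` with your own inventory (constructed sample accounts are enough to exercise it) and run `compliance_findings` on a schedule; an empty result means every privileged account has a unique password younger than 60 days.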

Best Practices are Vital

To ensure that an organisation protects its interests, it must have clear policies and standards in place to manage and control who has administrative access.

Are you going to be the superstar or the scapegoat? At the end of the day it's no good blaming the auditor if he shows you a red card; it could all have so easily been avoided if we'd only listened!

Calum Macleod,
European Director Cyber-Ark

Contact:

Calum Macleod
Cyber-Ark Software,
Eindhoven, The Netherlands
Tel.: +31 621 827 253
Fax: + 31 402 568 317
calum.macleod@cyber-ark.com
www.cyber-ark.com
