Page 442 - Using MIS
P. 442

410       Chapter 10  Information Systems Security

                                    methods and careful user account management. In addition, appropriate security procedures
                                    must be designed as part of every information system, and users should be trained on the
                                    importance and use of those procedures. In this section, we will consider the development of
        Read more about how to secure
        the security system in the Security   human safeguards for employees. According to the survey of computer crime discussed in Q2,
        Guide on pages 418–419.     crime from malicious insiders is increasing in frequency and cost. This fact makes safeguards
                                    even more important.

                                    Human Safeguards for Employees
                                    Figure 10-14 lists security considerations for employees. Consider each.

                                    Position Definitions

                                    Effective human safeguards begin with definitions of job tasks and responsibilities. In general,
                                    job descriptions should provide a separation of duties and authorities. For example, no single
                                    individual should be  allowed  to both approve expenses and  write checks.  Instead, one per-
                                    son should approve expenses, another pay them, and a third should account for the payment.
                                    Similarly, in inventory, no single person  should be  allowed  to authorize  an inventory with-
                                    drawal and also to remove the items from inventory.
                                       Given appropriate job descriptions, user accounts should be defined to give users the least
                                    possible privilege needed to perform their jobs. For example, users whose job description does
                                    not include modifying data should be given accounts with read-only privileges. Similarly, user
                                    accounts should prohibit users from accessing data their job description does not require.



                                               •    Position definition
                                                  – Separate duties and authorities  "OK to pay this."
                                                  – Determine least privilege
                                                  – Document position sensitivity






                                               •    Hiring and screening
                                                                                              "Where did you
                                                                                               last work?"




                                               •    Dissemination and enforcement
                                                  – Responsibility
                                                 – Accountability             "Let’s talk security..."
                                                  – Compliance


                                               •    Termination
                                                  – Friendly                         "Congratulations
                                                                                     on your new job."




                                                  – Unfriendly            "We've closed your
                                                                          accounts. Goodbye."


        Figure 10-14
        Security Policy for In-House Staff
   437   438   439   440   441   442   443   444   445   446   447