Editorials

Policies and Procedures

If you’re not required by law to comply with external standards, does that mean you aren’t responsible for the risks of non-compliance? Sure, you may not have to prove compliance through some sort of audit, as you would if you were under PCI regulations or some other standard. But does that mean you don’t have to exercise the same diligence as if you were? Let’s look at a couple of things you would have to do as part of PCI compliance, and see what you think.

One of the things PCI compliance requires is separation between developing your application and managing the production system. For example, as a database architect creating data structures and database code, I was not able to have unsupervised access to production systems when working under PCI regulations. The same restriction was true for those writing application code. The regulation was created to minimize the risk that individuals who know the inner workings of the code have the opportunity to make the application behave maliciously without being detected.

Another requirement of PCI regulations was auditing. Changes to data were logged as to who modified what, and when. Even ad-hoc activity is audited. This provides the ability to track the actions of all production users.
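The "who modified what, and when" record described above, as an added example that is not part of the editorial: a minimal change-audit pattern for SQL Server, written as a trigger that copies old and new values into an insert-only audit table. The table `dbo.Customer`, its columns, and the role `AppRole` are hypothetical names chosen for the illustration.

```sql
-- Added example (not from the editorial). Assumes a hypothetical table
-- dbo.Customer(CustomerId int PRIMARY KEY, Email nvarchar(256), CreditLimit money)
-- and an application role named AppRole that performs day-to-day DML.

CREATE TABLE dbo.CustomerAudit (
    AuditId     bigint IDENTITY(1,1) PRIMARY KEY,
    CustomerId  int            NOT NULL,
    Operation   char(1)        NOT NULL,                        -- 'I', 'U' or 'D'
    ColumnName  sysname        NULL,                            -- NULL for whole-row insert/delete
    OldValue    nvarchar(max)  NULL,
    NewValue    nvarchar(max)  NULL,
    -- ORIGINAL_LOGIN() records the login that actually connected, even if the
    -- session later switched context with EXECUTE AS; SUSER_SNAME() would not.
    ChangedBy   sysname        NOT NULL DEFAULT ORIGINAL_LOGIN(),
    ChangedAt   datetime2(3)   NOT NULL DEFAULT SYSUTCDATETIME(),
    AppName     nvarchar(128)  NULL     DEFAULT APP_NAME(),      -- distinguishes ad-hoc tools from the app
    HostName    nvarchar(128)  NULL     DEFAULT HOST_NAME()
);
GO

-- The audit trail is append-only for ordinary users: they may add rows through
-- the trigger but never rewrite history.
DENY UPDATE, DELETE ON dbo.CustomerAudit TO AppRole;
GO

CREATE TRIGGER dbo.trg_Customer_Audit
ON dbo.Customer
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;

    -- Rows that exist only in 'inserted' were newly created.
    INSERT dbo.CustomerAudit (CustomerId, Operation)
    SELECT i.CustomerId, 'I'
    FROM inserted i
    WHERE NOT EXISTS (SELECT 1 FROM deleted d WHERE d.CustomerId = i.CustomerId);

    -- Rows that exist only in 'deleted' were removed; keep the last known values.
    INSERT dbo.CustomerAudit (CustomerId, Operation, ColumnName, OldValue)
    SELECT d.CustomerId, 'D', 'Email', d.Email
    FROM deleted d
    WHERE NOT EXISTS (SELECT 1 FROM inserted i WHERE i.CustomerId = d.CustomerId);

    -- Updates: one audit row per column whose value actually changed.
    -- The EXCEPT idiom is NULL-safe, so NULL -> value and value -> NULL are caught.
    INSERT dbo.CustomerAudit (CustomerId, Operation, ColumnName, OldValue, NewValue)
    SELECT i.CustomerId, 'U', 'Email', d.Email, i.Email
    FROM inserted i
    JOIN deleted d ON d.CustomerId = i.CustomerId
    WHERE EXISTS (SELECT i.Email EXCEPT SELECT d.Email);

    INSERT dbo.CustomerAudit (CustomerId, Operation, ColumnName, OldValue, NewValue)
    SELECT i.CustomerId, 'U', 'CreditLimit',
           CAST(d.CreditLimit AS nvarchar(max)), CAST(i.CreditLimit AS nvarchar(max))
    FROM inserted i
    JOIN deleted d ON d.CustomerId = i.CustomerId
    WHERE EXISTS (SELECT i.CreditLimit EXCEPT SELECT d.CreditLimit);
END;
GO

-- Reviewing the trail: every change by a given login over the last day,
-- with the tool it came from, so ad-hoc edits stand out from application traffic.
SELECT ChangedAt, ChangedBy, AppName, HostName, Operation, CustomerId, ColumnName, OldValue, NewValue
FROM dbo.CustomerAudit
WHERE ChangedAt >= DATEADD(day, -1, SYSUTCDATETIME())
ORDER BY ChangedAt DESC;
```

A trigger like this only sees DML against tables it is attached to; it does not record SELECTs, schema changes, or logins. For the "even ad-hoc activity" requirement, the trigger is normally paired with the server's own audit facility (SQL Server Audit), and the audit table itself should live where the application role cannot alter it, as the DENY above enforces.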

Protected data was always encrypted at rest. For example, before protected data was written into a database or placed in a file, it was encrypted. This assured that protected information required a greater degree of work to access once acquired. One company I know of even encrypts data as it is received through FTP, rather than letting it reach the file system before it is encrypted.

These are some pretty painful requirements. If you are not working with credit card data, the primary reason for having to be PCI compliant, do you think these policies are less important? I contend that unless you are a sole proprietor and manage all of your own computer systems, each of these policies provides some degree of real protection.

It is not just our software code that protects us from malicious activities. Our policies and procedures have as much impact, maybe even greater impact. Let’s say your computer was captured in a phishing scam. If you have separation of production resources from those you use for email, the risk to yourself and your business is greatly reduced.

If it’s just you, consider having a separate login for administrative functions and for your daily work. Restrict your daily permissions to those necessary to perform your regular functions.

You get the point. As much as possible, isolate your production systems and restrict production permissions to the times when production administration is actually required. If your company is big enough, restrict the individuals as well. Remember that many hacking attempts come from your own employees, whether through indirect means like phishing or through intentional acts.

How much do you lock your systems down? Do you use different levels of protection? If so, what determines the need for more or less protection?

Cheers,

Ben