Welcome back to our series on the new Information Security Triad, or as I like to call it, VADD…or VADiD (If you missed Part 1, that's Visibility – Accountability – Defense-in-Depth). Let's settle on VADD for now. In the last blog, we talked about the 'V', which stands for visibility. Now that you have that, it's time to talk about the 'A' in our acronym – accountability.
Accountability means making sure every action can be traced back to a single person, not just to a group or a shared ID. It requires more of a culture change than visibility did, and it needs to be handled with a light touch.
To implement accountability, you can begin by eliminating areas where accountability is not clear. I see that every day – shared IDs with no password vault; use of default administrator accounts on firewalls, routers, servers, and so on. Shared IDs are sometimes required, I understand that. But put accountability in wherever you can. If there is no opportunity to add a new ID in cases where IDs must be shared, such as IDs on appliances, use some form of password vault that checks passwords out and requires a new one to be checked back in. And get a vault that will alert if the password is out too long (visibility again).
- Make sure service IDs cannot be used to log in interactively. That can be set in Active Directory, or by giving the account a nologin shell on Unix.
- Use alternate forms of accountability. In retail sales and nursing, sometimes devices must be shared. If you can install something like proximity cards to control logins, bully for you. But at least consider video recording so you can match event log entries to actions.
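As an added illustration of the service-ID point above (example code, not from the original post), here is a small POSIX shell audit that flags system accounts still carrying an interactive shell and prints the commands that would fix them. The passwd content is constructed, and the assumption that service IDs are the non-root accounts with UID below 1000 is mine.

```sh
#!/bin/sh
# Added example: audit a passwd-format file for service accounts that can
# still log in interactively, then emit the commands that close that gap.
# Assumption: accounts with UID below 1000 (other than root) are service IDs.

# Constructed sample /etc/passwd content, not taken from any real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:110:118:PostgreSQL:/var/lib/postgresql:/bin/sh
svcmon:x:120:120:monitoring agent:/var/lib/svcmon:
alice:x:1001:1001:Alice:/home/alice:/bin/bash'

# Print "user:shell" for every service account whose shell is interactive.
# An empty shell field counts as interactive: login(1) falls back to /bin/sh.
find_interactive_service_accounts() {
    printf '%s\n' "$1" | awk -F: '
        NF < 7 || $1 ~ /^#/        { next }   # skip malformed or commented lines
        $3 == 0                    { next }   # root is covered by its own policy
        $3 >= 1000                 { next }   # assumed start of human user UIDs
        $7 !~ /\/(nologin|false)$/ { print $1 ":" $7 }
    '
}

# Turn each finding into the usermod(8) call that assigns a non-login shell.
remediation_commands() {
    find_interactive_service_accounts "$1" |
        awk -F: '{ print "usermod -s /usr/sbin/nologin " $1 }'
}

# Stand-alone run against the constructed sample.
echo "Service accounts with an interactive shell:"
find_interactive_service_accounts "$SAMPLE_PASSWD"
echo "Suggested remediation:"
remediation_commands "$SAMPLE_PASSWD"
```

Point it at the real file with `find_interactive_service_accounts "$(cat /etc/passwd)"`, and adjust the UID threshold to match your distribution's convention.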
Policy plays a critical part in accountability. Make sure the company sanction policy is well distributed (in every policy, say), well known, and understood. Enforce it consistently - but try not to be too draconian about it. Make sure the actions taken under the sanction policy are proportional.
Working on acceptance begins with education as the primary response to violations. People learn from mistakes when they are in an environment that allows them to do so.
Look closely at the sanction statement in each policy and make sure it is motivating the correct behavior. These statements often say something like, “Failure to adhere to this policy can result in disciplinary action up to and including termination of employment and legal action.” Will that motivate people to come forward and admit mistakes? Or will it make them more cautious and secretive? Will it deter independent thinking? Think about it in your culture. Banking is different from retail sales. For example, in a policy on lost or stolen mobile devices, I prefer that it be clear that there will be no negative effects if the user reports the loss in a timely manner, the FIRST time it happens. Motivate users to come forward before significant damage is done, without giving them the idea they can be careless.
The reality is that it's likely necessary to have an overarching termination sanction policy for legal purposes, but it might be worthwhile to also include language in individual documents that reinforces core ideas and spurs desired actions.
Though it may go without saying, I find it beneficial to reiterate this regardless: Follow through.
If you read this far, you probably have all your visibility in place. Now act on it consistently and fairly. The recording of the barking dog may work for a while, but nothing shows you're serious like taking someone aside and saying "we noticed you did..."
And no accountability program (or security program, for that matter) will succeed without support from the top. But support from the top only works if the rules are clear. The boundaries and limits of responsibilities must be clear. If you leave a gap, a breach could fall into it.
In our next blog, we talk about the final part of our new information security triad – defense-in-depth.