- Users are a common threat to security. Protecting data against user error involves using good practices, practicing user least privileges and segregation of duties and having regular training on security practices.
Using good practices in the IT environment means implementing good policies. Sans has 27 different templates available for public use to get one started on basic IT security situations. They can be found at https://www.sans.org/security-resources/policies. A security policy needs to include data classification, risk assessment, controls to protect data, monitoring and testing of the controls, and a process to determine new vulnerabilities. These safeguards are technical, physical, and administrative all designed to protect the company’s data from within the company. Physical policies should be implemented as well to limit physical access to sensitive information and equipment. Physical activity logging and server activity logging and monitoring will help evaluate policy compliance and identify policy breaches. Other policy practices which should help reduce the risk of snooping employees include segregation of duties, least privilege, and log monitoring.
ITIL has 32 best practices when it comes to management of IT devices. The summary of the simplest best practice to implement are policy and procedures, planning , security policies, change management, and Disaster Recovery. ITIL’s major findings in their recent study shows only 89% of corporations implement IT policies. At the lowest on their findings are post-implementation audits of BYOD mobile devices.