When customers are granted direct access to the organization's computer systems via the company's or a third party's data network, the usual credit checks and business viability verifications need to be performed. In addition, due diligence examinations to uncover any previous fraudulent customer activities should be conducted. The extent of such checks should be based on an evaluation of the magnitude of the assets at risk, the probability of recovering such assets if stolen, and an assessment of the probability that a customer would risk reputation and possible legal action if caught.
A standard security policy is that anyone who has not been screened should not be given system access. For example, frequent deliveries or pickups should be conducted in nonsensitive areas in all cases in which delivery personnel have not been screened. In addition, information regarding the location and nature of computer installations should be restricted whenever possible. Limiting the number of persons who know the system's location and function also limits the risk of unauthorized access.
Although it is not practical to provide the kind of stringent security necessary for sensitive military facilities, it is reasonable to encourage low profiles for computer facilities and data networks. Large signs indicating the company name or the nature of the facility should certainly be avoided in all cases. Inside buildings, the organization should avoid using signs indicating the location of the data center, or can instead use signs with nondescriptive language (e.g., facilities management). The slight inconvenience caused to authorized persons is more than compensated for by the barrier put before unwelcome visitors.
Another desirable, but not always practical, approach to avoiding unauthorized access is to limit the number of computer systems and potential points of access. This reduces the number of targets and simplifies the task of protecting them. Concentrating resources in this manner, however, can increase the magnitude of a potential loss if unauthorized access were to be obtained.
From a marketing perspective, it may be desirable to advertise easy customer access to services offered on the organization's computer systems. However, the specific whereabouts of computer and network facilities should be restricted information.
Organizations have increasingly begun to distribute their computing facilities throughout the organization, sometimes situating the facilities externally, with other firms, or individuals outside the organization (e.g., customers and business partners). This distribution limits the amount of protection that a centralized IS function can provide to the organization's computer resources. In such a distributed environment, security measures must extend to terminals, workstations, and other remote devices that are connected to the organization's central facilities, because these remote facilities are often not within the direct physical control of the organization itself. Security measures should also be applied to the links among systems and devices, not only to private and public networks but also to network equipment and facilities.
The methods that should be used to control access to remote facilities and networks are an extension of those used for a central facility; however, the measures are more difficult to implement and manage. The difficulty of protecting physically isolated equipment is caused by the equipment's remote location which, ironically, was intended originally to facilitate access for users.
The screening process is much more critical in a distributed environment because the number and variety of individuals with authorized access is generally much larger than for centralized systems. Not only are the users scattered around the organization, they may be employees of other firms, such as service providers and business partners, or private individuals, as with retail customers. Nevertheless, it is necessary to ensure that users who can gain authorized access to any device or network are rigorously screened. As with centralized facilities, the persons given access to remote and networked facilities should be restricted to essential uses only.
Obvious designations as to the existence and purpose of remote devices and network equipment should be avoided. Authorized users should be advised not to make any documentation available to or accessible by others with access to the physical area. In addition, they should not leave their terminals or workstations in an operating condition that would allow someone else to gain access easily.
Basically, system misuse can be avoided by restricting the activities of those who have gained or are allowed access to the system, network, or facilities. The fundamental premise of avoiding misuse is that, if the system, network, or facilities are difficult to access, some potential acts of misuse cannot occur. If the organization severely limits the number of people who can enter facilities or gain access to systems and networks and limits authorized users to necessary functions and features, it reduces the occurrences of misuse. This concept applies whether the systems are centrally located or widely dispersed. The data network exposure becomes more significant for dispersed systems.
The trend is toward much broader access to an organization's computer systems. Examples are students and staff having direct access to college computer systems, customers and suppliers connecting into companies' systems, and private citizens accessing government data. Again, the organization might be able to be somewhat selective in determining who gets access privileges, but it would appear that such restrictions are becoming less viable. The real key to avoidance of misuse is the building of impenetrable firewalls between what is available to general users and those components of the system which, if misused, do not affect the underlying systems.
Limiting the availability and accessibility of software copies, information about related systems, and overlapping application programs restricts the end users' environments to those processes in which end users have direct interest. Strict adherence to separation-of-duties policies and restricting applications by discrete functional areas also help organizations avoid the misuse of computer and network assets and facilities.