II.C.7 User Security Controls
Management should mitigate the risks posed by users by doing the following:
- Establishing and administering security screening in IT hiring practices.
- Establishing and administering a user access program for physical and logical access.
- Employing segregation of duties.
- Obtaining agreements covering confidentiality, nondisclosure, and authorized use.
- Providing training to support awareness and policy compliance.
Users should be granted access to systems, applications, and databases based on their job responsibilities. Access rights should be granted in accordance with the institution's physical and logical access control policies. Authorized users with elevated or administrator privileges pose a particular threat to systems and data, because employees, contractors, or third-party service providers can exploit their legitimate computer access for unauthorized purposes. Additionally, the degree of internal access granted to some users increases the risk of damage to, or loss of, information and systems. Risk exposures from internal users include the following:
- Alteration of data.
- Deletion of production and backup data.
- Misdirected data.
- Disruption of systems.
- Destruction of systems.
- Misuse of systems for personal gain or to damage the institution.
- Appropriation of strategic or customer data for espionage or fraud schemes.
- Extortion for stolen data.
- Misuse of data following the termination or change in job responsibility of an employee.
Management should understand the risks to the institution's information-processing environment and establish appropriate user access controls to mitigate these and other potential risks to the institution's assets. Users should understand and confirm their understanding of their roles and responsibilities in maintaining a sound security environment, which includes both physical and logical areas.