Setting Entry-Level IT Controls

Overview

Strong IT entry-level controls form a foundation for the IT control environment within a company, while weak entry-level controls increase the likelihood that controls will be weak throughout the organization.

Here are the main entry-level controls that should be pervasive across your company, and what we look for first when starting IT security or PCI Compliance audits.

1. Clear assignment of authority and responsibility over IT operations and adequate segregation of duties.

A poorly defined IT organization structure can lead to confusion regarding responsibilities and cause IT support functions to be performed inefficiently or ineffectively, resulting in critical functions being either neglected or performed redundantly.
The specifics of which duties should be segregated from others will vary by company; however, the general idea is that the responsibilities for initiating, authorizing, inputting, processing, and checking data should be segregated so that one person does not have the ability to create a fraudulent transaction, authorize it, and hide the evidence. In other words, you're attempting to prevent one person from being able to subvert a critical process.

The following are some basic general guidelines that can be considered:

  • IT personnel should not perform data entry.
  • Programmers and those performing run/maintain support for systems should not directly be able to modify production code, data, or the job-scheduling structure.
  • Programmers and those performing run/maintain support for systems should be separate from those performing IT operations support.
  • An IT security organization should be responsible for setting policies and monitoring for compliance with those policies. This IT security organization should have no operational responsibilities outside those related to IT security.

2. IT strategic planning process aligned with business strategies.

The IT organization must be aware of upcoming business needs and changes in the environment so that they can plan and react accordingly. It is important that IT priorities align with business priorities.

3. Technology and application strategies and roadmaps and evaluation processes for long-range technical planning.

IT is a rapidly changing environment, and it is important that IT organizations understand and plan for change. Otherwise, the company's IT environment runs the risk of becoming obsolete and/or not fully leveraging technology to benefit the company.
For purchased applications and technologies, the IT organization should understand when its versions of the products will cease to be supported and create plans for either upgrading or replacing the product.

4. Performance indicators for measuring the IT department's performance of day-to-day activities. Performance tracking against service-level agreements.

If minimum standards of performance are not established and measured, it is difficult for the business to determine whether the IT organization's services are being performed at an acceptable level.

5. Process for approving and prioritizing new projects.

Without a structured process for approving and prioritizing new IT projects, IT resources probably will not be deployed efficiently.

6. Set of documented standards for governing the execution of IT projects and for ensuring the quality of products developed or acquired by the IT organization.

If standards are not in place and enforced in the IT environment, projects may be executed in an undisciplined fashion, quality issues will exist in developed or purchased products, and the IT environment will be unnecessarily diverse.

Documented standards should govern areas such as the following.

  • Project management
  • Software development
  • System configuration
  • Hardware and software
  • Quality assurance standards

7. IT security policies that provide adequate requirements for the security of the environment (PCI Requirement 12.1).

IT security policy sets a baseline of expectations for employees of the company. If policies don't exist or provide adequate coverage, employees are forced to make up their own rules regarding security-related issues. The same concept extends to computer systems, which require a standard by which system security can be evaluated. If IT security policies are too lenient, they will not provide adequate protection of the company's information assets. If they are too strict, they either will be ignored or will place unnecessary overhead and costs on the business.
If the IT security policies aren't communicated to employees, they won't be followed. Additionally, if compliance with those policies is not monitored and enforced, employees will learn quickly that the policies can be ignored with no consequences, causing the policies to become "suggestions" rather than requirements.

At a minimum, the policies should include coverage of the following areas:

  • Acceptable usage of the company's information assets by employees (for example, whether employees can use their computers, the internet, and e-mail for personal reasons) (PCI Requirement 12.3)
  • Data classification, retention, and destruction
  • Remote connectivity (for example, overall network security and security requirements for virtual private network (VPN), dial-up, and other forms of connection to external parties)
  • Passwords
  • Server security (such as security requirements for Unix and Windows servers)
  • Client security (such as security requirements for desktops and laptops)
  • Logical access (such as requirements for obtaining and granting access to systems)

Security policies should be periodically reviewed and updated to ensure that they keep up with the ever-changing IT environment.

8. Risk-assessment processes for the IT organization (PCI Requirement 12.2).

Without the risk-assessment processes, the IT organization will be unaware of risks to the achievement of its objectives and therefore will not have the ability to make conscious decisions regarding whether to accept or mitigate those risks.

Risk-assessment mechanisms could include the following:

  • Monitoring internal controls in the IT environment, including internal audits and self-assessments
  • Performing formal threat and risk assessments of critical data centers and systems
  • Performing periodic reviews of the strategic IT plans and technical roadmaps and assessing risks to the achievement of those plans
  • Monitoring compliance with IT security policies and other relevant IT policies

9. Policies and processes for assigning ownership of company data, classifying the data, protecting the data in accordance with their classification, and defining the data's life cycle (PCI Requirement 9.5).

A framework must be in place for making decisions as to what level of protection is necessary for any given data element (based on the criticality of the data). Without such a framework, there will be inconsistency in how data is protected, likely resulting in some data being underprotected or overprotected. If the life cycle of data is not defined, it will lead to data being retained longer than necessary or being destroyed prematurely.

10. Effective processes in place for complying with applicable laws and regulations that affect IT and maintaining awareness of changes in the regulatory environment.

A single point of contact needs to be responsible for monitoring the regulatory environment (such as PCI Compliance, HIPAA, and Sarbanes-Oxley) and its impact on IT.

11. Ability for end-users of the IT environment to report problems and be involved in IT decisions.

Because the IT environment exists to support the company's employees in performing their jobs, it is critical that processes exist whereby those employees can provide input into the quality of service they are receiving. Otherwise, the IT organization may be misaligned with its users and not be aware of it.
To ensure that the help desk does not seek customer satisfaction at the expense of security, policies and processes need to be in place for obtaining proper approvals prior to responding to user requests for password resets and for system access.

12. Managing third-party services, ensuring that their roles and responsibilities are clearly defined and monitoring their performance.

Many companies outsource some or all of their IT support processes, including areas such as PC support, web server hosting, system support, programming, and so on. If those vendors are not managed appropriately, it can lead to poor service and unacceptable quality in the IT environment.

13. Process for controlling non-employee logical access.

Company policies (including IT security policies) need to be communicated to non-employees prior to granting system access. A process needs to be in place for removing logical access when non-employees have ceased to work with the company or otherwise no longer need access.

14. Controls over remote access into the company's network.

Allowing remote access to a network basically results in that network being extended beyond its normal confines, bypassing normal perimeter controls such as firewalls. A lack of strong controls regarding this access can result in inappropriate access to the network and a compromised network.
A user ID and strong password need to be required for remote access, and these credentials need to be transmitted over secure (such as encrypted) communication channels. Approval processes need to be in place for granting remote access, including for non-employees, and for removing it when an employee leaves the company.
Controls need to be in place for ensuring that unauthorized connections cannot be made to the network and/or for detecting them if they are.
Policies need to provide minimum security requirements that should be met by all machines accessing the network remotely. This should include requirements for operating system patch level and antivirus protection. Preventive or detective controls need to be in place to enforce those requirements.

15. Hiring and termination procedures need to be clear and comprehensive.

Termination procedures need to ensure that access to company systems and facilities is revoked immediately.

16. Asset management policies and procedures for controlling the procurement and movement of hardware.

Asset management is the controlling, tracking, and reporting of organizational assets to facilitate accounting for the assets.

The company's asset management policies and procedures need to encompass the following:

  • Asset procurement process
  • Asset tracking
  • Current inventory of all equipment
  • Asset move and disposal procedures

17. System configurations controlled with change management to avoid unnecessary system outages.

Configuration change management ensures that system changes are controlled and tracked to reduce the risk of system outages. It includes planning, scheduling, and applying changes to systems in a way that reduces the risk of those changes to the environment.

Configuration management procedures need to include processes for the following:

  • Requesting changes
  • Determining the specifics of what should change
  • Prioritizing and approving proposed changes
  • Scheduling approved changes
  • Testing and approving changes prior to implementation
  • Communicating planned changes prior to implementation
  • Implementing changes
  • Rolling back (removing) changes that don't work as expected after implementation

18. Media transportation, storage, reuse, and disposal should be addressed adequately by company-wide policies and procedures (PCI Requirement 9.8).

Media controls ensure that information stored on data-storage media remains confidential and is protected from premature deterioration or destruction. One increasingly common type of security incident is the loss of backup media in transit by third-party carriers.

Media policies and procedures should address the following:

  • Requirements for sensitive information to be encrypted prior to transporting through a third-party carrier
  • Requirements for magnetic media to be digitally shredded or degaussed prior to reuse or disposal
  • Requirements for optical and paper media to be physically shredded prior to disposal
  • Requirements for users to be trained adequately on how to store and dispose of computer media, including jump drives
  • Requirements for computer media to be stored in a physically secure, temperature-controlled, and dry location to prevent damage to the media

19. Capacity monitoring and planning policies and procedures

Anticipating and monitoring the capacity of data center facilities, computer systems and applications are critical parts of ensuring system availability. When companies neglect these controls, they often experience system outages and data loss.