“Knowledge is fast becoming the sole factor of productivity,
sidelining both capital and labor.”
Management Challenges for the 21st Century (1999) – Peter Drucker.
Most organizations still look at information security from the perspective of ensuring that unauthorized people can’t access your network. This narrow view of information security can leave organizations with a false sense of protection. RES Software believes organizations need an additional approach to fully secure and protect data.
The IT-Store, as a combination of RES Automation Manager and RES Workspace Manager, provides both end users and administrators with a service-driven, user-centric and asset-centric approach to Information Security. It supports the controls specified in ISO27002 and provides tooling to help you safeguard your IT landscape.
First … the dry bit
The primary goal of Information Security, as defined by the International Organization for Standardization (ISO) in ISO27000, is to preserve the Confidentiality, Integrity and Availability of information. Information, defined as “data endowed with meaning and purpose”, has become an indispensable component of conducting business for virtually all organizations.
For any IT department, it is important to ensure safe access to that information.
- Confidentiality: Is the information solely accessible by persons or processes that should be authorized to view, use and/or change it?
- Integrity: Is the information we have accurate, current and consistent throughout our entire IT landscape?
- Availability: Is the information we have available, accessible and readable to those authorized to use it?
To this end, the ISO has published the ISO27002:2013 standard containing 14 chapters (ISO27002:2005: 11) with a total of 114 controls (ISO27002:2005: 133), intended to address the specific requirements identified in a risk assessment.
These controls provide the means to achieve certification against the ISO27001 standard.
… but InfoSec is more than just the human factor
Taking into account “persons or processes”, “current and consistent”, “our entire IT landscape” and “accessible and readable”, an IT department that limits its view of security to access by the right person is taking an insufficient view. Device, location and even time of day may well be additional factors that determine whether or not access to information is granted. With multiple devices connecting to your IT landscape, people working around the globe 24/7, and collaboration across multiple nationalities and languages, Information Security remains a challenge.
By configuring items such as Locations and Devices, Access Control, Authorized Files and Network Connections, RES Workspace Manager can contribute to meeting the requirements for certification. How? Here’s an example:
ISO27002 – Control 11.6.1 – “Information access restriction”
One of the three basic principles of Information Security is Confidentiality. What is a user authorized to access, and what not? Access to confidential information is to be restricted to authorized individuals who require that access as part of their job responsibilities. Access control in applications managed by RES Workspace Manager starts with the definition of user roles and the corresponding authorizations or privileges, based on business requirements. Once the roles and required authorizations are clear, they should be implemented on the managed applications. Authorizing managed applications is your first step toward compliance with control 11.6.1 “Information access restriction”.
But what if …?
… a user takes a managed application they are authorized to run and uses it to start executables or programs they are not authorized to? At Security > Applications > Managed Applications, you can prevent unauthorized executables from being used in the user workspace. This prevents potentially harmful executables from causing damage. With Managed Application Security, you can:
- Prevent users from starting unauthorized executables, even for applications that are installed on their local desktops.
- Prevent users from running executables that they received via e-mail or the Internet. This prevents potentially dangerous executables containing viruses, spyware and malware from contaminating the corporate network.
- Prevent users from using advanced commands in the command box.
Setting Managed Application Security to Learning mode can tell us a lot about which user is using what process to access what file. Please note that Learning mode does NOT block access to executables. The three modes behave as follows:
- Disabled: turns off Managed Application Security and any related security rule or configuration.
- Learning: applies all rules and configurations; security events are logged, but executables are not blocked.
- Enabled: prevents any unauthorized file, folder or executable from being accessed.
On the Log tab, an event is created for each occurrence, with information such as the date/time stamp of access, the computer name from which access was gained and the operation performed on the file. Simply right-click a log entry to authorize the file for the corresponding process. The Access Control and Workspace Control tabs then allow you to further specify the conditions for that authorization based on identity, location, device or workspace.
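As an added example (not RES Software's code, and not the product's real log format), the following Python simulates the three Managed Application Security modes and the Learning-mode review loop described above. The log layout, the computer-name condition standing in for the Access Control tab, and the "seen from several users" review heuristic are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LaunchEvent:
    """One Learning-mode log entry (constructed layout, not the product's own)."""
    timestamp: str   # date/time stamp of access
    computer: str    # computer name from which access was gained
    user: str
    process: str     # managed application that started the executable
    target: str      # executable that was started
    operation: str   # operation performed on the file

# Constructed sample log entries for illustration only.
LEARNING_LOG = [
    LaunchEvent("2016-03-01 09:12", "WS-0042", "jdoe", "outlook.exe",
                r"C:\Users\jdoe\Downloads\invoice.exe", "execute"),
    LaunchEvent("2016-03-01 09:15", "WS-0042", "jdoe", "excel.exe",
                r"C:\Program Files\Tool\helper.exe", "execute"),
    LaunchEvent("2016-03-01 10:01", "WS-0077", "asmith", "excel.exe",
                r"C:\Program Files\Tool\helper.exe", "execute"),
]

def authorize(rules, event, computers=()):
    """Like right-clicking a log entry: allow this target for this process.
    'computers' stands in for an Access Control condition; empty = any computer."""
    rules[(event.process.lower(), event.target.lower())] = frozenset(c.lower() for c in computers)
    return rules

def evaluate(mode, rules, event, log):
    """Return True if the launch is allowed under the given mode.
    Disabled: nothing evaluated or logged. Learning: evaluated and logged, never blocked.
    Enabled: unauthorized launches are logged and blocked."""
    if mode == "Disabled":
        return True
    conds = rules.get((event.process.lower(), event.target.lower()))
    allowed = conds is not None and (not conds or event.computer.lower() in conds)
    if not allowed:
        log.append(event)
    return True if mode == "Learning" else allowed

def review(log, min_users=2):
    """Assumed review heuristic: (process, target) pairs seen from at least min_users users."""
    seen = {}
    for e in log:
        seen.setdefault((e.process.lower(), e.target.lower()), set()).add(e.user)
    return {pair for pair, users in seen.items() if len(users) >= min_users}
```

Running the Learning-mode log through review() and authorizing only the surviving pairs shows why Learning mode alone is not a control: the invoice.exe launch is logged in every evaluated mode but only Enabled blocks it.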