Ensuring Traceability in IT
Accountability in IT requires traceability. How do you ensure that all actions are traceable to the appropriate individual?
• Create unique identifiers for each user.
Create a unique user ID for each person. This identifier may be an employee ID or alphanumeric combination unique to each person. Don’t give employees an ID based on a first initial and last name, since a new employee may end up with a similar ID to an old one or more than one person may share the same initial-last name combination. This is a problem when you run a report to track the activities of agarcia and get results for Angela Garcia and Armin Garcia.
• Have unique identifiers for each administrator.
This may be the same identifier as the administrator’s user account or a separate admin account for each administrator. Whatever the solution, it shouldn’t be a general “admin” account to which a limited group has the password and any of whom could log in as the admin. A good IT policy is to have a separate administrative account for each system admin that is separate from their general user account. This forces system admins to log out as normal users and log in as administrators to access administrative functions. Then they cannot accidentally utilize administrative functions like deleting records. You also lessen the odds of someone walking up to an unattended computer and accessing an administrator’s session, since the admin will be logged in as a restricted general user at least part of the time.
• Require employees to log off at the end of each day.
When users must log off each day, their computers are harder to hack by someone accessing the network or walking up to an unattended computer at the end of the day.
• Force employees off the computer after a specified period of inactivity.
Otherwise, someone could walk up and perform actions as if they were the employee. Logging employees off after two or three hours also avoids unattended or rarely used machines from remaining connected to the network with that person’s ID. If someone logs into a machine and then walks over to another one to work later that afternoon, forced exits ensure that only one machine is tracking the user’s activities instead of the next person to walk over to the unattended computer.
• Give contractors and guests their own accounts so that they, too, are tracked.
You lose traceability if every contractor logs in as “guest” or “visitor”.
• When you use LDAP and SSO, use that system to log people out after a period of inactivity and when they log onto a different computer with the same credentials.
Simplified sign-on applications allow many users to directly access applications based on computer login credentials. This saves time and reduces repetitive user credential entry. However, it means anyone approaching that computer someone else has logged into can access applications as that user. And activities in those applications are tied to the original user’s login credentials, even if they have moved on to another machine. Timing out simplified sign on sessions and LDAP access forces users to re-enter their credentials periodically, but it also avoids problems with someone accessing applications as another user by default.
• Forbid employees from saving their passwords in browsers and forms.
When users save their passwords digitally, they allow others to log in as them as long as the other person can access those saved passwords in the person’s profile. And some people can gain access to the forms and saved passwords to log in as that person on another machine.