Network Computing is part of the Informa Tech Division of Informa PLC

How To Assess Offshore Data Security: Page 4 of 5

Assess how a vendor enforces access controls within operating systems, applications, and databases, and how it verifies that those controls are working properly and are updated as employees change jobs or leave the company. Outsourcers can face turnover of 25% or more annually, so how promptly a vendor reflects joiners, movers, and leavers in access rights is a telling measure of how well its controls actually operate.

Before Offshore
IDENTIFY THE DATA
Step one in an offshore data privacy strategy is assessing what data outsourced workers need access to, and what policies and regulations govern that data.
EXAMINE ACCESS LEVELS
Limit the data sent offshore and the access to it: grant only the access absolutely required for the business process, and set up a process to review those grants periodically.
VERIFY CONTROLS
Write the controls into the contract, but test regularly to confirm that the data privacy objectives are actually being achieved.
REASSESS PROCESSES
Ask whether the review of offshore practices revealed changes that are needed in-house as well.

Access control becomes complex and burdensome if it isn't set up to absorb the inevitable changes in business requirements. Systems that grant permissions on assets to groups rather than to individuals are invaluable: a permission is attached to a group once, and people are added to or removed from groups as their roles change, so a job change or departure is a membership edit rather than a hunt through every asset's permissions. Access control should be administered by a team that does not itself have access to the data or systems it protects, so that nobody can grant themselves rights unobserved.
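
The following is an added example, not code from the article or from any vendor it describes, showing what the "examine access levels" and "verify controls" steps in the sidebar look like when the group-based model from the paragraph above is reviewed against the HR roster. The roster, group names, assets, and people are constructed for illustration. The review flags three things the roster no longer justifies: members who have left, members whose job has changed so that the group's role no longer matches theirs, and direct grants that bypass the group model. In practice the review would be run by the access-administration team, with the roster pulled from HR rather than typed in.

```python
"""Periodic access review for a group-based permission model.

Added example with constructed data for a hypothetical outsourcer; it is not
tied to any real directory or database product.
"""
from copy import deepcopy

# HR roster: the authoritative source for who is employed and in what role.
ROSTER = {
    "asha":  {"role": "dba",     "active": True},
    "ravi":  {"role": "support", "active": True},   # transferred from the DBA team
    "meera": {"role": "dba",     "active": False},  # left the firm
    "john":  {"role": "dev",     "active": True},
}

# Groups carry the permissions; each group is tied to the job role it serves.
GROUPS = {
    "db-admins":     {"role": "dba",     "members": {"asha", "ravi", "meera"}},
    "support-staff": {"role": "support", "members": {"ravi"}},
}
GROUP_PERMS = {
    "db-admins":     {"customer_db": {"read", "write"}},
    "support-staff": {"ticket_db":   {"read"}},
}

# Grants made directly to a user bypass the group model; the review flags them.
DIRECT_GRANTS = {
    "john": {"customer_db": {"read"}},
}


def effective_permissions(user, groups=GROUPS, group_perms=GROUP_PERMS,
                          direct=DIRECT_GRANTS):
    """Union of the permissions of every group the user is in, plus direct grants."""
    perms = {}
    for name, group in groups.items():
        if user in group["members"]:
            for asset, ops in group_perms.get(name, {}).items():
                perms.setdefault(asset, set()).update(ops)
    for asset, ops in direct.get(user, {}).items():
        perms.setdefault(asset, set()).update(ops)
    return perms


def review_findings(roster=ROSTER, groups=GROUPS, direct=DIRECT_GRANTS):
    """Return (kind, user, where) tuples for every membership or grant that the
    roster no longer justifies: leavers, job changers, and direct grants."""
    findings = []
    for name, group in groups.items():
        for user in sorted(group["members"]):
            person = roster.get(user)
            if person is None or not person["active"]:
                findings.append(("inactive_member", user, name))
            elif person["role"] != group["role"]:
                findings.append(("role_mismatch", user, name))
    for user, assets in direct.items():
        for asset in sorted(assets):
            findings.append(("direct_grant", user, asset))
    return findings


def prune_memberships(findings, groups=GROUPS):
    """Group membership after the review: leavers and job changers are removed.
    Direct grants are not touched here because the asset owner, not the group
    administrator, has to revoke them; they stay on the findings list."""
    cleaned = deepcopy(groups)
    for kind, user, group in findings:
        if kind in ("inactive_member", "role_mismatch"):
            cleaned[group]["members"].discard(user)
    return cleaned


if __name__ == "__main__":
    found = review_findings()
    for finding in found:
        print("FINDING", *finding)
    after = prune_memberships(found)
    for user in ROSTER:
        print(user, effective_permissions(user, groups=after))
```

Running the review on the constructed data flags meera (left), ravi (still in db-admins after moving to support), and john's direct grant on customer_db; after pruning, ravi retains only the support group's read access to ticket_db, and the direct grant remains on the list until the asset owner removes it.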

Almost as important as these protections is the audit trail that proper logging provides. Centralized logging is required by PCI DSS, figures in U.S. audits under the Sarbanes-Oxley and Gramm-Leach-Bliley acts, and belongs in just about any information security strategy. The principle is that actions affecting sensitive data or systems should be logged, and the records shipped to a secure, centralized store away from the system where the action took place, so that whoever controls that system cannot quietly alter or erase the evidence.

When introducing centralized logging across countries, don't overlook time-zone management. Logs from different sites will interleave out of order unless every system stamps them in the same time zone, preferably UTC, or each timestamp carries an explicit offset. Some centralized logging software can also apply a per-source offset as logs arrive; that only works while the inventory of which hosts log in local time stays accurate, so a source with no known offset should be treated as an error rather than silently assumed to be UTC.
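
As an added example, not code from the article or from any logging product, the script below shows the ordering problem from the paragraph above on four constructed log lines from hypothetical hosts in London, Bangalore, Sydney, and Manila. Two hosts stamp an explicit UTC offset; the other two stamp naive local time, and the collector applies a per-host offset from an assumed inventory table (the +11 hours for the Sydney host is an assumed configuration value, not a computed daylight-saving rule). Sorting the raw lines puts the data export after the file write, which reverses what actually happened; normalizing to UTC first restores the real sequence. A naive timestamp from a host missing from the inventory is reported rather than guessed.

```python
"""Normalize log timestamps from several time zones to UTC before ordering.

Added example; hosts, offsets, and log lines are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines: the same chain of events as written by four hosts.
# The Bangalore and Manila hosts stamp an explicit offset; London and Sydney
# stamp naive local time.  Format: <timestamp> <host> <message>.
SAMPLE_LINES = [
    "2011-03-10T14:35:30 syd-app02 app: export of customer table started by dba",
    "2011-03-10T09:05:00+05:30 blr-db01 sshd: Accepted publickey for dba from 10.1.4.20",
    "2011-03-10T03:34:00 lon-vpn01 openvpn: dba connected",
    "2011-03-10T11:36:10+08:00 mnl-fs01 smbd: customers.csv written by dba",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")

# Assumed per-host offsets for systems that log naive local time (a hypothetical
# inventory; in practice this comes from the asset database or the collector's
# per-source configuration).
HOST_UTC_OFFSETS = {
    "syd-app02": timedelta(hours=11),
    "lon-vpn01": timedelta(hours=0),
}


class UnknownOffsetError(ValueError):
    """A naive timestamp arrived from a host with no configured offset."""


def parse_line(line, host_offsets=HOST_UTC_OFFSETS):
    """Parse one line into a dict with the event time converted to UTC."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.fromisoformat(m.group("ts"))  # keeps an explicit offset if present
    host = m.group("host")
    if ts.tzinfo is None:
        if host not in host_offsets:
            raise UnknownOffsetError(f"{host}: naive timestamp and no offset configured")
        ts = ts.replace(tzinfo=timezone(host_offsets[host]))
    return {"utc": ts.astimezone(timezone.utc), "host": host,
            "msg": m.group("msg"), "raw": line}


def normalize_and_sort(lines, host_offsets=HOST_UTC_OFFSETS):
    """Events in true chronological order, regardless of the zone they were stamped in."""
    events = [parse_line(line, host_offsets) for line in lines]
    events.sort(key=lambda e: e["utc"])
    return events


def host_order(events):
    return [e["host"] for e in events]


def utc_timestamps(events):
    return [e["utc"].isoformat() for e in events]


def raw_order(lines):
    """The order a collector gets by sorting on the raw timestamp string."""
    return [LINE_RE.match(line).group("host") for line in sorted(lines)]


def missing_offsets(lines, host_offsets=HOST_UTC_OFFSETS):
    """Hosts that log naive local time but have no configured offset.  These
    need fixing before ingest; assuming UTC would silently misplace their events."""
    missing = set()
    for line in lines:
        m = LINE_RE.match(line)
        if m and datetime.fromisoformat(m.group("ts")).tzinfo is None \
                and m.group("host") not in host_offsets:
            missing.add(m.group("host"))
    return sorted(missing)


if __name__ == "__main__":
    print("raw string order:  ", raw_order(SAMPLE_LINES))
    events = normalize_and_sort(SAMPLE_LINES)
    print("true (UTC) order:  ", host_order(events))
    for e in events:
        print(e["utc"].isoformat(), e["host"], e["msg"])
    print("hosts lacking an offset if the inventory were empty:",
          missing_offsets(SAMPLE_LINES, {}))
```

On the sample data the raw order is London, Bangalore, Manila, Sydney, which makes the export from Sydney appear to start after the file was written in Manila; after normalization the order is London, Bangalore, Sydney, Manila, with all four events inside a three-minute window in UTC.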

Depending on the environment and strategy, there are numerous acceptable ways to achieve these objectives, from off-the-shelf products for access control, encryption, and logging to a combination of several tools. Offshore firms will enforce almost any control a client requests, as long as the client pays for it. The best value comes from vendors that already apply a high-quality baseline of controls as their standard, so that a client's requirements are an increment on top of that baseline rather than a custom build.