High Risk Users – Help?
Information Assurance, Governance, Risk and Compliance


This topic contains 3 replies, has 2 voices, and was last updated by Chin_Diesel 3 years, 9 months ago.

    #79881

    Antifuse
    Participant

    I monitor my email traffic for users sending sensitive data (PII and any other data sensitive to our org) unsecured. I have rules set up in O365 to encrypt this data as it leaves the network so long as they use the methods I outlined for them. However, even after I got all the managers on board and everyone knows the process, there are still users that seem to just not “give a f***”. I send out block notifications when I detect this sensitive data and block it. I ask the users to review policy and sign a document I created and return it to me showing they understand. I also include their managers on these messages. Even with the manager on my side I am not getting much response from these individuals and I am wondering what my next step should be? Can Compliance do anything to add “teeth” to these notices? Should I notify the user and their manager that I track them more closely because they are a high-risk user? Should I shut off access to their machines until they take a required training that I am developing?

    Any thoughts or help in this would be very helpful!

    Thank you!
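    The two-part setup the original poster describes (encrypt outbound mail when users follow the sanctioned method, block and notify when sensitive data goes out without it) can be expressed as a pair of Exchange Online mail flow rules. The block below is an added example written for this thread, not the poster's own configuration. It assumes, hypothetically, that the sanctioned method is putting the tag [Encrypt] in the subject, that the security team mailbox is secops@contoso.com, and that the tenant has Office 365 Message Encryption so the built-in "Encrypt" rights-protection template is available. The sensitive information type names are the built-in classification names; adjust them to whatever the org actually cares about.

```powershell
# Added example (not from the original post): two Exchange Online mail flow rules
# that implement the "encrypt if tagged, block and report if not" pattern.
# Hypothetical assumptions:
#   - users encrypt by adding the tag [Encrypt] to the subject line
#   - the security team mailbox is secops@contoso.com
#   - the tenant has Office 365 Message Encryption, so the built-in
#     "Encrypt" rights-protection template exists (check with Get-RMSTemplate)
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$encryptTag      = "[Encrypt]"
$securityMailbox = "secops@contoso.com"

# Built-in sensitive information types to look for (at least one match each).
$sensitiveTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
    @{ Name = "Credit Card Number";               minCount = "1" }
)

# Rule 1 (priority 0): the sanctioned path. Any message leaving the
# organization whose subject carries the tag is encrypted with the
# "Encrypt" template, so the content never leaves in the clear.
New-TransportRule -Name "OME - encrypt tagged outbound mail" `
    -Priority 0 `
    -SentToScope NotInOrganization `
    -SubjectContainsWords $encryptTag `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -Mode Enforce `
    -Comments "Users encrypt by adding $encryptTag to the subject."

# Rule 2 (priority 1): the enforcement path. Outbound mail that contains
# sensitive data but was NOT tagged is rejected, the sender is told why,
# and an incident report listing the matched classifications (with the
# original message attached) goes to the security mailbox.
New-TransportRule -Name "DLP - block untagged sensitive outbound mail" `
    -Priority 1 `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications $sensitiveTypes `
    -ExceptIfSubjectContainsWords $encryptTag `
    -RejectMessageReasonText "Blocked: this message contains sensitive data. Add $encryptTag to the subject to send it encrypted. See the data handling policy." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -GenerateIncidentReport $securityMailbox `
    -IncidentReportContent Sender, Recipients, Subject, DataClassifications, RuleDetail, AttachOriginalMail `
    -SetAuditSeverity High `
    -Mode Enforce

# Verify both rules exist and that the encrypt rule is evaluated first.
Get-TransportRule |
    Where-Object { $_.Name -like "OME -*" -or $_.Name -like "DLP -*" } |
    Select-Object Priority, Name, State, Mode |
    Sort-Object Priority
```

    Two practical notes. Run the second rule with -Mode Audit or AuditAndNotify for a week before switching to Enforce, so you can tune the sensitive information types against real traffic and see who the repeat offenders are from the incident reports rather than from user complaints. And the incident reports are what give the "three strikes" process discussed later in the thread its evidence: each report records sender, recipients and the classifications that matched, which is exactly what HR and Compliance will ask for.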

    #79922

    Chin_Diesel
    Moderator

    Kill their access. If there are no consequences, then users will continue to do the same dumb crap they normally do. It sounds like you have management support, so I’d revoke their ability to circumvent security measures. If you lack a policy, or your policy needs improvement, I’d get your actionable offenses documented, so when you get those users that want to try and bitch and say it wasn’t in the policy, you have documentation to back up what you do.

    You’re just doing your job, and ensuring the security of PII and other sensitive information. If they want to complain about it, then they can tell their complaints to a security officer as to why they feel the need to send out sensitive data without protecting it.

    #79972

    Antifuse
    Participant

    Thank you creno13! I took this path to start removing access, but I consulted Compliance and Governance first. They agreed with my decisions, but also sent me over to HR. Now HR and I are working on a solution to enforce the rules with a sort of “3-strikes you’re out” method. I’m hoping I will see improvements regarding this going forward. On top of that I worked with my company “Training Director/Master Trainer” and developed a “Cyber Awareness” program that we will implement first quarter 2017. Excited to see where it takes us as far as risk and reporting then!

    #80323

    Chin_Diesel
    Moderator

    Glad you’ve got some decent managerial buy-in. When users and management don’t take security seriously, it makes you wonder why you even bother to try, and it sounds like the controls you’re trying to enforce aren’t that much of a nuisance not to use.
