User rights in Cybersecurity
In our field, users are often rightless — they have many personal duties (do not use torrents, do not bring personal music to corporate PCs, do not share a password), but very few personal rights.
What about the rights to a PC, printing and Internet services? They exist, but those are user rights in IT. Cybersecurity communicates with users on rare occasions, essentially in two cases:
- a user has joined the company, and his/her duties need to be explained;
- a user has failed to fulfil his/her duties, i.e. has violated corporate rules, and an incident is opened (which sounds like “an investigation case is opened”).
Within the security awareness process, corporations regularly drum into users’ heads that they “must” comply with cyber rules and report threats, incidents and breaches; in some companies, users are deprived of a bonus or even dismissed for violating cybersecurity rules. Users take a dim view of cyber, and cyber is perceived as a “Gestapo”, a “punishing sword” and as “abuse”, since:
- Cybersecurity can find a problem with any user;
- Cybersecurity is not limited in its powers to monitor and investigate users’ activities.
It is clear that with such an approach, users’ trust in Cybersecurity is low, security awareness is far from effective, and the position of Cybersecurity is often precarious, since business leaders take into account the opinion of users across their subdivisions.
An interesting solution may be the introduction of a User Rights section regarding the monitoring and investigation of users, which could contain the following:
- the possible reasons for monitoring and investigating a user’s activities;
- the rules for coordinating and registering the commencement of monitoring/investigation of a particular user, as well as the duration of monitoring;
- categories of high-risk users subject to enhanced monitoring (accountants, procurement managers, executives, etc.);
- a warning to the user that all of his/her actions may be monitored;
- classification of breaches by severity (mild, average and severe);
- a list of consequences for breaching cyber rules: more careful checks of access requests, an extraordinary audit of access and of the user’s workstation, escalation to the manager, extraordinary access certification, registration for monitoring for a certain period.
A small in-house Procedural Code with respect to users will help limit abuse and increase trust in Cybersecurity, as well as protect the staff by limiting possible misuse of privileges by Cybersecurity personnel and reducing the motivation to register low-priority incidents against users.