Combatting "Yes"

There are many stories of IT staff who were so eager to help someone that they gave an employee too much access, whitelisted a website containing malware, or any number of other activities that put their institution at risk. In many cases, the IT staff knew that what they were doing was wrong, but the employees they were supporting were insistent that their request was somehow vital to the institution, so IT caved. Most IT staff want to make people happy by being helpful, so they tend to say “Yes” quickly. But saying “Yes” to every request will result in an environment that is chaotic, expensive to support, and more predisposed to a breach.

Avoiding the risk of always saying “Yes” to IT requests requires that a financial institution have policies that set the proper boundaries on user requests and that these policies be enforced. Here are some suggestions for ensuring that policies provide the proper balance between productivity and security:

• Decide where the boundaries are: Policy should clearly set the boundary of which activities are not allowed without approval. In the case of providing user access, a policy might allow IT to provide access to some areas of a file server without further approval, but if the request is for areas that contain customer or HR data the request needs to be escalated to management. In the case of whitelisting a website, the policy might state that the site needs to be properly vetted by the security officer prior to granting the request. To avoid someone having software illegally installed, a policy may require all software to have a risk assessment performed prior to being approved and installed.

• Detect when boundaries are crossed: For each policy that sets a boundary, consider how someone going outside that boundary would be detected and build that detection into the policy. This may involve activities such as logging and reviewing administrator activities or running periodic scans to detect instances that are outside of the boundaries. Performing a periodic inventory of workstation software, for instance, will help detect when someone has gone outside of policy and installed unapproved software.

• Enforce compliance: Policy should include the consequences of crossing a boundary for both IT staff and other staff, and these consequences should be enforced. IT support staff need to know that there will be ramifications if they give a user local administrative access without permission to do so, but the employee demanding they be provided this access needs to also know that they will need to answer for their actions when this is detected. 

Following the above suggestions will empower IT staff to stop saying “Yes” to risky requests, and to instead say “That is outside of policy, so we need to take some extra steps before I can do that for you”.

We often help institutions find and set appropriate permissions and boundaries for their employees. And it can be extremely helpful for this to come from an outside unbiased source. If this is an area where you struggle we'd be happy to step in.