• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 366
  • Last Modified:

High risk users

We have been tasked with categorising users based on their work and the sensitivity of the data they access/process etc during their work. We ideally want to loosely put them into "high security/risk" - where more strigent windows user policies will be applied - to protect the data they process. And "low security/risk" - where potentially more lax policies can be deployed.

We have over 6000 users - any suggestions on where to start!!??!!

Also any views on how practical it is to group users based on the data they access/process?

And any risks in having more lax policies for users who access lesser sensitive data?

4 Solutions

I would start by defining which data is highly secure and which is not so much. Once you understand which data is the most sensitive, you can determine which users are accessing it.
You should consider all your users high risk, and treat everybody with the same brush.  The ironic thing is that us Administrators are a higher risk than users, because we have access to do all sorts of things.  We had a policy at one of the places I worked where All users are restricted the same, and power users - like Developers or IT staff had a different set of restrictions, but they were still not administrators on their machines nor on the domain.  In order to do management, they RDP'd to servers and logged on with their own "administrative account" to do administration.  A bit of a PITA, but it worked.  Each time I wanted to install something on my machine, UAC prompted me, and I used my administrative credentials to do it.

By having one security policy and applying it to everybody, people can't accuse you of being hypocritical, by having a different policy.  There can also be no favoritism cards played.
pma111Author Commented:
Im struggling to get my head around (especially for user policies)

what would constiture a lower security policy for low risk users and what would constitute a high risk policy for high risk users?

When the main driver is to protect the data they access / process as part of their jobs?
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

pma111Author Commented:
And if you could share any specific adminstrator "user" level policies in terms of best practice for data security that would be very interesting to hear.
pma111Author Commented:
And categories.

From I see it - there is

a) access to data on shares
b) access to data remotely via citrix/VPN
c) taking data away - i.e. saving locally / emailing offsite/ taking via USB

Any more data security elements?
pma111Author Commented:
@aquatone - do you have any parameters for ranking data sensitivity?
pma111Author Commented:
And removing applications from the issue - aside from shares & databases - where else could "sensitive data" reside?
Randy DownsOWNERCommented:
Maybe this will help. It's excerpts from a book.

How does computer system security provide protection? There are four primary methods:

System Access Controls.
Ensuring that unauthorized users don't get into the system, and by encouraging (and sometimes forcing) authorized users to be security-conscious–for example, by changing their passwords on a regular basis. The system also protects password data and keeps track of who's doing what in the system, especially if what they're doing is security-related (e.g., logging in, trying to open a file, using special privileges).

The section "System Access: Logging Into Your System" introduces the basics of system access controls. Chapter 6, Inside the Orange Book, describes the Orange Book accountability requirements, which specify the system access controls defined for different levels of secure systems. In particular, see the section entitled "Accountability Requirements" in that chapter.

Data Access Controls.
Monitoring who can access what data, and for what purpose. Your system might support discretionary access controls; with these, you determine whether other people can read or change your data. Your system might also support mandatory access controls; with these, the system determines access rules based on the security levels of the people, the files, and the other objects in your system.

"Data Access: Protecting Your Data" introduces the basics of data access controls. In Chapter 6, the section entitled "Security Policy Requirements" describes the Orange Book security policy requirements, which specify the data access controls defined for different levels of secure systems.

System and Security Administration.
Performing the offline procedures that make or break a secure system–by clearly delineating system administrator responsibilities, by training users appropriately, and by monitoring users to make sure that security policies are observed. This category also involves more global security management; for example, figuring out what security threats face your system and what it will cost to protect against them.

Chapter 5, System Security Planning and Administration, introduces the basics of system security planning and administration. In Chapter 6, the section entitled "Assurance Requirements" describes the Orange Book system administration requirements defined for different levels of secure systems.

System Design.
Taking advantage of basic hardware and software security characteristics; for example, using a system architecture that's able to segment memory, thus isolating privileged processes from nonprivileged processes.

Although a detailed discussion of secure system design is outside the province of this book, the section "System Architecture" in Chapter 6 describes briefly the major Orange Book design requirements for different levels of secure systems.
I would rank sensitive according to how many should know it.

HR information, proprietary work-product, computer/network administrator-specific documentation, data in-process and not cleared for general release. The finalities depend on the type of business you are in.

If I were writing software for a business the source code for the various software products would be considered sensitive. How compartmentalized is your organization's personnel/project division?

You should also categorize your company sensitive information based on file types, for example office documents, database files, pdf documents or ... There are separate tools available for each file type.
You may also take a look at available Right Management Services like:


Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now