High risk users

Posted on 2011-10-05
Last Modified: 2012-05-12
We have been tasked with categorising users based on their work and the sensitivity of the data they access/process etc. during their work. We ideally want to loosely put them into "high security/risk" - where more stringent Windows user policies will be applied - to protect the data they process, and "low security/risk" - where potentially more lax policies can be deployed.

We have over 6000 users - any suggestions on where to start?

Also, any views on how practical it is to group users based on the data they access/process?

And any risks in having more lax policies for users who access less sensitive data?

Question by: pma111
    LVL 2

    Accepted Solution


    I would start by defining which data is highly secure and which is not so much. Once you understand which data is the most sensitive, you can determine which users are accessing it.
    LVL 17

    Assisted Solution

    You should consider all your users high risk, and treat everybody with the same brush.  The ironic thing is that we administrators are a higher risk than users, because we have access to do all sorts of things.  We had a policy at one of the places I worked where all users were restricted the same, and power users - like developers or IT staff - had a different set of restrictions, but they were still not administrators on their machines nor on the domain.  In order to do management, they RDP'd to servers and logged on with their own "administrative account" to do administration.  A bit of a PITA, but it worked.  Each time I wanted to install something on my machine, UAC prompted me, and I used my administrative credentials to do it.

    By having one security policy and applying it to everybody, people can't accuse you of being hypocritical by having a different policy.  There can also be no favoritism cards played.
    LVL 3

    Author Comment

    I'm struggling to get my head around (especially for user policies):

    what would constitute a lower security policy for low-risk users, and what would constitute a high-risk policy for high-risk users?

    When the main driver is to protect the data they access/process as part of their jobs?
    LVL 3

    Author Comment

    And if you could share any specific administrator "user" level policies in terms of best practice for data security, that would be very interesting to hear.
    LVL 3

    Author Comment

    And categories.

    As I see it, there is:

    a) access to data on shares
    b) access to data remotely via Citrix/VPN
    c) taking data away - i.e. saving locally / emailing offsite / taking via USB

    Any more data security elements?
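    The accepted answer above says to start from the data ("decide which data is sensitive, then see who touches it"), and the list just above (shares, remote access, taking data away) is the asker's own breakdown of the controls. The following PowerShell is an added example of joining those two ideas on a Windows domain; it is not from anyone in this thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and every share path, group name, GPO name and OU below is a hypothetical placeholder to be replaced with your own. It reads the NTFS ACLs of the shares you have already classified as sensitive, expands the groups on them to individual users, and (only when `$Apply` is set) puts those users into one security group that a user-side GPO is security-filtered to, with "deny all removable storage" as the sample restriction for category c).

```powershell
# Added example: map "who can reach sensitive data" to an AD group and a stricter GPO.
# Not from the original thread. Assumptions (all placeholders, adapt before use):
#   - RSAT ActiveDirectory and GroupPolicy modules are available
#   - $SensitiveShares is the data-owner classification done in the first step
#   - group, GPO and OU names below are hypothetical
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SensitiveShares = @('\\fs01\HR', '\\fs01\Finance', '\\fs01\SourceCode')  # constructed list
$HighRiskGroup   = 'SEC-HighRisk-Users'                                   # placeholder
$HighRiskGpo     = 'SEC-HighRisk-User-Policy'                             # placeholder
$UserOu          = 'OU=Users,DC=corp,DC=example'                          # placeholder
$Apply           = $false   # $true actually creates/changes the group and GPO

# Built-in principals that sit on nearly every ACL and say nothing about people.
$Ignore = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Resolve a DOMAIN\name ACL identity to the users behind it (groups expanded recursively).
function Resolve-AclIdentityToUsers {
    param([string]$Identity)
    $name = ($Identity -split '\\')[-1]
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
    if ($user) { return @($user.SamAccountName) }
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
    if ($group) {
        # Caveat: -Recursive can hit the default 5000-member result limit on huge groups.
        return @(Get-ADGroupMember -Identity $group -Recursive |
                 Where-Object objectClass -eq 'user' |
                 Select-Object -ExpandProperty SamAccountName)
    }
    return @()   # local or unresolvable principal: nothing to add
}

# Step 2: from the classified shares, derive every user with an Allow ACE.
$highRisk = @{}
foreach ($share in $SensitiveShares) {
    $acl = Get-Acl -Path $share
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($Ignore -contains $id -or $id -like 'S-1-*') { continue }   # skip built-ins, orphaned SIDs
        foreach ($sam in (Resolve-AclIdentityToUsers -Identity $id)) {
            if (-not $highRisk.ContainsKey($sam)) { $highRisk[$sam] = @() }
            $highRisk[$sam] += $share
        }
    }
}

# Report: one line per user, with the shares that put them in the high-risk set.
$highRisk.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-20} {1}' -f $_.Name, ($_.Value -join ', ')
}
"{0} users can reach at least one sensitive share" -f $highRisk.Count

if (-not $Apply -or $highRisk.Count -eq 0) { return }

# Step 3: a dedicated group, so the policy follows the data rather than the org chart.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$HighRiskGroup'")) {
    New-ADGroup -Name $HighRiskGroup -GroupScope Global -GroupCategory Security -Path $UserOu
}
Add-ADGroupMember -Identity $HighRiskGroup -Members @($highRisk.Keys)

# Step 4: a user-side GPO, security-filtered to that group only.
if (-not (Get-GPO -Name $HighRiskGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $HighRiskGpo | Out-Null
}
# Authenticated Users keep Read (required since MS16-072) but no longer Apply.
Set-GPPermission -Name $HighRiskGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $HighRiskGpo -TargetName $HighRiskGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
# Sample restriction: "All Removable Storage classes: Deny all access" (User Configuration).
Set-GPRegistryValue -Name $HighRiskGpo -Key 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices' -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $HighRiskGpo -Target $UserOu -LinkEnabled Yes | Out-Null
```

    Two caveats a practitioner will want. First, an ACL tells you who can reach the data, not who actually does, and this script looks only at NTFS Allow entries on the share root (share-level permissions, Deny entries and sub-folder ACLs are not evaluated), so treat the report as a starting list for the data owners to confirm rather than the final classification. Second, membership only ever grows here: run it on a schedule and reconcile removals as well, otherwise the "low-risk" population quietly becomes the set of people whose access was never re-checked, which is exactly the risk the asker raised about a more lax policy.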
    LVL 3

    Author Comment

    @aquatone - do you have any parameters for ranking data sensitivity?
    LVL 3

    Author Comment

    And removing applications from the issue - aside from shares & databases - where else could "sensitive data" reside?
    LVL 29

    Assisted Solution

    by: Randy Downs
    Maybe this will help. It's excerpts from a book.

    How does computer system security provide protection? There are four primary methods:

    System Access Controls.
    Ensuring that unauthorized users don't get into the system, and by encouraging (and sometimes forcing) authorized users to be security-conscious, for example by changing their passwords on a regular basis. The system also protects password data and keeps track of who's doing what in the system, especially if what they're doing is security-related (e.g., logging in, trying to open a file, using special privileges).

    The section "System Access: Logging Into Your System" introduces the basics of system access controls. Chapter 6, Inside the Orange Book, describes the Orange Book accountability requirements, which specify the system access controls defined for different levels of secure systems. In particular, see the section entitled "Accountability Requirements" in that chapter.

    Data Access Controls.
    Monitoring who can access what data, and for what purpose. Your system might support discretionary access controls; with these, you determine whether other people can read or change your data. Your system might also support mandatory access controls; with these, the system determines access rules based on the security levels of the people, the files, and the other objects in your system.

    "Data Access: Protecting Your Data" introduces the basics of data access controls. In Chapter 6, the section entitled "Security Policy Requirements" describes the Orange Book security policy requirements, which specify the data access controls defined for different levels of secure systems.

    System and Security Administration.
    Performing the offline procedures that make or break a secure system: by clearly delineating system administrator responsibilities, by training users appropriately, and by monitoring users to make sure that security policies are observed. This category also involves more global security management; for example, figuring out what security threats face your system and what it will cost to protect against them.

    Chapter 5, System Security Planning and Administration, introduces the basics of system security planning and administration. In Chapter 6, the section entitled "Assurance Requirements" describes the Orange Book system administration requirements defined for different levels of secure systems.

    System Design.
    Taking advantage of basic hardware and software security characteristics; for example, using a system architecture that's able to segment memory, thus isolating privileged processes from nonprivileged processes.

    Although a detailed discussion of secure system design is outside the province of this book, the section "System Architecture" in Chapter 6 describes briefly the major Orange Book design requirements for different levels of secure systems.
    LVL 2

    Expert Comment

    I would rank sensitivity according to how many people should know it.

    HR information, proprietary work-product, computer/network administrator-specific documentation, data in-process and not cleared for general release. The finalities depend on the type of business you are in.

    If I were writing software for a business the source code for the various software products would be considered sensitive. How compartmentalized is your organization's personnel/project division?

    LVL 2

    Assisted Solution

    You should also categorize your company's sensitive information based on file types, for example office documents, database files, PDF documents or ... There are separate tools available for each file type.
    You may also take a look at available Rights Management Services like:
