Zero trust is a framework that lets security teams address a complicated threat landscape and a mobile workforce while protecting both remote and in-office users. Under a zero trust approach, the security team treats every request as untrusted by default, regardless of whether it originates inside or outside the corporate network, and verifies it explicitly before granting access.
Building a zero trust framework means implementing controls and technologies across the IT estate: networks, endpoints, identities and applications. One approach introduces a secure access service edge (SASE) architecture; others focus on segmenting key elements such as applications and the corporate network. A common goal of these controls is to support remote working without extending implicit trust to the remote user or device.
With remote working now ubiquitous, organizations need new approaches to strengthen their security controls. Part of this is making sure that current employees and contractors understand and follow their information security duties. Mature security teams recognize that defining roles and the access each role needs ('personnel security') is an effective zero trust policy in its own right: once roles are defined and each is paired with an explicit policy, the organization has a concrete basis for deciding who may do what, which is the heart of zero trust.
So here are five personnel security policies that help your organization adopt a zero trust framework:
- Least Privilege
Least privilege means restricting each employee's access to only the data and systems they need to do their job, and nothing more. Digital access is one area in which a security team must give due consideration to access to programs, networks and accounts; due care must also be given to physical access, including computers, peripherals and so on. If every user has the same broad access, every account is an equally valuable target and the compromise of any one of them exposes everything; scoping access per role limits what a single compromised account can reach.
- Have a Dual Operator Policy
For many duties, responsibilities can be split between two people. A policy that requires dual operation means employees authorize each other's work, so each can detect incorrect or unauthorized procedures before they take effect.
- Divide Duties
No user should hold enough privileges to misuse the system on their own. For example, the person producing a paycheck for a colleague should not also be the one who pays it; otherwise a single employee could breach security policy and then obscure the financial trail that would reveal the breach.
- Limit Dependence on Key Employees
Certain employees will be more vital from an operational point of view, and that is itself a risk: their absence halts work, and their activity is rarely checked by anyone else. To mitigate this, have concrete strategies in place for when such employees are absent, such as documented procedures and a second person trained on each critical role.
- Make Vacations Compulsory
By requiring employees to take at least one week of consecutive vacation, an organization can audit the employee's work while a colleague covers their duties, which can surface fraudulent behavior or embezzlement. This is particularly important now that hybrid working has become the norm and supervision is more complicated.
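The policies above are usually written into HR and governance documents, but the first four can also be enforced in the authorization layer of the systems that handle sensitive actions. The following is an added example, not code from the article or any product it mentions, showing a toy payroll workflow in which role permissions are scoped to what each job needs (least privilege), the person who creates a payroll run can never approve it and the person who disburses it must be a third party (dual operator and divided duties), and roles held by only one person are reported as key-person dependencies. The role names, permission strings and user directory are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical permission model (an assumption for this example): each role
# carries only the actions that job needs, nothing more (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payroll_clerk": {"payroll:create"},
    "payroll_approver": {"payroll:approve"},
    "treasury": {"payroll:disburse"},
    "auditor": {"payroll:read"},
}


class AccessDenied(Exception):
    """Raised when a request fails an authorization or separation-of-duties check."""


@dataclass
class PayrollRun:
    run_id: str
    created_by: str
    approved_by: Optional[str] = None
    disbursed_by: Optional[str] = None
    audit_log: List[Tuple[str, str]] = field(default_factory=list)


class PayrollService:
    """Toy workflow enforcing least privilege, dual operator and divided duties."""

    def __init__(self, user_roles: Dict[str, Set[str]]):
        self.user_roles = user_roles          # user -> roles (constructed directory)
        self.runs: Dict[str, PayrollRun] = {}

    def permissions_of(self, user: str) -> Set[str]:
        perms: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def _require(self, user: str, permission: str) -> None:
        # Deny by default; grant only what the user's roles explicitly carry.
        if permission not in self.permissions_of(user):
            raise AccessDenied(f"{user} lacks {permission}")

    def create(self, user: str, run_id: str) -> PayrollRun:
        self._require(user, "payroll:create")
        run = PayrollRun(run_id, created_by=user)
        run.audit_log.append(("create", user))
        self.runs[run_id] = run
        return run

    def approve(self, user: str, run_id: str) -> PayrollRun:
        self._require(user, "payroll:approve")
        run = self.runs[run_id]
        # Dual operator: the creator can never approve their own run, even when
        # they happen to hold the approver role as well.
        if user == run.created_by:
            raise AccessDenied("separation of duties: creator may not approve own run")
        run.approved_by = user
        run.audit_log.append(("approve", user))
        return run

    def disburse(self, user: str, run_id: str) -> PayrollRun:
        self._require(user, "payroll:disburse")
        run = self.runs[run_id]
        if run.approved_by is None:
            raise AccessDenied("dual control: run has not been approved")
        # Divided duties: the payer must be a third person.
        if user in (run.created_by, run.approved_by):
            raise AccessDenied("separation of duties: payer must differ from creator and approver")
        run.disbursed_by = user
        run.audit_log.append(("disburse", user))
        return run

    def single_holder_roles(self) -> Set[str]:
        """Roles held by exactly one user: key-person dependencies that nobody
        can cover during an absence (and that a mandatory vacation cannot audit)."""
        holders: Dict[str, Set[str]] = {}
        for user, roles in self.user_roles.items():
            for role in roles:
                holders.setdefault(role, set()).add(user)
        return {role for role, users in holders.items() if len(users) == 1}


# Constructed sample directory, not real users.
USER_ROLES = {
    "alice": {"payroll_clerk", "payroll_approver"},  # two roles, still cannot self-approve
    "bob": {"payroll_approver"},
    "carol": {"treasury"},
    "dave": {"auditor"},
}


def demo() -> Dict[str, object]:
    svc = PayrollService(USER_ROLES)
    svc.create("alice", "2024-05")
    outcomes: Dict[str, object] = {}
    try:
        svc.approve("alice", "2024-05")        # blocked: creator == approver
        outcomes["self_approve"] = "allowed"
    except AccessDenied as e:
        outcomes["self_approve"] = str(e)
    svc.approve("bob", "2024-05")
    try:
        svc.disburse("bob", "2024-05")         # blocked: approver role cannot disburse
        outcomes["approver_disburse"] = "allowed"
    except AccessDenied as e:
        outcomes["approver_disburse"] = str(e)
    run = svc.disburse("carol", "2024-05")
    outcomes["chain"] = [who for _, who in run.audit_log]
    outcomes["key_person_roles"] = sorted(svc.single_holder_roles())
    return outcomes


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points matter here. The identity checks in `approve` and `disburse` run after the permission check, so holding the right role is necessary but never sufficient; that is what stops a single well-provisioned account from completing the whole chain. And the key-person report is computed from the same role directory the authorization uses, so the list of roles with only one holder (here `payroll_clerk`, `treasury` and `auditor`) is exactly the list of duties that cannot be covered, or independently reviewed, when that person is away.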