20 for 2020: No one will draw the lines in the sand for you

(Controlled Use of Administrative Privileges)

Originally from David’s LinkedIn:

Chapter 4 of Tetra Defense’s 20 for 2020 information security series is on the Controlled Use of Administrative Privileges: “No one is going to draw the lines in the sand for you”.
Should human resources have access to the personal data of your clients? Should sales staff have access to records of each employee? Obviously not. But there’s nothing inherent in your network that makes this so.
You need to draw lines in the sand around the systems & data that you want each employee to have access to based on their role. Besides the obvious business reasons, it’s critical that you do this because when a hacker gets into your network, they do so via one of your users’ (i.e. employees’) network identities. And whatever that user has access to, the hacker now has access to.
Information security relies on you thinking the way a potential hacker might think, and limiting the scope of their attack before they launch it.
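The point above, that an attacker who lands on a user's identity inherits everything that identity can reach, can be checked mechanically rather than argued about. What follows is an added example, not code from the original post or from Tetra Defense: the users, groups, roles and data sets are constructed for illustration, and nested group membership is resolved the way a directory export would require. The script computes the blast radius of a single compromised login under a catch-all group policy and under a role-scoped one, and flags every account whose effective access exceeds its job role.

```python
"""Blast radius of a compromised identity under role-based access.

Added example; the directory below is constructed, not a real environment.
"""

# The data each business function legitimately needs (the "lines in the sand").
ROLE_ACCESS = {
    "hr":      {"employee_records"},
    "sales":   {"client_contacts", "pipeline"},
    "support": {"client_contacts", "tickets"},
    "it":      {"server_config"},
}

# Group membership as it might come out of a directory export. Groups can
# contain other groups, which is where access quietly widens in practice.
# Group names and user names are assumed to be distinct.
GROUPS = {
    "hr-staff":      {"alice"},
    "sales-staff":   {"bob", "carol"},
    "support-staff": {"dave"},
    "all-staff":     {"hr-staff", "sales-staff", "support-staff", "erin"},
}

# Which role each person actually holds; erin is a contractor with none.
EXPECTED_ROLE = {"alice": "hr", "bob": "sales", "carol": "sales",
                 "dave": "support", "erin": None}

# Two ways of granting roles to groups. The sloppy one is the common
# "give the catch-all group everything so nobody gets blocked" shortcut.
SLOPPY = {"all-staff": {"hr", "sales", "support", "it"}}
SCOPED = {"hr-staff": {"hr"}, "sales-staff": {"sales"},
          "support-staff": {"support"}}


def flatten_group(group, groups, seen=None):
    """Resolve nested membership to the set of user accounts in a group."""
    if seen is None:
        seen = set()
    members = set()
    for member in groups.get(group, ()):
        if member in groups:            # nested group: recurse, guard cycles
            if member not in seen:
                seen.add(member)
                members |= flatten_group(member, groups, seen)
        else:                           # leaf: a user account
            members.add(member)
    return members


def effective_access(user, group_roles, groups):
    """Every data set a user can reach through any group they land in."""
    reach = set()
    for group, roles in group_roles.items():
        if user in flatten_group(group, groups):
            for role in roles:
                reach |= ROLE_ACCESS[role]
    return reach


def blast_radius(compromised_user, group_roles, groups):
    """What an attacker holding this identity can now read or change."""
    return effective_access(compromised_user, group_roles, groups)


def over_privileged(group_roles, groups, expected_role):
    """Map each user to the data they can reach beyond their role's scope."""
    excess = {}
    for user, role in expected_role.items():
        allowed = ROLE_ACCESS[role] if role else set()
        extra = effective_access(user, group_roles, groups) - allowed
        if extra:
            excess[user] = extra
    return excess


if __name__ == "__main__":
    for name, policy in (("sloppy", SLOPPY), ("scoped", SCOPED)):
        print(f"[{name}] bob compromised, attacker reaches:",
              sorted(blast_radius("bob", policy, GROUPS)))
        print(f"[{name}] over-privileged accounts:",
              over_privileged(policy, GROUPS, EXPECTED_ROLE))
```

Run against a real directory export, the same two functions answer the two questions this chapter raises: how far does one phished login get an attacker, and which accounts sit outside the lines you thought you had drawn.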

Check out the rest of the 20 for 2020 video series: