Tactical Issue: How to handle Executive Assistants and #infosec

Problem Statement: How have you seen companies handle executive assistants' access to C-level and VP accounts? Our executives heavily rely on their admins but don't realize the risk when we go to single sign-on.

How does this apply to you?

As organizations grow and expand, access to data becomes more sensitive, and if the business is in M&A mode the sensitivity at the executive level is much higher. Data protection and limitation of access depend on the specific instance.

If an organization, such as the one in the question above, allows admins / executive assistants to access senior leadership files (and most do), then what do you do?

  1. Trust explicitly, same credentials and access as the executives they represent
  2. Trust per instance, same credentials but institute specific 'special handling protocols' for items that are too sensitive
  3. No trust. This is unlikely to succeed unless there are no admins, given that sneaker-net still works, beyond the many other cultural and personnel issues inherent here

Solution Concepts:

There are many ways to approach this problem statement, but here are a few responses to each of the above (I'll reference each bullet number above for simplicity):

  1. Admins/executive assistants go through the same background security vetting as their assigned executives, and the systems themselves have escalated monitoring. Essentially deep background checks, ongoing personnel monitoring, and better system security for the end-user devices.
  2. By far the easiest: special handling protocols for executives would be the initiation of secure platforms, encrypted containers, electronic document handling authenticated to specific systems, even project code names, etc.
  3. These do happen, but definitely require the culture to accept the extreme firewalling (socially) of discussions and work. Not appropriate for many organizations today.

Final Thoughts:

I spend most of my time designing, implementing, and operating global security programs for businesses, so this tactical question was fun to receive. Working in the details is where life happens, and is the proof point for many innovations. Smashing together technology, process, and people is an art, a journey, and always unique.

Hope this helps.

James
