
Essential System Management Policies for Enhanced Security

Introduction to System Management Policies

In addition to establishing policies for users, it is crucial to have well-defined policies for system administrators. These policies should cover procedures for adding and removing users, addressing security issues, and modifying any systems. Moreover, procedures should be in place to handle any unusual deviations. This article delves into the essential system management policies that every organization should implement to ensure robust security and smooth operations.

Policies for New Hires

When a new employee is hired, the system management policy should outline specific steps to protect company security. New employees should be granted access to the resources and applications required for their roles. This access should be documented and recorded. Additionally, it is important for each new employee to receive a copy of the company’s computer security acceptable use policies and sign a document acknowledging receipt.

Before a new employee starts, the IT department, particularly network management, must receive a written request from the business unit where the person will work. This request should specify the exact resources the user will need and the start date. Subsequently, the person responsible for network management or network security should approve and sign the request.

Policies for Employee Termination

When an employee leaves the company, it is crucial to ensure that all their access is terminated and all logins to systems are immediately disabled. Unfortunately, this is a security issue that many organizations do not pay enough attention to. All of the former employee's access must be revoked on their last working day. This applies not only to systems but also to physical access to the building. If a disgruntled former employee still has keys or access cards, nothing prevents them from returning to vandalize the workplace.

When an employee leaves the company, the following procedures must be carried out on their last working day:

  • All login accounts to any servers, VPN, network, or other resources are disabled.
  • All keys to the facility/building/organization are returned.
  • All accounts such as email, internet access, wireless internet, and cell phones are closed.
  • All accounts related to host resources are canceled.
  • The employee’s workstation hard drive is copied and set aside.

The last item might seem unusual. However, if a former employee was collecting private company data or engaging in any other inappropriate activity, you need to know. This is an important control in critical institutions like banking. If you see any evidence of such activity, you need to secure the workstation and keep it as evidence for any legal or criminal proceedings.

All of this might seem a bit excessive to some people. It is true that you will not need to worry about the vast majority of people who leave. However, if you do not make it a habit to follow these procedures when an employee leaves, you may eventually encounter an unfortunate situation.

Change Management Policies

Information technologies are inherently changing and evolving systems. Not only do end-users come and go, but requirements also change frequently. Business units request access to different resources, server administrators upgrade software and hardware, application developers load new software, and developers change the website. Change is always happening. Therefore, it is important to have a change control process. This process not only ensures that the change is made smoothly but also allows IT security personnel to review the change for potential security issues before it is implemented.

A change control request should go through the following steps:

  • An appropriate manager within the business unit signs the request, indicating approval.
  • The relevant IT unit verifies that it can fulfill the request.
  • The IT security unit verifies whether this change will cause any security issues.
  • The appropriate IT unit creates a plan to implement the change and a plan to roll back the change in case of failure.
  • The date and time of the change are planned and communicated to all relevant parties.

Your change control process does not have to follow these exact steps; they indicate in general terms the work to be done. In fact, your organization may have a much more specific policy. The point to remember is that, to keep your network secure, you should review the effects of changes before implementing them and make clear that no change can be made without following a procedure.

For further reading on system management policies, you can refer to authoritative sources such as NIST.
