
Page 284

Non-disclosure Agreement (NDA)

A non-disclosure agreement (NDA) is a work-related contractual agreement that ensures that, prior to being given access to sensitive information or data, an individual or organization appreciates their legal responsibility to maintain the confidentiality of that sensitive information. Job candidates, consultants, or contractors often sign non-disclosure agreements before they are hired. Non-disclosure agreements are largely a directive control.

Note

Though non-disclosure agreements are commonly now part of the employee orientation process, it is vitally important that all departments within an organization appreciate the need for non-disclosure agreements. This is especially important for organizations where it is commonplace for individual departments to engage with outside consultants and contractors.

Background Checks

Background checks (also known as background investigations or pre-employment screening) are an additional administrative control commonly employed by many organizations. The majority of background investigations are performed as part of a pre-employment screening process. Some organizations perform cursory background investigations that include a criminal record check. Others perform more in-depth checks, such as verifying employment history, obtaining credit reports, and in some cases requiring the submission of a drug screening.

The sensitivity of the position being filled, or of the data to which the individual will have access, largely determines how closely this information is scrutinized and how deeply the investigation will report. The overt purpose of these pre-employment background investigations is to ensure that persons who will be employed have not exhibited behaviors suggesting they cannot be trusted with the responsibilities of the position. Ongoing, or post-employment, investigations seek to determine whether the individual continues to be worthy of the trust required of their position. Background checks performed in advance of employment serve as a preventive control, while ongoing repeat background checks constitute a detective control and possibly a deterrent.

Privileged Account Management

Though many organizations have laudably reduced the number of users with access to highly privileged accounts, at least some privileged accounts will necessarily need to exist. While all users can, and will, be targeted by adversaries, privileged accounts, because of their heightened access, represent an even higher-value target. Given their inherently greater access coupled with their higher value to the adversary, extra precautions and mitigations are warranted for privileged accounts.

While ubiquitous MFA would be preferable, organizations should, at the very least, require MFA for privileged accounts; given their substantial access, MFA is warranted. Moreover, privileged accounts very often need remote access, which further exposes them to adversaries.

In addition to requiring MFA, another common practice for privileged account management involves provisioning multiple user accounts to individuals who hold an account with greater access. Besides their privileged user account, these individuals are also provisioned with a less capable standard user account intended for routine activities that don’t warrant higher privileges. These less capable accounts should also be used for any usage patterns commonly abused by adversaries, most notably web browsing and email: these activities do not require higher privileges and are very commonly abused by adversaries.

To limit the productivity impact associated with using multiple accounts, organizations employ systems that allow the use of distinct credentials without having to completely log out and log in again.

Privilege Monitoring

The business needs of organizations require that some individuals have privileged access to critical systems, or systems that contain sensitive data. These individuals’ heightened privileges require both greater scrutiny and more thoughtful controls in order to ensure that confidentiality, integrity, and availability remain intact. Some of the job functions that warrant greater scrutiny include: account creation/modification/deletion, system reboots, data backup, data restoration, source code access, audit log access, and security configuration capabilities.
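As an added illustration of the two controls discussed above (separate standard and privileged accounts with MFA, and scrutiny of the listed privileged job functions), and not code from the original text: a small Python audit-log review run over constructed sample lines. The log format, the "adm-" naming prefix for privileged accounts and the action names are assumptions.

```python
import re

# Constructed sample audit lines (not from the page). Assumed format:
# "<timestamp> user=<name> action=<verb> target=<object> mfa=<yes|no>"
SAMPLE_LOG = """\
2024-05-01T08:00:01 user=adm-jsmith action=login target=srv-db01 mfa=yes
2024-05-01T08:03:12 user=adm-jsmith action=account_create target=svc-backup mfa=yes
2024-05-01T08:10:40 user=adm-jsmith action=web_browse target=news.example.test mfa=yes
2024-05-01T09:15:00 user=adm-kwong action=login target=srv-app02 mfa=no
2024-05-01T09:16:30 user=adm-kwong action=audit_log_read target=srv-app02 mfa=no
2024-05-01T10:00:00 user=jsmith action=web_browse target=intranet.example.test mfa=yes
2024-05-01T10:05:00 user=jsmith action=email_send target=team@example.test mfa=yes
"""

# Job functions the text says warrant greater scrutiny, keyed by assumed audit action name.
PRIVILEGED_ACTIONS = {
    "account_create": "account creation", "account_modify": "account modification",
    "account_delete": "account deletion", "system_reboot": "system reboot",
    "data_backup": "data backup", "data_restore": "data restoration",
    "source_access": "source code access", "audit_log_read": "audit log access",
    "security_config": "security configuration change",
}
# Routine activities that belong on the standard account, never the privileged one.
ROUTINE_ACTIONS = {"web_browse", "email_send", "email_read"}
PRIV_PREFIX = "adm-"  # assumption: privileged accounts carry this prefix

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) target=(\S+) mfa=(yes|no)$")

def parse(line):
    """Parse one audit line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, target, mfa = m.groups()
    return {"ts": ts, "user": user, "action": action, "target": target, "mfa": mfa == "yes"}

def review(log_text):
    """Return privileged-function events for review plus policy violations, in log order."""
    findings = {"review": [], "violations": []}
    for ev in filter(None, map(parse, log_text.splitlines())):
        privileged = ev["user"].startswith(PRIV_PREFIX)
        if ev["action"] in PRIVILEGED_ACTIONS:  # heightened-scrutiny job function
            findings["review"].append((ev["ts"], ev["user"], PRIVILEGED_ACTIONS[ev["action"]], ev["target"]))
        if privileged and ev["action"] == "login" and not ev["mfa"]:
            findings["violations"].append((ev["ts"], ev["user"], "privileged login without MFA"))
        if privileged and ev["action"] in ROUTINE_ACTIONS:  # should have used the standard account
            findings["violations"].append((ev["ts"], ev["user"], f"routine activity ({ev['action']}) on privileged account"))
    return findings

if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        for item in items:
            print(kind, *item)
```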