data security, regulatory and privacy management

Compliance, Security, Data Masking, New York, Connecticut, New Jersey, Massachusetts, Rhode Island

GRT provides expert IT Risk Management, Data Security, Data Privacy, Data Masking and Regulatory Compliance consulting services to companies in the United States and around the world.

business intelligence, operational, analytic and business reporting

Business Intelligence, New York, Connecticut, New Jersey, Massachusetts, Rhode Island

GRT assists you in the development, design and implementation of a data warehouse and business intelligence strategy that ensures a common framework across the enterprise.

Information strategy, gap analysis, tactics, design and implementation

Data Warehouse and Business Intelligence Staffing Solutions, New York, Connecticut, New Jersey, Massachusetts, Rhode Island

GRT is a leader among expert staffing solutions in IT functions associated with Data Security, Business Intelligence and Data Warehouse. We help you meet your information management consulting and staffing needs.

Balance Between Top Security and User Access

If anything, recent attacks have shown that there is no single solution to the complex challenge of being protected against insider threats within an enterprise. However, one major defense against such issues is putting in place prudent policies, with strict limits, about who can access what type of information, in tandem with boosting awareness of security issues throughout an organization.

The first step to doing this, writes Kenneth Corbin for CIO magazine, is for organizations to broaden their understanding of what constitutes an insider threat. In modern times, access to information can extend far beyond the traditional concept of an employee, with the information spreading far beyond the four walls of a headquarters or office.

Insider threats in modern business include contractors, vendors, even volunteers: anyone who has worked around your company data can potentially be the source of an information leak. This extension of the company beyond the physical business space nullifies, to a large extent, traditional security measures like firewalls and standard intrusion detection.

This is what makes it so difficult to develop an appropriate framework for access and permissions that strikes a balance between security protocols and an increasingly fluid workplace. More employees than ever are working remotely and on a variety of devices. This fact alone portends the need for a much more carefully considered and nuanced approach to where various types of data and applications are housed – and the access that is provided to those that need it.

In many cases, the culprit is not even the traditional insider threat that springs to mind, the disgruntled employee bent on deliberate sabotage. For example, one government leak was in no way intended by the leaker; it arose from a lack of firm policy and training. The leaker took a USB stick containing data off the premises and, without thinking properly, uploaded the data to an unsecured server, where it remained for over two years. In this case, proper training and protocol would have easily prevented the potentially serious exposure.

Fairfax County, where the leak happened, now imposes a tough policy on data users, with heavy sanctions for those who break the rules. After an initial training program for a first offense, the penalties increase sharply, with the third offense being grounds for termination. Beyond the data access restrictions, the onus has been put back on the data owners. IT are now merely stewards, with the owner truly responsible for that data. With the risk on the owner, requests by IT for more access are often of a much more cautious nature, operating on a need-to-know basis.

The main message from such an IT policy is that security is not just an IT issue, and it's not just a CISO issue. It's everyone's business. Security must be embedded into the overall DNA of your organization.