Information Access Management
It is vital to manage who has access to which information held by your organisation. This means physically enabling and restricting access to various information, and also having the ability to monitor who is accessing or has accessed what information, and when.
The same applies whether your data is stored and / or replicated on a local or remote server or in the cloud.
- Employees accessing, changing, sharing or deleting sensitive files such as payroll or personnel records, or company confidential data.
- Employees accessing applications they are not authorised to use.
- Fraud, identity theft, sabotage, extortion, espionage.
Access control - authority
You should control who can access different files, folders and applications – either on an individual or group basis – by using Active Directory if you have Windows Server, or by similar methods in other operating systems. For example, everybody in the accounts department could have access to the purchase ledger, but only those with additional access privileges can see payroll details.
Ensure that the following are observed:
- Frequently review who has access to information, and change privileges as necessary.
- Limit the number and scope of employees with ‘administrator’ rights.
- Carefully consider how access rights should be allocated. For example, in larger organisations this can be done on the basis of an individual’s role rather than on a person-by-person basis.
- Consider granting user accounts only those privileges which are essential to that user's work, and blocking any others (known as the ‘principle of least privilege’). For example, a backup user needs to run backup and backup-related applications, but does not need to install new software.
- Consider applying additional controls over users with special access privileges, such as closer monitoring.
- Each employee should have a unique user ID – logging in with username and authentication by a password. These should be treated like an office key or individual alarm code, and not shared or compromised in any way.
- In larger organisations, when a record is set up for a new employee, ensure that different people set up the employee record, payroll arrangements and IT access (known as ‘segregation of duties’).
- Make sure that all computers require a secure login and are all set to log out automatically if left unattended for more than a few minutes.
- Care should be taken as to which access rights are granted to employees when they join the organisation, or change roles / seniority.
- Delete users’ access privileges as soon as they have left the company.
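The review described in the list above can be run as a repeatable check. The following is an added example, not part of the original guidance: it compares an account export against the HR roster and a role-to-group mapping, and reports leaver accounts that are still enabled, accounts with no employee record, groups held beyond the user's role, and too many administrators. All user names, roles, group names and the administrator limit are constructed for illustration.

```python
from datetime import date

# Constructed sample data (assumption): role mapping, HR roster, account export.
ROLE_ENTITLEMENTS = {           # role -> groups that role may hold
    "accounts": {"purchase-ledger"},
    "payroll": {"purchase-ledger", "payroll"},
    "backup-operator": {"backup"},
    "it-admin": {"administrators"},
}
HR_ROSTER = {                   # user id -> (role, leaving date or None)
    "asmith": ("accounts", None),
    "bjones": ("payroll", None),
    "ckhan": ("accounts", date(2024, 3, 1)),
    "svc-backup": ("backup-operator", None),
    "dlee": ("it-admin", None),
}
ACCOUNTS = [                    # (user id, enabled, groups held)
    ("asmith", True, {"purchase-ledger", "payroll"}),
    ("bjones", True, {"purchase-ledger", "payroll"}),
    ("ckhan", True, {"purchase-ledger"}),
    ("svc-backup", True, {"backup", "administrators"}),
    ("dlee", True, {"administrators"}),
    ("temp01", True, {"purchase-ledger"}),
]

def review_access(accounts, roster, entitlements, today, max_admins=1):
    """Return a sorted list of (user, finding) tuples for the reviewer."""
    findings, admins = [], []
    for user, enabled, groups in accounts:
        if not enabled:
            continue                      # disabled accounts grant no access
        if user not in roster:
            findings.append((user, "no matching employee record"))
            continue
        role, left_on = roster[user]
        if left_on is not None and left_on <= today:
            findings.append((user, "leaver account still enabled"))
            continue
        # Least privilege: anything outside the role's allowed groups is excess.
        for group in sorted(groups - entitlements.get(role, set())):
            findings.append((user, f"group '{group}' not allowed for role '{role}'"))
        if "administrators" in groups:
            admins.append(user)
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} administrators: {', '.join(sorted(admins))}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, date(2024, 6, 1)):
        print(f"{user}: {finding}")
```

In practice the three inputs would come from the HR system and the directory service export, and the findings would go to whoever signs off the periodic access review.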
Access control - authentication
Once a user has identified themselves (by entering a username) as someone authorised to access particular files, folders or applications, they should be prompted to prove that they are who they say they are. There are three basic methods of proving identity:
- Something they have such as a smartcard, key or electronic token – or a unique random encryption key.
- Something they know, such as a password, PIN or mother’s maiden name.
- Something they are, such as a biometric (fingerprint or iris) scan.
Using one of these factors, typically a password, provides a reasonable level of confidence in somebody’s identity. Using two- or three-factor authentication is more secure because it makes impersonation more difficult.
For passwords, it is vital to ensure that the following are observed:
- Ensure that employees use strong passwords. Set up the system to accept only strong passwords and to lock out multiple attempts using the incorrect password.
- Educate users about the importance of passwords and the risks of social engineering.
- Change default passwords.
- Enforce password change at regular, pre-determined intervals.
- When you dispose of redundant equipment, ensure that it is securely cleared of passwords as well as other confidential information.