In today’s environment, we have more access to virtually everything that is available in our lives. Access to more people and locations. More information and knowledge available. More Internet access to anything and everything.
With increased access comes a greater need for us to regulate our proprietary or private data, especially when it comes to the businesses for which we work. The concern is that the wrong individuals could gain access to just the right information or systems, causing severe problems for our businesses. However, there is no need to be concerned about losing control over who has access to these items if we prioritise access control in our overall Corporate Security Programs. Organizations can ensure suitable methods for governing user access by reviewing their access control strategy.
An effective Access Control Program is required to secure your people, information, and assets. It allows your company to limit the risk of harm to your people, customers, and partners while also reducing the danger of your information or assets being accessed by the wrong individuals. An efficient Access Control Program helps an organisation make a fair judgement that personnel are given the access they need to do their jobs successfully without placing the company in jeopardy.
To help improve your organizational access control, consider the following tips:
- Create the specifications for an Access Control Program. A formal Access Control Program with a documented user registration and de-registration procedure for seeking, authorising, granting, amending, reviewing, or cancelling access should be developed. Access control rules should match your organization’s requirements for information authorization, access, distribution, and viewing. These principles should be backed up by written processes that specify responsibilities and allocate them to suitable roles. Make certain that your access control needs cover both logical and physical control methods, both of which should be based on the concept of least-privilege.
- Identify and record account types. Account types utilised by your company (e.g., normal user, privileged user, system, service, etc.) should be recognised and documented. Each user’s or group of users’ access control policies should be clearly described. Conditions for group or job membership should also be set. Users should have a clear awareness of the security standards that your organization’s access restrictions must meet.
- Ensure ongoing account management is in place. Unauthorized or inappropriate account access is likely to occur if ongoing maintenance is not in place for all accounts. Account management is not a “one-and-done” exercise but must be performed on a recurring basis to maintain effectiveness. Management approval should be required for all requests to create accounts. Accounts should be created, enabled, modified, monitored, disabled, and removed in accordance with an approved Access Control Policy. Supporting procedures should detail the steps required to meet the defined policy control requirements. Periodic internal account and access reviews or audits should be performed, at least annually, during which the privileges should be verified to validate that the need for currently assigned privileges still exists.
- Actions need to be associated with a unique, individual user. All users should be assigned a unique identifier (user ID) for their personal use only. Appropriate user authentication techniques should also be implemented to substantiate the claimed identity of any authorized user requesting access each time they log in to your organization’s networks, systems, or applications. Baseline controls should include settings for password or passphrase composition and complexity requirements.
- Set controls for accounts with privileged access. This is needed to reduce the likelihood of providing standard users with more access permissions than they require. Appropriate checks or validations for actions performed with privileged accounts should also be implemented to ensure authorized privileged account users are fulfilling their assigned roles in accordance with prescribed security control requirements. The principle of least privilege must be followed, authorizing only access that is necessary for each individual user to accomplish their assigned tasks in accordance with your organization’s mission or business functions.
- Implement and maintain secure logon processes. This verifies the identity of users and associates the user with the actions they perform. Secure logon processes may also help reduce the likelihood of password compromise that may lead to security incidents or data breaches. A limit of five (or fewer) consecutive invalid logon attempts by a user during a fifteen-minute period should be implemented. Accounts should be locked after this threshold of failed logon attempts is reached. It is encouraged to send failed logon alerts, along with other appropriate domain controller alerts, to personnel responsible for monitoring the networks of your organization.
- Provide for password management. This serves as one line of defense for protecting organizations, along with customer information they manage, from unauthorized access due to weak passwords. Password management systems should be interactive and should ensure only quality passwords are being used. Users should be required to follow best practices for selecting, using, and maintaining the confidentiality of passwords. It is recommended that your organization provides training on the selection, along with the safeguarding, of passwords.
- Implement controls to secure information systems when unattended. These controls should provide a layer of defense for organizations to decrease the risk of an unauthorized user gaining access to an authorized user’s system or the output from system devices. Your Access Control Policy should contain clean desk control requirements to ensure that papers or media that are not actively being used are kept in desk drawers or filing cabinets. Personnel should activate a screen lock when they leave their work area to reduce the opportunity for unauthorized personnel viewing potentially sensitive information displayed on a monitor or other peripheral device. Output devices, such as printers or faxes, should also be safeguarded to help prevent unauthorized individuals from obtaining the output from these devices.
- Provide for remote access management. Controls need to be implemented to protect remote access to networks, systems, and applications, thus minimizing the window of exposure organizations face regarding unauthorized access or potential intrusions associated with remote access activities. All remote access should be authorized prior to allowing remote connections to your organization’s network to occur.
- Manage and protect wireless access. Controls need to be implemented to manage how networks, systems, and applications are accessed using wireless technologies. Wireless access for users should be authorized prior to allowing wireless connections to be made. Wireless access to systems and applications should be protected using authentication of users or approved devices.
- Have defined controls to support the segregation of duties. Your organization should implement segregation of duties for conflicting functions, or areas of responsibility, to reduce the opportunities for the unauthorized or unintentional modification, fraud, or misuse of information and information systems. A system of dual controls (e.g., two individuals with separate responsibilities needing to work together to accomplish a single task) should be required and implemented whenever possible.
- Ensure effective controls are in place for mobile computing and working from home. Usage restrictions, configuration requirements, connection requirements, and implementation guidance should be established for all organization-controlled mobile devices. Full-device encryption or container-based encryption should be used to protect the confidentiality and integrity of information on mobile devices. Personnel should be required to report any lost or stolen mobile devices. Your organization should have the ability to wipe mobile devices remotely to remove all information if they are lost or stolen.
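The lockout rule from the secure logon tip above (five consecutive invalid attempts within fifteen minutes), as an added example that is not part of the original article. The event format, user names, timestamps and the function name `evaluate_lockouts` are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # threshold stated in the secure logon tip
WINDOW = timedelta(minutes=15)   # look-back period stated in the same tip

# Constructed sample events (timestamp, user ID, outcome); not real log data.
SAMPLE_EVENTS = (
    # alice: five failures inside eight minutes -> threshold reached
    [(f"2024-01-15T09:0{m}:00", "alice", "failure") for m in (0, 2, 4, 6, 8)]
    # bob: four failures, a success, then two more -> run is not consecutive
    + [(f"2024-01-15T09:0{m}:00", "bob", "failure") for m in (0, 1, 2, 3)]
    + [("2024-01-15T09:04:00", "bob", "success")]
    + [(f"2024-01-15T09:0{m}:00", "bob", "failure") for m in (5, 6)]
    # carol: five failures, ten minutes apart -> never five in one window
    + [(f"2024-01-15T09:{m}:00", "carol", "failure") for m in ("00", "10", "20", "30", "40")]
)


def evaluate_lockouts(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {user_id: time_of_lock} for accounts that reach the threshold."""
    recent_failures = defaultdict(deque)   # per-user failure timestamps
    locked = {}
    for ts_text, user, outcome in sorted(events):   # ISO text sorts by time
        if user in locked:
            continue                       # already locked; nothing to count
        if outcome == "success":
            recent_failures[user].clear()  # a success breaks the consecutive run
            continue
        ts = datetime.fromisoformat(ts_text)
        failures = recent_failures[user]
        failures.append(ts)
        # Drop failures that fell out of the fifteen-minute window.
        while ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_failures:
            locked[user] = ts              # lock here and raise the alert
    return locked


if __name__ == "__main__":
    for user, when in evaluate_lockouts(SAMPLE_EVENTS).items():
        print(f"ALERT: lock account {user} at {when.isoformat()}")
```

Each entry in the returned mapping is the point at which the account should be locked and a failed logon alert sent to the monitoring team.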
Organizations should ensure that a comprehensive Access Control Program is developed and implemented consistently across the organization. Organizations that do not could potentially overlook a pivotal security function or leave a control unaddressed. By developing a comprehensive Access Control Program, supported by all organizational stakeholders, organizations can avoid key access control pitfalls for effective overall security.