
Information Access Management

Managing who has access to which information is vital in any business. The ability to restrict certain people to certain information maintains confidentiality, but it is equally important to be able to monitor who accessed what information, and when. 

Whether your data is stored on a local or remote server or in the cloud, the same rules apply. 

The Risks

  • Employees accessing, changing, sharing or deleting sensitive files such as payroll or personnel records, or company confidential data.
  • Employees accessing applications they are not authorised to use.
  • Sabotage, extortion, espionage or information theft.
  • A hacker with insider access being able to see restricted files.

Access Control - Authority

Control who can access different files, folders and applications, either on an individual or group basis, by using Active Directory if you have Windows Server – or by similar methods in other operating systems. For example, everybody in the accounts department could have access to the purchase ledger, but only a small number with certain access privileges can see payroll details. 

Ensure that the following are observed:

  • Frequently review who has access to information, and change privileges as necessary.
  • Limit the number and scope of employees with administrator rights.
  • Carefully consider how access rights should be allocated. For example, in larger organisations this can be done on the basis of an individual’s role rather than on a person-by-person basis. 
  • Grant user accounts only those privileges which are essential to that user's work (known as the principle of least privilege). For example, a backup user does not need to install software, only to run backup and backup-related applications; block any other privileges such as installing new software.
  • Consider applying additional controls over users with special access privileges, such as closer monitoring.
  • Each employee should have a unique user ID: identity is claimed with a username and proven with a password (or other authenticator). Credentials should be treated like an office key and never shared or otherwise compromised.
  • In larger organisations, when a record is set up for a new employee, ensure that different people set up the employee record, the payroll arrangements and the IT access (known as segregation of duties).
  • Make sure that all computers require a secure login and are all set to log out automatically if left unattended for more than a few minutes.
  • Care should be taken as to which access rights are granted to employees when they join the organisation, or change roles / seniority.
  • Delete users’ access privileges as soon as they have left the company.
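The controls in the list above (role-based allocation, least privilege, segregation of duties, an audit trail of who accessed what and when, and immediate revocation on leaving) can be demonstrated in a few lines. The following is an added example and not code from the original page: it implements a small role-based access model in Python, with the roles, resources and users ("accounts", "payroll", "PurchaseLedger", "alice", and so on) constructed for illustration rather than taken from any real system.

```python
"""Role-based access control with an audit trail (added illustration).

Roles carry permissions, users are assigned roles, every access decision
is logged with a timestamp, and offboarding removes all roles at once.
Names of roles, resources and users are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timezone


class AccessControl:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(resource, action)}
        self.user_roles = defaultdict(set)   # user -> {role}
        self.separation = set()              # pairs of roles one person may not hold together
        self.audit_log = []                  # (timestamp, user, resource, action, allowed)

    def grant(self, role, resource, *actions):
        """Give a role specific actions on a resource and nothing more."""
        for action in actions:
            self.role_perms[role].add((resource, action))

    def separate(self, role_a, role_b):
        """Segregation of duties: the same person may not hold both roles."""
        self.separation.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        if role not in self.role_perms:
            raise ValueError(f"unknown role {role!r}")
        for held in self.user_roles.get(user, ()):
            if frozenset((held, role)) in self.separation:
                raise ValueError(f"{user} holds {held!r}; segregation of duties forbids {role!r}")
        self.user_roles[user].add(role)

    def revoke_all(self, user):
        """Offboarding: remove every role the moment the person leaves."""
        self.user_roles.pop(user, None)

    def permissions(self, user):
        return {p for role in self.user_roles.get(user, ()) for p in self.role_perms[role]}

    def check(self, user, resource, action):
        """Decide an access request and record who, what, when and the outcome."""
        allowed = (resource, action) in self.permissions(user)
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, user, resource, action, allowed))
        return allowed

    def accessed(self, resource):
        """Who accessed a resource, and when: successful accesses only."""
        return [(ts, u, a) for ts, u, r, a, ok in self.audit_log if r == resource and ok]

    def review(self):
        """Periodic access review: each user with their effective permissions."""
        return {u: sorted(self.permissions(u)) for u in self.user_roles}


def build_demo():
    """Constructed sample organisation: accounts staff see the purchase ledger,
    only payroll staff see payroll, a backup account can only run backups."""
    ac = AccessControl()
    ac.grant("accounts", "PurchaseLedger", "read", "write")
    ac.grant("payroll", "Payroll", "read", "write")
    ac.grant("backup-operator", "Backups", "run")        # no "install" anywhere
    ac.grant("hr-records", "EmployeeRecords", "create")
    ac.grant("it-provisioning", "UserAccounts", "create")
    ac.separate("hr-records", "it-provisioning")        # different people set these up
    ac.assign("alice", "accounts")
    ac.assign("alice", "payroll")
    ac.assign("bob", "accounts")
    ac.assign("svc-backup", "backup-operator")
    ac.assign("carol", "hr-records")
    return ac
```

Because permissions hang off roles rather than people, a role change is a single reassignment, the periodic review is a one-call report, and revoking a leaver is a single deletion rather than a hunt through individual file permissions. The same structure is what a directory group model gives you; the audit log is the part that is easy to forget.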

Access Control - Authentication

Once a user has identified themselves, typically by entering a username, they should be prompted to prove that they are who they say they are before being given access to particular files, folders or applications. There are three basic methods of proving identity:

  • Something they have, such as a smart card, a physical key, a hardware token or a private cryptographic key.
  • Something they know, such as a password, a PIN or a memorable answer (for example a mother's maiden name, although such facts are often easy to discover and make weak secrets).
  • Something they are, such as a fingerprint or iris scan.

Using one of these factors, typically a password, provides only some confidence in somebody's identity, because a single factor can be guessed, stolen or phished. Using two or three factors of different types is more secure because an impersonator then has to defeat each of them.

For passwords, it is vital to ensure that the following are observed:

  • Ensure that employees use strong passwords. Set up the system to accept only strong passwords and to lock out (or slow down) further attempts after repeated incorrect passwords.
  • Educate users about the importance of passwords and the risks of social engineering.
  • Change default passwords.
  • When you dispose of redundant equipment, ensure that it is securely cleared of passwords as well as other confidential information.

Consider using smart cards or fingerprint (or other biometric) recognition as well as passwords for authentication.
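The password rules above (accept only strong passwords, lock out after repeated failures) and the "something they have" factor can be combined in one login routine. The following is an added example, not code from the original page: it enforces a simple strength policy, stores passwords as salted PBKDF2 hashes, locks the account after a fixed number of failures, and requires a time-based one-time code (TOTP, RFC 6238) from an authenticator token as the second factor. The policy thresholds, the lockout period, the iteration count and the sample user are assumptions chosen for the demo.

```python
"""Password policy, lockout and a second factor (added illustration).

Thresholds (MIN_LENGTH, MAX_FAILURES, LOCKOUT_SECONDS, PBKDF2 iterations)
are assumptions for the demo; the user store is in memory.
"""
import base64
import hashlib
import hmac
import os
import re
import struct
import time

MIN_LENGTH = 12
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
# Production should use the current OWASP recommendation (600,000 for
# PBKDF2-HMAC-SHA256 at the time of writing); lowered here so the demo runs quickly.
ITERATIONS = 200_000
COMMON = {"password", "password1", "letmein", "qwerty123456", "welcome1"}


def is_strong(password):
    """Policy: long enough, not a well-known password, at least three character classes."""
    if len(password) < MIN_LENGTH or password.lower() in COMMON:
        return False
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes >= 3


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as produced by common authenticator apps."""
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Authenticator:
    def __init__(self):
        self.users = {}   # username -> {"pw", "totp", "failures", "locked_until"}

    def enrol(self, username, password, totp_secret):
        if not is_strong(password):
            raise ValueError("password does not meet policy")
        self.users[username] = {"pw": hash_password(password), "totp": totp_secret,
                                "failures": 0, "locked_until": 0}

    def login(self, username, password, code, now=None):
        """Returns 'ok', 'denied' or 'locked'. Both factors must be right."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            hash_password(password, b"\0" * 16)   # same cost as a real check: no username enumeration by timing
            return "denied"
        if now < user["locked_until"]:
            return "locked"
        ok = verify_password(password, user["pw"]) and hmac.compare_digest(code, totp(user["totp"], now))
        if ok:
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failures"] = 0
            return "locked"
        return "denied"
```

Two points worth noticing: a correct password with a wrong code still counts as a failure, so a stolen password alone does not get in, and a locked account stays locked for the whole period even when the right credentials are presented. Lockout does mean an attacker can lock legitimate users out by guessing badly on purpose, so many systems prefer progressive delays or lock only the offending source; either way, record the failures so they can be monitored.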
