Access control is a central principle of cyber and information security. As our last newsletter, Spotlight On: ISO 27001, noted, the bedrocks of an information security management system (ISMS) are confidentiality, integrity and availability.
These principles concern who has access to systems, information or data sets, who can amend them, and ensuring that eligible users can do so with appropriate ease and efficiency.
Within a business or organisation, the access control framework should be a decision taken by management. One element of access control is the Segregation of Duties principle: no user should be given a level of access that they could misuse on their own. For example, the person responsible for approving payroll should be different from the person who prepares it.
Access control is an ongoing exercise. Structures need to be audited and reviewed on a regular basis, as well as when new systems are introduced, employees join or leave, or people start a new role internally. If somebody previously had access to a system or certain information, that access should not remain if it is no longer relevant to their job. Restricting or rescinding access is just as important as granting it.
Training and communication about access control are very important. People may need access to something, but this does not mean it is appropriate for them to make active use of it. For example, an employee may have access to HR files in order to find information to address a letter or obtain a phone number to contact somebody, but they should not abuse this access by looking at items not relevant to them, such as salary or other terms of an employment contract. Details will vary from business to business, but the core principles remain the same.
When reviewing your access controls, you can follow the steps below:
- Focus on what matters most. Confidential or sensitive information should be the most protected, and the controls around it should be prioritised. Make sure you understand everybody’s role and responsibilities, and that the correct access is granted so that they can do their job effectively and efficiently.
- Read through your security policies, procedures and guidelines and align your access controls to them for a clear and consistent approach. Remember that access controls cover a wide range of elements, from system or file access on a computer to the physical storage of sensitive information.
- Expect to be held accountable. Breaches should be taken seriously and should trigger a review of controls. Take responsibility for not having adequate controls in place; incidents are not solely down to misuse.
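As an added illustration of the review steps above (not part of the original newsletter), the small Python script below checks a constructed user list against a role-to-entitlement matrix, flagging access held beyond a person’s current role (movers and leavers) and the payroll preparer/approver conflict. The role names, entitlements and rules are assumptions made for the example.

```python
"""Access review helper: flags stale access and segregation-of-duties
conflicts. All roles, entitlements and users below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed role model: the access each job role legitimately needs.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "payroll_clerk": {"payroll.prepare", "hr.contact_lookup"},
    "finance_manager": {"payroll.approve", "finance.reports"},
    "receptionist": {"hr.contact_lookup"},
}

# Constructed segregation-of-duties rules: no one person may hold both.
SOD_CONFLICTS = [("payroll.prepare", "payroll.approve")]


@dataclass
class User:
    name: str
    role: Optional[str]       # None models a leaver with no current role
    entitlements: Set[str]    # access actually held in the system


def review_user(user: User) -> List[str]:
    """Return review findings for one user (empty list means clean)."""
    findings: List[str] = []
    allowed = ROLE_ENTITLEMENTS.get(user.role, set()) if user.role else set()
    excess = sorted(user.entitlements - allowed)
    if user.role is None and user.entitlements:
        findings.append(f"leaver still holds {excess}")
    elif excess:
        findings.append(f"excess for role {user.role}: {excess}")
    for a, b in SOD_CONFLICTS:
        if a in user.entitlements and b in user.entitlements:
            findings.append(f"segregation-of-duties conflict: {a} + {b}")
    return findings


def run_review(users: List[User]) -> Dict[str, List[str]]:
    """Map each user with at least one finding to their findings."""
    report: Dict[str, List[str]] = {}
    for u in users:
        found = review_user(u)
        if found:
            report[u.name] = found
    return report


# Constructed sample: bob moved from payroll clerk to finance manager but
# kept his old access; carol has left but still holds an entitlement.
SAMPLE_USERS = [
    User("alice", "payroll_clerk", {"payroll.prepare", "hr.contact_lookup"}),
    User("bob", "finance_manager",
         {"payroll.approve", "finance.reports", "payroll.prepare"}),
    User("carol", None, {"hr.contact_lookup"}),
    User("dave", "receptionist", {"hr.contact_lookup"}),
]

if __name__ == "__main__":
    for name, findings in run_review(SAMPLE_USERS).items():
        print(name, "->", "; ".join(findings))
```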
Clear Thinking partners with businesses to provide multi-layered secure and compliant IT solutions, including certifications, compliance, disaster recovery and more. Further details on our cyber security services, including vulnerability assessments, can be found here: https://clearthinking.co.uk/cyber-security/