Do you know what your team members can access? Controlling access to your key systems and data is crucial to protecting your business and customers. It is one of the five control areas covered in Cyber Essentials.
Having processes in place to ensure that you are properly controlling access provides assurance to yourself and your customers that your IT infrastructure and information are safe. Key processes to consider for access controls are:
- New access requests: Having a process in place for granting access to new users, or additional access to existing users, will make things easier and safer from the outset. You may find it helpful to draw up a list of the access required to do each job so that requests are easier to approve and set up.
- One account per user: Try to avoid having only one user account or login for multiple people and encourage your staff to keep their log-in details secret. This will make it much easier to figure out who was logged-in if there is an incident.
- Periodic review: Set a regular schedule to review users’ access rights. We recommend doing this on a quarterly basis for normal users and monthly for users with administrator privileges. This review should be done by someone with a good understanding of what the user needs to do as part of their job; depending on the size of your business, this may be line managers or the business owner. (Users should not self-certify their own access rights.) This process will also help identify accounts that were not deleted when users left, or access rights that were not changed properly when someone’s role or responsibilities changed.
- Limit user access rights: Users should only have enough permissions to do their job. Granting someone more access rights than they need may result in accidents if they are not properly trained and increases risk of misuse.
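As an added illustration (example code, not part of the original article), the checks above can be turned into a simple audit over an account export: it flags shared logins, accounts of leavers that are still enabled, reviews that are overdue against the quarterly (90-day) and monthly (30-day) cadences, and access beyond a per-role baseline. The role baseline, account records and review date are all constructed sample data.

```python
from datetime import date, timedelta

# Review cadence from the article: quarterly for normal users, monthly for admins.
REVIEW_INTERVAL_DAYS = {"admin": 30, "user": 90}

# Hypothetical per-role baseline: the access each job is expected to need.
ROLE_BASELINE = {
    "accounts": {"finance-app", "email"},
    "sales": {"crm", "email"},
    "it-admin": {"crm", "finance-app", "email", "domain-admin"},
}

# Constructed sample account export (not real data).
ACCOUNTS = [
    {"login": "alice", "role": "accounts", "admin": False, "owners": ["alice"],
     "left": None, "last_review": date(2024, 1, 10), "access": {"finance-app", "email"}},
    {"login": "bob", "role": "sales", "admin": False, "owners": ["bob"],
     "left": date(2024, 3, 1), "last_review": date(2024, 2, 1), "access": {"crm", "email"}},
    {"login": "reception", "role": "sales", "admin": False, "owners": ["carol", "dan"],
     "left": None, "last_review": date(2024, 5, 1), "access": {"crm", "email"}},
    {"login": "erin", "role": "sales", "admin": False, "owners": ["erin"],
     "left": None, "last_review": date(2024, 5, 1), "access": {"crm", "email", "finance-app"}},
    {"login": "frank", "role": "it-admin", "admin": True, "owners": ["frank"],
     "left": None, "last_review": date(2024, 4, 1), "access": {"domain-admin", "email"}},
]

# Constructed date on which the audit is run.
AUDIT_DATE = date(2024, 5, 20)


def audit(accounts, today):
    """Return a list of (login, finding) pairs for a reviewer to act on."""
    findings = []
    for acct in accounts:
        login = acct["login"]
        if acct["left"] is not None:
            findings.append((login, "leaver still has an enabled account"))
        if len(acct["owners"]) > 1:
            findings.append((login, "shared account: multiple people use one login"))
        limit = REVIEW_INTERVAL_DAYS["admin" if acct["admin"] else "user"]
        if today - acct["last_review"] > timedelta(days=limit):
            findings.append((login, f"review overdue ({limit}-day cadence)"))
        extra = acct["access"] - ROLE_BASELINE.get(acct["role"], set())
        if extra:
            findings.append((login, f"access beyond role baseline: {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for login, finding in audit(ACCOUNTS, AUDIT_DATE):
        print(f"{login}: {finding}")
```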
To learn more about information access management and user accounts, visit Get Safe Online.
