Level Up Your Access Control Policies and Procedures

Not every organization needs to stamp "top secret" on its folders or have simultaneous fingerprint recognition access to a containment facility or vault. Yet, across industries it can help the business security posture to develop policies and procedures that require individuals to level up for access to information systems, applications, or particular parts of your premises.

What Access Policies Address

Access control policies manage who can access information, where and when. Your company can better maintain data, information, and physical security from unauthorized access by defining a policy that limits access on an individualized basis. Providing different levels of access rights to all employees, as well as all contractors, consultants, temporary employees, and business partners can help limit risk exposure and make it easier to monitor and maintain a robust security posture.

Access policies allow you to monitor, manage, track, log, and audit access of computers, information systems, and physical premises. Establishing these standards can develop a consistent security posture to preserve data confidentiality, integrity, and availability and provide authorized, granular, and appropriate user access. At the same time, these initiatives help raise awareness and communicate to employees the importance your organization puts on cybersecurity.

Financial, healthcare, defense, and safety organizations as well as utilities all have compliance standards they must meet with their access policies. Yet, don't make the mistake of thinking your organization is unlikely to be at risk. Complacency is a cardinal mistake when it comes to cybersecurity.

We Have a Policy For That

When it comes to cybersecurity, you want your answer to always be "we have a policy for that." There are many areas to cover in working up your security policies and procedures. Here are several fundamental ones.

To begin with, you'll often require the following before the individual gains any access at all:

Acceptable Use

Commonly before an individual is given a user ID, he or she will need to agree to acceptable use policy. This policy reminds individuals to avoid inappropriate use exposing the company to risks such as virus attacks, compromise of network systems and services, or legal issues. Acceptable Use Policies (AUP) typically apply to employees, contractors, consultants, temporary employees, and third-party personnel.

Compliance Statements

Require all users access the information system to sign a compliance statement before they are issued a log-on ID. Annually confirm that all users understand and agree with your policies and procedures.

Once a user is given an ID or access is enabled, there are several access control elements to institute:

Entity Authentication

If your organization has not already defined and documented its policies for access to network and systems, you should probably just stop reading and get on that right now!

Your authentication ought to include unique user identifiers such as biometric identification, password, personal identification number, or tokens as well as automatic logoff.

Workstation Access

Control access to workstations with password-enabled screen savers and time-out-after-no-activity features which require users to re-log on to continue usage after a period of inactivity.

Remote Access

Outline and define acceptable methods of remotely connecting to your organization's networks. With the move to Bring Your Own Device assets, and the employee desire to telecommute or work while onsite or traveling for business, a policy extending to insecure network locations is necessary.

Physical Premises

View access to physical premises as a privilege, not a right. This means that physical access will be regulated by user responsibility and accountability just as access to information or networks and systems would be. Often you will see security levels established:

• Basic security — allowing access to areas typically unlocked during business hours, but requiring ID access to secure areas after hours.
• Enhanced security — requiring ID access at all times with the premises monitored by mechanisms such as mechanical or electric locks, video cameras, or security personnel.
• High-Risk security — limits access to restricted areas often requiring accompaniment by authorized individuals, biometric control devices, or other advanced means.

In ensuring appropriate access, it's important to prioritize based on need. This means considering:

Need-to-Know

Only grant access to information, applications and functions, systems, and premises on the basis of what privileges the individual requires to perform his or her job. Really, it gives your employees an opportunity to feel like spies or government officials when they get access "on a need-to-know basis."

Access Approval

The Security Administrator should be notified of all changes in end-user duties or employment status. The administrator should immediately revoke access privileges for terminated individuals, and modify user privileges to reflect role transfer or new responsibilities.

When it comes to confidential systems log and audit information allowing your administrators to determine access time, method of access, and trace the commands to a particular user account.

Non-Employees

Before any individuals who are not employees are granted access privileges you might require written approval of the internal Department Head who can help define the terms and conditions of that access to computers, information systems, or physical premises.

Change Management

Insure continued cybersecurity with a change management policy formalizing your process for making changes to IT, software development and security services. Procedures here will seek to minimize adverse impact on services and customers.

Cybersecurity is complicated by rapidly evolving technologies, architectures, and policies. Will your security posture stand up against a highly motivated individual seeking to exploit vulnerabilities? Do your access controls meet industry standards? A penetration test will tell.

RedTeam Security penetration testing offers industry-specific threat profiling. Along with comprehensive testing of your business's technical landscape, we'll also test your people and physical security controls. Schedule a meeting with our team to learn how to best secure your business, or click below to request a proposal instantly.