Cyber Essentials – user access control
User access control:
Only authorised users and administrators should be allowed. Access should be provided at the minimum level required for all systems.
What does this mean…?
Failure to implement an effective user access control policy may expose your applications, computers and networks to risk.
It is easy for hackers to take advantage of uncontrolled administrative privileges and to exploit desktops, laptops and servers.
Techniques used by attackers commonly involve the elevation of privileges by guessing or cracking a password for an administrative user to gain access to a target machine.
Another common issue with the failure to manage user access control can lead to employees unwittingly or deliberately accessing and misusing data they shouldn’t be authorised to access.
What can we do to help reduce this risk…?
- Implement a user account management system and privilege management process.
- Don’t use network and system administrator user accounts for non-administrator activities.
- Restrict special account privileges to a limited number of authorised individuals.
- Don’t allow unauthorised user accounts access to applications, computers and networks.
- Document user access permissions.
- Implement a unique username and strong password policy.
- Ensure user passwords are changed on a regular basis
If you need further guidance with Cyber Essentials, please feel free to get in touch, and find out how this Government Scheme can help with protecting your organisation.