Cyber security: shouldn’t be news – user access should be controlled

Access to data and files should be restricted to only give enough access to files, software and settings to enable staff to perform their role.

Access control is one of the basic controls for the Government backed Cyber Essentials scheme.

Cyber Essentials is a great first step for organisations starting their cyber security journey, but it is also valuable for larger organisations that assume they have cyber security covered. Cyber Essentials and Cyber Essentials Plus can act as a checklist for the board to ensure that the basics are in place. Many of the major breaches in the news recently come down to a lack of these basic controls.

Cyber Essentials: why control access?

If a user account is compromised, and someone does gain unauthorised access, limiting the access rights of that account would help minimise the potential damage that could be done.

For example, if someone compromised a sales director’s user account, possibly through a weak password, would it be possible that they would have access to all the finance records and all the HR records? Stepping back from here, does that Director need access to those records to perform their role?

This also means access is updated for staff who move from one internal function to another. For example, if a member of staff moves from HR to finance, their access to the HR environment should be removed if they no longer carry out any HR functions.

Permissions register

Keeping a permissions register is a great way to keep track of who has access to which files and which software, and at what level, e.g. User, Super User, Admin. A simple spreadsheet would suffice, with user names along the top and a list of files and software down the side, with the access level identified. Then add a tick under each staff name against the files and software they have access to. Review it regularly to ensure it is up to date. It can then be incorporated into your change management process for new starters and leavers.

Cyber Essentials – admin accounts

Admin account access is like handing an attacker the key to your whole business, and it is usually the first thing they will look for. Cyber Essentials requires the use of admin accounts to be restricted to carrying out administrative tasks only.

User accounts are frequently given admin access because it is ‘convenient’: users can then do whatever they want (including install software, see below). Even the person who manages your IT should not use an admin account as their default user account.

Ensuring staff don’t browse the internet or check emails with admin access reduces the risk that an admin account will be compromised. All users, including the person responsible for IT, should have a standard account, and only use admin account access to carry out administrative tasks.

Cyber Essentials requires that administrative privileges are controlled and only given to those who need them, and that access to your data is controlled through user accounts.

Each user needs their own user account with their own permissions. Staff should not need to share user accounts (or passwords) to carry out their function.
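As an added example (not from the original post and not part of the Cyber Essentials scheme), the Python below runs the review described in the permissions register section above against a staff roster, flagging the situations this post describes: leavers who still hold access, movers who kept access from their old function, and staff whose only account is an admin one. The register rows, roster entries and resource ownership are constructed sample data; a real review would export them from your own spreadsheet and HR system.

```python
"""Review a permissions register against the current staff roster."""
from collections import defaultdict

# Constructed sample register: (user, resource, access level). Levels mirror
# the post's "User / Super User / Admin" wording.
REGISTER = [
    ("alice", "Finance share", "User"),
    ("alice", "HR system", "User"),        # alice moved from HR to Finance
    ("bob", "Workstation", "Admin"),       # bob's only account is an admin one
    ("carol", "HR system", "Super User"),
    ("dave", "Finance share", "User"),     # dave has left the organisation
    ("erin", "Workstation", "User"),
    ("erin", "Workstation", "Admin"),      # separate admin account: acceptable
]

# Constructed roster: user -> (current department, employment status)
ROSTER = {
    "alice": ("Finance", "active"),
    "bob": ("IT", "active"),
    "carol": ("HR", "active"),
    "dave": ("Finance", "leaver"),
    "erin": ("IT", "active"),
}

# Constructed mapping of each resource to the function that owns it;
# None means the resource is not tied to one department.
RESOURCE_OWNER = {"HR system": "HR", "Finance share": "Finance", "Workstation": None}


def review_register(register, roster, owners):
    """Return sorted (user, finding) pairs for the reviewer to action."""
    findings = []
    levels = defaultdict(set)  # every access level each user holds
    for user, resource, level in register:
        levels[user].add(level)
        dept, status = roster.get(user, (None, "unknown"))
        if status != "active":  # leaver (or unknown) account still in the register
            findings.append((user, f"{status} account still has {level} on {resource}"))
            continue
        owner = owners.get(resource)
        if owner and owner != dept:  # mover kept access from a previous function
            findings.append((user, f"{dept} staff holds {level} on {owner} resource {resource}"))
    for user, held in levels.items():
        active = roster.get(user, (None, ""))[1] == "active"
        if active and "Admin" in held and "User" not in held:  # admin used as default account
            findings.append((user, "admin access with no standard account"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_register(REGISTER, ROSTER, RESOURCE_OWNER):
        print(f"{user}: {finding}")
```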

Access to software

Allowing users to download or access whatever software they like also increases the risk of introducing malware and, with it, unauthorised access to your environment.

As a minimum, only allow users to install software from manufacturer-approved sources, which screen for malware. For mobile devices, Google Play and the Apple App Store are such sources.

Ideally, all software downloads and access should be controlled and go through an approval process. Removing admin access rights will help an organisation control this, and also allows it to keep a record of any updates or patching the software will require.

Read more about Cyber Essentials access control

View or download the Cyber Essentials questionnaire to learn more about the controls in the government-backed standard.