By Bryon Miller, ASCENT
In today’s world, we have more access to essentially all that’s available in our lives. More access to people and places. More access to information and knowledge. More access to everything and anything on the Internet. With this increased access comes an increased desire within us as human beings to control our proprietary or private data, especially as it relates to the organizations for which we work.
However, there is a fear that the wrong people are going to access just the right information or systems to create major issues for our organizations. But there is no need to fear losing control over who is accessing these things if we make access control a priority in our overall Corporate Security Programs. By examining the strategy for access control, organizations can ensure appropriate practices are in place to govern user access.
An effective Access Control Program is necessary to protect your people, information, and assets. It enables your organization to reduce the risk of harm to your people, customers, and partners, as well as the risk of unauthorized access to your information or assets. An effective Access Control Program helps an organization make a reasonable determination that individuals are granted the proper access needed to do their jobs effectively without putting the organization in a compromising situation.
To help you improve your organizational access control, consider the following tips:
- Develop requirements for an Access Control Program. A formal Access Control Program should be implemented that includes a documented user registration and de-registration process for requesting, approving, granting, modifying, reviewing, or revoking access. Access control rules should reflect your organization's requirements for the authorization, access to, dissemination, and viewing of information. These rules should be supported by formal procedures with clearly defined responsibilities assigned to appropriate roles. Be sure your access control requirements address both logical and physical control measures, each based on the principle of least privilege.
- Identify and document account types. Account types (e.g., standard user, privileged user, system, service, etc.) used by your organization should be identified and documented. Access control rules for each user, or group of users, should be clearly stated. The conditions for group or role membership should be established as well. Users should have a clear understanding of the security requirements to be met by the access controls implemented by your organization.
- Ensure ongoing account management is in place. Unauthorized or inappropriate account access is likely to occur if ongoing maintenance is not in place for all accounts. Account management is not a “one-and-done” exercise but must be performed on a recurring basis to maintain effectiveness. Management approval should be required for all requests to create accounts. Accounts should be created, enabled, modified, monitored, disabled, and removed in accordance with an approved Access Control Policy. Supporting procedures should detail the steps required to meet the defined policy control requirements. Periodic internal account and access reviews or audits should be performed, at least annually, during which the privileges should be verified to validate that the need for currently assigned privileges still exists.
- Actions need to be associated with a unique, individual user. All users should be assigned a unique identifier (user ID) for their personal use only. Appropriate user authentication techniques should also be implemented to substantiate the claimed identity of any authorized user requesting access each time they log in to your organization’s networks, systems, or applications. Baseline controls should include settings for password or passphrase composition and complexity requirements.
- Set controls for accounts with privileged access. This is needed to reduce the likelihood of providing standard users with more access permissions than they require. Appropriate checks or validations for actions performed with privileged accounts should also be implemented to ensure authorized privileged account users are fulfilling their assigned roles in accordance with prescribed security control requirements. The principle of least privilege must be followed, authorizing only access that is necessary for each individual user to accomplish their assigned tasks in accordance with your organization’s mission or business functions.
- Implement and maintain secure logon processes. This verifies the identity of users and associates each user with the actions they perform. Secure logon processes may also help reduce the likelihood of password compromise that may lead to security incidents or data breaches. A limit of five (or fewer) consecutive invalid logon attempts by a user during a fifteen-minute period should be implemented. Accounts should be locked once this threshold of failed logon attempts is reached. Failed logon alerts, along with other appropriate domain controller alerts, should be sent to the personnel responsible for monitoring your organization's networks.
- Provide for password management. This serves as one line of defense for protecting organizations, along with the customer information they manage, from unauthorized access due to weak passwords. Password management systems should be interactive and should ensure only quality passwords are being used. Users should be required to follow best practices for selecting, using, and maintaining the confidentiality of passwords. It is recommended that your organization provide training on the selection and safeguarding of passwords.
- Implement controls to secure information systems when unattended. These controls should provide a layer of defense that decreases the risk of an unauthorized user gaining access to an authorized user's system or to the output from system devices. Your Access Control Policy should contain clean desk control requirements to ensure that papers or media that are not actively being used are kept in desk drawers or filing cabinets. Personnel should activate a screen lock when they leave their work area to reduce the opportunity for unauthorized personnel to view potentially sensitive information displayed on a monitor or other peripheral device. Output devices, such as printers or faxes, should also be safeguarded to help prevent unauthorized individuals from obtaining the output from these devices.
- Provide for remote access management. Controls need to be implemented to protect remote access to networks, systems, and applications, thus minimizing the window of exposure organizations face regarding unauthorized access or potential intrusions associated with remote access activities. All remote access should be authorized prior to allowing remote connections to your organization’s network to occur.
- Manage and protect wireless access. Controls need to be implemented to manage how networks, systems, and applications are accessed using wireless technologies. Wireless access for users should be authorized prior to allowing wireless connections to be made. Wireless access to systems and applications should be protected using authentication of users or approved devices.
- Have defined controls to support the segregation of duties. Your organization should implement segregation of duties for conflicting functions, or areas of responsibility, to reduce the opportunities for the unauthorized or unintentional modification, fraud, or misuse of information and information systems. A system of dual controls (e.g., two individuals with separate responsibilities needing to work together to accomplish a single task) should be required and implemented whenever possible.
- Ensure effective controls are in place for mobile computing and working from home. Usage restrictions, configuration requirements, connection requirements, and implementation guidance should be established for all organization-controlled mobile devices. Full-device encryption or container-based encryption should be used to protect the confidentiality and integrity of information on mobile devices. Personnel should be required to report any lost or stolen mobile devices. Your organization should have the ability to wipe mobile devices remotely to remove all information if they are lost or stolen.
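As an added illustration of the secure logon tip above (five or fewer consecutive failed logons in a fifteen-minute period, then lockout and an alert to monitoring staff), here is a small Python checker run over a constructed authentication log; it is example code written for this page, not code from the article or from ASCENT, and the log format, user names and timestamps are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the article's tip: lock after five consecutive failures in fifteen minutes.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=15)

# Constructed sample authentication log (not from any real system): "timestamp user result".
SAMPLE_LOG = """\
2024-03-01T09:00:05 jdoe FAIL
2024-03-01T09:01:10 jdoe FAIL
2024-03-01T09:02:30 jdoe FAIL
2024-03-01T09:03:00 asmith FAIL
2024-03-01T09:04:15 jdoe FAIL
2024-03-01T09:05:40 jdoe FAIL
2024-03-01T09:30:00 asmith SUCCESS
2024-03-01T09:31:00 asmith FAIL
2024-03-01T09:32:00 asmith FAIL
2024-03-01T09:33:00 asmith FAIL
2024-03-01T09:34:00 asmith FAIL
2024-03-01T10:00:00 asmith FAIL
"""

def parse_log(text):
    """Parse 'timestamp user result' lines into (datetime, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result == "SUCCESS"))
    return events

def evaluate_logons(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (locked_users, alerts). A successful logon resets the streak, and
    failures older than the window no longer count toward the lockout threshold."""
    streak = defaultdict(deque)   # user -> timestamps of recent consecutive failures
    locked, alerts = set(), []
    for ts, user, ok in sorted(events):
        if ok:
            streak[user].clear()  # success breaks the run of consecutive failures
            continue
        alerts.append(f"{ts.isoformat()} {user}: failed logon")  # every failure is reported
        q = streak[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell outside the 15-minute period
            q.popleft()
        if user not in locked and len(q) >= max_failures:
            locked.add(user)
            alerts.append(f"{ts.isoformat()} {user}: account locked after {len(q)} failures")
    return locked, alerts
```

In the sample, jdoe is locked at the fifth failure within six minutes, while asmith never is: the 09:30 success resets the count, and the 10:00 failure falls outside the window of the four that preceded it.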
Your organization should ensure that a comprehensive Access Control Program is developed and implemented consistently across the organization. Organizations that do not risk overlooking a pivotal security function or leaving a control unaddressed. By developing a comprehensive Access Control Program, supported by all organizational stakeholders, organizations can avoid key access control pitfalls and achieve effective overall security.
About the Author
Bryon Miller is co-founder and CISO at ASCENT Portal, a leading Software-as-a-Service (SaaS) platform for comprehensive security and continuous compliance management. An expert in security and compliance best practices, Miller is also the author of the book, “100 Security Program Pitfalls and Prescriptions to Avoid Them,” available on Amazon.