Who has access to your business systems and what do they have access to?
Access control is defined as a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. This conveys two important points: first, this tells us the systems need to be physically secured and secondly, they need to be electronically secured. Simple measures such as locking the office door and only providing authorized people with a key is a start. The next step is implementing a simple plan and responsible person to manage and maintain all end user credentials and authorizations to meet some basic goals:
1. Developed role-based access levels - what roles need to perform what system tasks.
2. Create unique credentials for each user assigned to a role - no login sharing!
3. Encourage users to use best practices for password protection:
• Always use strong passwords.
• If passwords must be written down on a piece of paper, store the paper in a secure place and destroy it when it is no longer needed.
• Never share passwords with anyone.
• Use different passwords for all user accounts.
• Change passwords immediately if they may have been compromised.
• Be careful about where passwords are saved on computers. Some dialog boxes, such as those for remote access and other telephone connections, present an option to save or remember a password. Selecting this option poses a potential security threat.
4. Remove credentials for any employees leaving employ immediately.
5. Review user access roles routinely and keep updated appropriately.
Instituting and following these basic guidelines will help secure your business systems, minimizing the exposure and opportunity to issues related to unauthorized access. Be proactive and make sure you have these measures in place before you wish you had.