This topic is concerned with how access to information and information systems is managed, as distinct from the policies on who has access to information that is stored and moved within the technology environment (see earlier topic on Information Management).
Access to information and application system functions should be controlled so only authorised personnel have the ability to use these. The type of access control needed will vary depending on a range of factors and is usually influenced by the sensitivity of the information.
Policies should be defined for each of the following:
- how access to Systems and Applications is controlled
- the use of credentials such as user identification and passwords
- standards for the use of passwords and other access tokens
- the display of System Control Notices
- using Secure Zones to further restrict information access
- managing access to different Networks and Network Services
- the use and control of Administration Accounts
These policies and guidelines are designed to ensure that measures are in place to limit access to systems and information to those users that need it. This includes information stored within applications, storage devices and facilities, systems and networks that make up the company technology environment.
The standard method used to restrict access is user identification and passwords, sometimes supplemented by additional authentication factors. This involves a range of measures that can include the following:
- secure login procedures
- enforcement of complex passwords
- use of multi-factor authentication
- controls on the display of credentials
- controls on the storage of passwords
These measures are intended to prevent accidental or unauthorised access to information by managing access for everyone who may legitimately use the applications and systems, while also denying access to those who are not permitted to see the information. In other words, you should grant appropriate access to those users who are permitted and prevent access by those who are not.
Password usage can often be supplemented by controls on different levels of access, based on the user profile. Aligning with the ‘need to know’ principle, role-based access control limits access to information and system functions to particular employee profiles within an organisation. This type of access control is usually managed within the applications themselves, in conjunction with the more commonly used credential management.
This method can use a matrix of job/role type, user department, groupings of classifications and information sensitivity to segment application functions and menus. The matrix matches information needs to the appropriate level of access for an individual.
Sensitive information may come with additional conditions of use from the providers of that data, e.g. government authorities, payment card providers, etc. In addition to user credentials and profiles, there may be a requirement to build access controls that restrict the location from which information is accessed. For organisations that store this type of sensitive information, zones of operation may need to be defined to separate users with different access levels, e.g. access to some information and systems may be permitted only from segregated segments of the network or even from special secure zones of the physical office space.
As well as access control for ‘regular’ system users, different access control measures are necessary to manage the elevated privileges of system administrators, e.g. network and system managers. Stronger access control is required to place additional restrictions on system features that involve access to configuration and system management areas – these are typically the privileges targeted by attackers seeking to gain access to company technology, so they must be strictly controlled.
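The following is an added example, not code from the original post or from Thistle Tech, that puts the last four paragraphs into one deny-by-default access decision: a role matrix of functions, clearance and department scope (the ‘need to know’ matrix), a secure-zone condition for provider-restricted data, and a separate rule for administration functions that demands an admin account plus a verified second factor. All role names, zone names, functions and users are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Information classification, ordered so '>' means 'more sensitive'."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# The access matrix: each role maps to the application functions it may use,
# the highest classification it is cleared for, and whether it is confined to
# its own department (the 'need to know' condition). Constructed sample data.
ROLE_MATRIX = {
    "clerk": {
        "functions": {"view_order"},
        "clearance": Sensitivity.INTERNAL,
        "own_department_only": True,
    },
    "payments_analyst": {
        "functions": {"view_order", "view_cardholder"},
        "clearance": Sensitivity.RESTRICTED,
        "own_department_only": True,
    },
    "sysadmin": {
        "functions": {"view_order", "edit_config"},
        "clearance": Sensitivity.CONFIDENTIAL,
        "own_department_only": False,
    },
}

# Functions that touch configuration or system management carry elevated
# privilege, so they need an administration role AND a verified second factor.
ADMIN_FUNCTIONS = {"edit_config"}
ADMIN_ROLES = {"sysadmin"}

# Functions whose data carries provider conditions (e.g. cardholder data) and
# may therefore only be used from a designated secure zone (hypothetical name).
ZONE_REQUIRED = {"view_cardholder": "pci_zone"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: str
    mfa_verified: bool = False


@dataclass(frozen=True)
class Resource:
    function: str          # the application function / menu being invoked
    department: str        # the business unit that owns the information
    sensitivity: Sensitivity


def decide(user: User, resource: Resource, zone: str) -> tuple:
    """Deny-by-default access decision. Returns (allowed, reason); the reason
    is for the audit log, not for display to the requesting user."""
    profile = ROLE_MATRIX.get(user.role)
    if profile is None:
        return False, "unknown role"
    if resource.function not in profile["functions"]:
        return False, "function not in role profile"
    if resource.sensitivity > profile["clearance"]:
        return False, "classification exceeds role clearance"
    if profile["own_department_only"] and resource.department != user.department:
        return False, "outside need-to-know scope (department)"
    required_zone = ZONE_REQUIRED.get(resource.function)
    if required_zone is not None and zone != required_zone:
        return False, f"must be accessed from secure zone {required_zone}"
    if resource.function in ADMIN_FUNCTIONS:
        if user.role not in ADMIN_ROLES:
            return False, "administration function requires an admin account"
        if not user.mfa_verified:
            return False, "administration function requires MFA"
    return True, "granted"


def audit(user: User, resource: Resource, zone: str) -> str:
    """One audit-log line per decision, so denials are visible to monitoring."""
    allowed, reason = decide(user, resource, zone)
    outcome = "ALLOW" if allowed else "DENY"
    return (f"{outcome} user={user.name} role={user.role} "
            f"fn={resource.function} zone={zone} reason={reason}")


if __name__ == "__main__":
    clerk = User("alice", "clerk", "sales")
    analyst = User("bob", "payments_analyst", "finance")
    admin = User("carol", "sysadmin", "it", mfa_verified=True)
    order = Resource("view_order", "sales", Sensitivity.INTERNAL)
    card = Resource("view_cardholder", "finance", Sensitivity.RESTRICTED)
    config = Resource("edit_config", "it", Sensitivity.CONFIDENTIAL)
    for u, r, z in [(clerk, order, "office"), (clerk, card, "pci_zone"),
                    (analyst, card, "office"), (analyst, card, "pci_zone"),
                    (admin, config, "office"),
                    (User("dan", "sysadmin", "it"), config, "office")]:
        print(audit(u, r, z))
```

The checks are ordered from the cheapest and most general (is the function in the profile at all?) to the most specific (zone, then administrative privilege), and every branch returns a distinct reason string so that the audit trail shows which control denied the request rather than a bare "access denied".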
More To Come...
Look out for the next instalment in this topic.