In a previous article, we talked about the principles of Information Security, the CIA. We invite you to read the 3 principles of Information Security on our website for a better understanding.
If you follow our articles, by now you know that one of the fundamental elements of Information Security is the accessibility of data. Indeed, in some organisations, it is crucial that some staff members have access to all types of information. However, not all individuals can have access to all information. There are limits on whether and how individuals are authorised to access some information. Hence, it is important to define the Access Control Policy before implementing any measures.
An Access Control Policy outlines the mechanism of control: who can have access to what information, when, where and how. It all depends on the size and complexity of the organisation and the level of sensitivity of the information.
Generally, there are 2 main types of access control: physical and digital. Both types of access control are based on need-to-know level, competence, authority or duty. Most systems use an authentication mechanism such as a password or fingerprint to grant access to users.
The bigger the organisation is, the more complex the access control system will be. As systems grow in size and complexity, access controllers face more challenges in preventing unauthorised access.
To ensure the safety of an access control system, it is essential to make sure that the access control configuration does not result in the leakage of permissions to non-authorised principals. For example, some authorised personnel may accidentally allow unauthorised persons to enter the premises of the organisation. Some staff members may give an entrance code to a food deliverer, who can then gain access to the company’s sensitive location. Therefore, it is important to raise awareness about Information Security best practices among employees.
Since the Covid-19 pandemic outbreak, organisations have been forced to review their access control systems and allow staff to access some sensitive information on their personal computers, so that they can work from home. In doing so, some organisations underestimated the level of information security needed, as some personal computers were compromised. This resulted in leaks of information and even fraud.
If you would like to review your access control policy or set up an access control system, our specialists can help you with this project. Contact us for more information.
You may also read our previous articles on the incident response plan.