This is the third in a five-part series covering the government-backed Cyber Essentials scheme, which is designed to set a base standard for cyber security in organisations. It deals with five specific areas:
These key areas form the bedrock of security for IT systems. All organisations should ensure these five basic areas are covered, either by their in-house IT team or by their external IT partner. Over the next few weeks I will cover each of the topics in turn.
In part 2 I covered Secure Configuration. This time I cover User Access Control.
This part is exactly what the name suggests, ensuring that you control what users have access to. In most small companies (and several larger ones too) this is overlooked or misunderstood. Most clients think about this in terms only of giving a user a login and password to ensure that nobody can gain access to the device or application without authority. But it goes much deeper than that. What many companies don’t think about is how much access that user has been granted. In many cases the user is granted full administrative access to the system.
This is a bit like giving the staff member a key to the building so they can get in in the morning. But not just an ordinary key: the master key to every door, filing cabinet, safe, etc. You wouldn’t do that, would you? So why would you allow it on your PCs?
If a user with administration rights clicks an infected link or opens an infected document, the malware has all the permissions it needs to install itself and then propagate around the network. This can turn a bad day into a disastrous day.
You should also think in terms of file shares. You should allow a user access only to the folders that they require to do their job. Locking them out of folders they don’t need not only prevents them accessing files they shouldn’t, but it will also help to reduce the impact of any malware infection, as it will not be able to touch the files in the locked folders.
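As an added example (not code from the original post, nor from Reach I.T. Management), the script below checks the two points just made on a Windows 10/11 PC: who holds local administrator rights, and which shared folders give broad groups such as Everyone or Domain Users more than read access. The list of accounts expected to be administrators, the log-free read-only approach and the group names are assumptions; replace the placeholder names with your own.

```powershell
# Added example, not from the original post. Read-only audit of local
# admin rights and file-share permissions on a Windows PC.
# Assumes PowerShell 5.1+ with the LocalAccounts and SmbShare modules.
# Run from an elevated prompt; it reports and changes nothing.
[CmdletBinding()]
param(
    # Accounts or groups allowed local admin rights (placeholder values,
    # compared on the part after COMPUTER\ or DOMAIN\)
    [string[]]$ExpectedAdmins = @('Administrator', 'IT-Admins'),
    # Broad principals that should not be able to write to shares
    [string[]]$BroadPrincipals = @('Everyone',
                                  'NT AUTHORITY\Authenticated Users',
                                  'BUILTIN\Users',
                                  'DOMAIN\Domain Users')   # placeholder domain
)

# --- 1. Who is a local administrator? -----------------------------------
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    $leaf = $member.Name.Split('\')[-1]      # strip the COMPUTER\ or DOMAIN\ prefix
    if ($ExpectedAdmins -notcontains $leaf) {
        Write-Warning "Unexpected local admin: $($member.Name) ($($member.ObjectClass))"
    }
}

# --- 2. Which shares let broad groups write? ----------------------------
# Effective access is the intersection of the share-level permission and
# the NTFS ACL on the folder, so both are checked.
$shares = Get-SmbShare | Where-Object { -not $_.Special }   # skip C$, ADMIN$, IPC$
foreach ($share in $shares) {
    # Share-level permissions: AccessRight is Read, Change or Full
    foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
        if ($entry.AccessControlType -eq 'Allow' -and
            $entry.AccessRight -ne 'Read' -and
            $BroadPrincipals -contains $entry.AccountName) {
            Write-Warning "Share '$($share.Name)': $($entry.AccountName) has $($entry.AccessRight) at share level"
        }
    }
    # NTFS permissions on the underlying folder
    $acl = Get-Acl -Path $share.Path
    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value
        # Any of the write bits set (Modify and FullControl include them)
        $canWrite = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $BroadPrincipals -contains $identity) {
            Write-Warning "Folder '$($share.Path)': $identity can write (NTFS: $($ace.FileSystemRights))"
        }
    }
}
```

Each warning is a candidate for removal: an unexpected account in Administrators should become a standard user, and a share where Everyone has Change or Full should be narrowed to the group that actually needs to write there.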
The same principle applies in all your applications. You should only grant the user access to the elements of the application they need. For example in our automotive clients that use Autoline (Kerridge) we would not give every user Level 8 permissions in all modules. Otherwise anyone could do anything and change other people’s permissions. The permission levels are set appropriate to the user’s job role.
There should also be procedures in place for requesting new starters, notifying of leavers, requesting and controlling VPN access, etc. We place a piece of software on each client’s computers; this gives them a form to fill in for new users and leavers. We then process the form at the appropriate time. For VPN access, we have a process whereby we seek authority from the direct line manager and a director, or whatever process the individual client requires. But there must be a process with authorisation.
At Reach I.T. Management we handle user administration for our clients. We make sure to follow procedures before allowing access and grant only appropriate permissions within applications and to their Windows PCs and laptops. We manage the user creation and deletion to take away the administrative burden of User Access Control.
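As an added example of the leaver step in such a procedure (this is not the post’s or Reach I.T. Management’s own tooling), the script below processes a leaver on a standalone Windows PC once the form has been approved. It disables the account rather than deleting it, so the profile and SID remain available for any later investigation, removes it from groups that grant elevated or remote access, and records who approved the change. The group list, the log location and the parameter names are assumptions.

```powershell
# Added example, not from the original post. Leaver processing for a local
# Windows account: remove privileged group membership, disable the account,
# and log the action with the approver named on the leaver form.
# Assumes PowerShell 5.1+ with the LocalAccounts module; run elevated.
# Supports -WhatIf so the change can be previewed first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$UserName,
    [Parameter(Mandatory)][string]$ApprovedBy,          # manager/director who signed the form
    [string]$LogPath = 'C:\ITAudit\leavers.log'         # placeholder location
)

# Fail early if the account does not exist on this machine
$user = Get-LocalUser -Name $UserName -ErrorAction Stop

# Groups that confer admin or remote rights; membership is removed first
# so the account cannot be re-enabled with elevated access by mistake
$privilegedGroups = 'Administrators', 'Remote Desktop Users', 'Remote Management Users'
foreach ($group in $privilegedGroups) {
    $isMember = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.SID -eq $user.SID }
    if ($isMember -and $PSCmdlet.ShouldProcess($group, "remove $UserName")) {
        Remove-LocalGroupMember -Group $group -Member $user
    }
}

# Disable, do not delete: keeps the SID and profile for later review
if ($user.Enabled -and $PSCmdlet.ShouldProcess($UserName, 'disable account')) {
    Disable-LocalUser -Name $UserName
}

# Audit trail: when, who was disabled, who approved it, who ran it
$line = '{0:u} leaver={1} sid={2} approved_by={3} run_by={4}' -f `
    (Get-Date), $UserName, $user.SID.Value, $ApprovedBy, $env:USERNAME
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Add-Content -Path $LogPath -Value $line
```

Run it as `.\Process-Leaver.ps1 -UserName jsmith -ApprovedBy 'A. Manager' -WhatIf` to see what would change before committing; for domain-joined machines the same steps map onto the ActiveDirectory module, with the account disabled centrally rather than per PC.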
If you want to discuss how we could help you with any of the above then please do call me on 01788 440024 or fill in the contact form on our website.
Next time I will cover Malware Protection.