Access controls limit access to information and information processing systems. When implemented effectively, they mitigate the risk of information being accessed without the appropriate authorisation, unlawfully and the risk of a data breach. They apply anywhere access is required to perform a business activity and should be adhered to when accessing information in any format, on any device.
In practice it is not uncommon for access to information to be overly restrictive, resulting in information silos. Whilst a focus on security and privacy is obviously needed to protect business information and meet data protection legislation obligations, there must also be a balance with accessibility. Opening up information assets supports collaboration and innovation, and in our experience supports successful eDRMS (electronic document and records management system) projects.
To implement an effective access control environment, we recommend the following six areas are given careful consideration:
1. Access Control Principles
Guiding principles that provide rules for all implementations of access to networks, systems, information and data. This can include principles relating to:
- Access approval by a registered owner (e.g. an information, business or system owner)
- The sharing of personal data
- Role and group based access
2. Who determines access?
What roles understand and approve access requests? Do you have Information Asset Owners? In practice will they delegate responsibility for determining access to a Line Manager?
3. Who ensures appropriate access is implemented?
Is this your helpdesk? Do you have Information Champions who can ensure access is implemented correctly and that it is appropriate?
4. How access will be documented
Access controls must be documented to provide evidence of the controls implemented. This can be in an Information Asset Register, helpdesk system or even Active Directory
5. How the access controls will be implemented
Do you have a Business Classification Scheme or an eDRMS that will support the implementation of access controls? Do your new starter, transfers and leaver processes ensure access is set up, amended or revoked where and when necessary?
6. Periodic audit procedure
Access controls should be audited on a periodic basis to ensure controls align to what is needed and is documented. Would this be done by your helpdesk? Or can Information Champions help with this task?
Access controls are an essential part of an information security framework. Reviewing these six areas will give your organisation a solid foundation for controlling user access to information and systems, that meets your legislative, statutory, regulatory and contractual requirements.
If you would like to know how to go about articulating access controls in a model or policy, get in touch.