Protect Your Critical Data With Access Controls
Is your password for the accounting system, “1234”, “password”, “your name” or something similar? Does everyone know everyone else’s password? Do you assume that your employees are unable or unaware of how to access confidential information?
Threats Exist Not Only Outside Your Network
Why have userids and passwords at all? They are inconvenient, sometimes difficult to remember, and slow you down when you just want to get work done.
82% of e-Crimes are committed by internal company employees, with roughly 1/3 committed by senior management.
Ernst & Young
This startling fact is the main reason companies should and do set access controls on company information. When implementing access controls, a layered approach is advised, with the highest number of layers of security imposed upon the most critical and confidential information.
Government Regulations Require Access Controls
Depending upon your industry, you may be required to implement some level of access controls. For example, the Sarbanes-Oxley Act of 2002 will have a significant impact on organizations. In accordance with Sarbanes-Oxley (Sarbox), executives must attest to the adequacy and effectiveness of their internal controls, including IT controls. Therefore, IT controls will be externally audited, and a statement of control verified by the audit must now appear in annual reports filed with the Securities and Exchange Commission (SEC). With the Sarbanes-Oxley Act, what was once considered best practice is now the law.
Beyond fraud, employees can also be dangerous by damaging information or equipment, whether deliberately or accidentally. Information could be damaged by a virus or simply by unintentionally deleting the wrong file. Access controls may limit this damage and avoid costly downtime.
Best Practices for Access Control
PCMi can work with you to establish effective access controls from the ground up. The access controls start with physical access restrictions, such as keeping your networking components, server and backup media in a secure location. For some organizations, a locked closet will suffice; for others, a data center environment with restricted access may be required.
Next, you should consider actual user PCs. Could someone simply start a machine and have access to confidential information? This means not only the data stored locally on the machines but also what the machines can access on your network. In some cases, special security measures when the computer is powered on may be required. More typically, a user-id and password are required to access the machine and network.
Generally, the user-id for the PC will also grant you access to network resources such as files, printers, and business applications. This is the next level of access control. Once a user passes an authentication process to access a PC and the network, the access controls on the resource being used come into play. Quite often, the default, “full” access, is left unchanged because it is the path of least resistance. Because everyone has access to everything, all business applications work, users can easily share information, and the need for I.T. intervention is minimal. However, this is akin to leaving your drawers open to anyone within the organization to see what they can find that is worth taking.
A basic component of most network environments such as Microsoft Windows is the ability to set access control levels on various network resources including folders, files, or printers. Within business applications, there are often additional levels of security that need to be considered.
Here’s where PCMi can help. We work with you to identify the information and resources that need to be protected. Having identified these resources, we help you understand the impact of restricting access levels and then, set the access controls as appropriate. In some cases, this may include working with your business application supplier to set access controls within the application itself.
Review Your Access Controls
Once you’ve determined and set your access controls, it is advisable to audit and test these controls on a regular, ongoing basis. Over time, adjustments may be required as your staff changes, your business applications change, or your company information changes. Auditing access controls is one component of a security assessment.
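As an added example (not PCMi’s code or part of the original page), the PowerShell script below audits a file share for folders where broad groups such as Everyone or Authenticated Users hold write-level NTFS permissions, which is the “full access left unchanged” condition described above. The root path is an assumed placeholder, and the account running the script is assumed to be able to read the folder ACLs.

```powershell
# Added example (not PCMi's code): report folders under a root where broad
# groups hold write-level NTFS rights. The root path is a placeholder.
param(
    [string]$Root = 'D:\Shares\Accounting'   # placeholder; use your own share
)

# Principals that amount to "everyone" on a typical Windows network.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the holder change or delete data rather than just read it.
$WriteLevel = [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
              [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
              [int][System.Security.AccessControl.FileSystemRights]::Write

function Get-BroadWriteAccess {
    param([string]$Path)
    # Check the root itself as well as every folder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # Only Allow entries granted to the broad principals are of interest.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $WriteLevel) -eq 0) { continue }
            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries point at the parent
            }
        }
    }
}

# Show the findings and keep a dated copy so repeat audits can be compared.
$findings = Get-BroadWriteAccess -Path $Root
$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path "acl-audit-$(Get-Date -Format yyyyMMdd).csv"
```

Entries marked as inherited are usually fixed at the parent folder where the permission was set, so one change there clears many findings at once.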
Establishing appropriate access controls will protect your company from a myriad of internal and external security threats. Don’t leave your company’s confidential information exposed to chance: implement access controls.