User access control is one of the five key controls mandated by the UK Government’s Cyber Essentials scheme. It refers to the management of user accounts, particularly those with special access privileges, to protect against misuse and unauthorised access. Accounts should be assigned only to authorised individuals and provide the minimum level of access to applications, computers and networks.
Why is user access important?
Failure to implement an effective user access control management policy may expose your applications, computers and networks to risk. It makes it easier for hackers to take advantage of uncontrolled administrative privileges and to exploit desktops, laptops and servers. Another technique used by attackers involves the elevation of privileges by guessing or cracking a password for an administrative user to gain access to a target machine.
Failure to manage user access control may also lead to employees unwittingly or deliberately accessing and misusing data they shouldn’t be authorised to see.
Verizon’s 2015 Data Breach Investigations Report found that insider misuse is one of the most common incident classification patterns. This is closely linked to staff access to sensitive and valuable data. According to the report, 55% of all insider misuse incidents were the result of privilege abuse. The most affected industries were public, healthcare and financial services.
How to manage user access control effectively
- Implement a user account management system and privilege management process.
- Don’t use network and system administrator user accounts for non-administrator activities.
- Restrict special account privileges to a limited number of authorised individuals.
- Don’t allow unauthorised user accounts access to applications, computers and networks.
- Document user access permissions.
- Implement a unique username and strong password policy.
- Ensure user passwords are changed on a regular basis.
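The third and fifth points above (restricting special privileges to authorised individuals and documenting permissions) only work if someone periodically reconciles what is actually granted with what is documented. The following script is an added example, not from the original post or the Cyber Essentials scheme: it parses /etc/group-style lines (a constructed sample is embedded) and reports accounts that hold privileged group membership without a documented authorisation, as well as documented administrators who are no longer in the group. The set of groups treated as privileged is an assumption for this example.

```python
"""Reconcile privileged group membership against documented authorisations."""

# Groups treated as privileged; an assumption for this example.
PRIVILEGED_GROUPS = {"sudo", "wheel", "adm"}

# Constructed sample of /etc/group content (not a real system's file).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,bob,svc-backup
wheel:x:10:alice
adm:x:4:syslog,carol
users:x:100:alice,bob,carol,dave
"""

# Constructed "documented user access permissions": who is authorised
# to hold membership of each privileged group.
DOCUMENTED_ADMINS = {
    "sudo": {"alice", "bob"},
    "wheel": {"alice"},
    "adm": {"syslog", "erin"},
}


def parse_group_file(text):
    """Return {group_name: set(members)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def find_privilege_discrepancies(groups, documented, privileged=PRIVILEGED_GROUPS):
    """Compare actual privileged membership with the documented list.

    Returns {group: {"undocumented": set, "missing": set}} only for groups
    with a discrepancy; an empty dict means membership reconciles.
    """
    findings = {}
    for group in privileged:
        actual = groups.get(group, set())
        allowed = documented.get(group, set())
        undocumented = actual - allowed  # privilege held without authorisation
        missing = allowed - actual       # documented but not actually granted
        if undocumented or missing:
            findings[group] = {"undocumented": undocumented, "missing": missing}
    return findings


if __name__ == "__main__":
    result = find_privilege_discrepancies(parse_group_file(SAMPLE_GROUP_FILE), DOCUMENTED_ADMINS)
    for group, f in sorted(result.items()):
        print(f"{group}: undocumented={sorted(f['undocumented'])} missing={sorted(f['missing'])}")
```

On a real host the same check can be run over the live /etc/group (and the equivalent directory or sudoers data), with the documented list kept under change control so every privileged account is traceable to an authorisation.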
This is the second of a series of blog posts dedicated to the five controls of the Cyber Essentials scheme. Also see Cyber Essentials explained – what is secure configuration?
If you want to learn more about Cyber Essentials’ five key controls and how to implement them correctly, read Cyber Essentials – A Pocket Guide. It is a non-technical explanation of Cyber Essentials, making it easy for anyone to understand the scheme and how to meet its requirements.
Cyber Essentials certification
Launched in 2014, the government’s Cyber Essentials scheme aims to help organisations better manage the variety of business issues introduced by the growing number of cyber threats.
Certification to the scheme will demonstrate to your customers and business partners that fundamental cyber security measures are in place, and provides evidence of your organisation’s security posture.
IT Governance is a CREST-accredited Cyber Essentials certification body. To find out how our fixed-price Cyber Essentials solutions can help you achieve Cyber Essentials certification for as little as £300, click here.