Whether or not an employee can see or open a particular folder or application should not be arbitrary. Being intentional about access controls is vital for compliance and security. This introduction to access controls lays out the key steps and considerations for reducing risk and securing your data.
An Introduction to Access Controls
You take security seriously. You lock your front door. Your phone password is 12 digits long.
Now it’s time to concentrate that focus inside your organization. Just as you protect your information from outsiders, you need to be sure it’s safe inside too.
Access controls have a simple but critical job. They control who has access to your information, what that user can access, and what that user can do. It’s a critical component of your cybersecurity strategy.
Who Approves Payroll?
Consider payroll.
It’s an intuitive example. You don’t let everyone in the company cut their own paychecks. Your payroll system is only accessible by certain staff. The payroll staff is responsible for specific tasks, like how your payroll accountant can enter timecards but needs a manager to approve pay raises. And nobody gets paid until your HR Director signs off on the pay run.
Your controls might look a little different, but the goals are the same:
- Users have access to what they need.
- Users can only do what they’re allowed to do.
- Checks and balances help to detect and prevent problems. This includes separation of duties and periodic user access audits.
Where to start
Any organization starts with the same fundamental steps no matter what the business looks like, how many people it employs, or what kind of information it protects. A compliance consultation is a great way to map out your access controls.
1) Decide WHAT you need to protect.
Create (or update) your policy to define your security requirements. Keep it high level. What kind of functions need extra security? What are you willing to share with outsiders, and what stays in-house?
2) Decide HOW you’ll protect it.
Who decides what information needs to be protected? Who’s responsible for implementing and maintaining access controls? In general, what kind of access controls will you need? Who approves changes to user access, and how do you document it? What happens if someone violates the policy?
3) Determine WHO needs access to what.
Access is determined by the role and what each role requires access to in order to do the job. This includes access to software, shared drives, and even parts of your facilities. You may need to do some fieldwork to find out exactly where duties overlap.
4) Verify whether your users have the right access.
Many software systems include standard reports and other security management features. Do it again next quarter. And next year. And so on. Consider engaging an IT consultant to help confirm your controls work correctly.
5) Don’t forget about vendors and partners.
Can anyone outside of your organization access your files? If a vendor has excessive access, would you even know it before they put your entire organization at risk?
Pro Tip: Take advantage of read-only and other restricted access levels when possible. For example, your payroll accountant might need read-only access to your production scheduling system to validate overtime. Or a hospital’s CFO might need to run reports from the medical records system, but he or she shouldn’t be able to edit patient charts.
The Risks of Not Having Access Controls
Auditing user access is a pain in the neck. But the risks of ignoring access controls are much worse.
1) Compliance nightmares.
Can the same person authorize a payment, cut the check, and reconcile the bank statement? It’s not just a good idea to have internal controls; in many cases, it’s the law.
2) A hacker’s dream.
The more access you give to a single employee, the bigger the risk if that person’s account is hacked. For example, what could a hacker do with your CEO’s login credentials?
3) Escalating access.
It’s easy to forget to change access when someone changes roles. If our hypothetical payroll accountant gets a promotion, will he or she then be able to approve his or her own pay raises?
4) Leaving the door open for terminated employees.
You wouldn’t let a terminated employee keep a security badge. Don’t let them perpetuate a major HIPAA breach.
5) The domino effect.
If a vendor or partner gets hacked, you’re the next target. Don’t let your HVAC vendor cost you $162 million in data breach cleanup.
As I said, an access control audit looks a lot better after you consider the alternatives.
Last Pro Tip: You don’t have to do it alone. Start with your accounting and legal partners to learn more about what tools they can offer.
You can also contact us directly if you have any questions or if you would like to learn more. We’re always happy to talk shop.