22 Apr A deeper look at the Cyber Essentials Certification – Access controls

In this – the third blog in the series – we will take a close look at the questions asked in the Cyber Essentials Certification regarding Access Controls, and also explain what you need to do to be sure that you are reacting to / dealing with them successfully.

Questions regarding Access Control

• Are user accounts controlled through a creation and approval process?

Prior to a new starter being set up, the account must go through an approval process (HR management approval, Line manager approval, IT department approval, for example).

• Are users required to authenticate before being granted access to devices and applications using unique credentials?

Authentication is a second process to ensure that only authorised users gain access to the system, and it can be done in a number of different ways. Most commonly it is done through a combination of both passwords and physical access controls, such as staff passes (without a staff pass allowing access to a building they cannot gain physical access to the systems, for example). Alternatively, a token is used to gain access to the system in addition to a password. But there are other ways this can be achieved and, in each case, it is critical that the authentication details are unique to individual users. There must not – for example – under any circumstances be a general ‘temporary staff’ access facility or anything similar which can be used by a number of different individuals.

• Are accounts removed or disabled when they are no longer required?

When a staff member leaves, you should lock their account immediately to prevent continued access from others. After having taken time to scour the account for critical information required for record keeping, auditing or other use, it is imperative that the account is either disabled or (preferably) deleted. This can be done by an administrator through the control panel.

• Has two-factor authentication been implemented where available?

As we explored in the previous blog in the series, Two-factor authentication involves the use of two different means of identification before being granted access to the system or – once having been granted access – to the different parts of it. Two factor authentication can be difficult to implement – especially in the slightly larger organisations – but you should be making a deliberate decision as to where it should be implemented as opposed to areas where there is no need.

• Are administrative accounts only used to perform administrative activities?

This means not exposing administrative accounts to unnecessary risk such as emailing, web browsing, or other standard user activities. An administrator should have two accounts – one that is at the pinnacle of security, and one which is a ‘normal’ account for everyday activities such as emailing and web browsing – this account is still secure but it is preferable to perform tasks that pose risk on the account that holds the least number of privileges.

• Do you have Anti-Malware software, application whitelisting, or application sandboxing on each of your devices?

Anti-Malware – or Anti-malicious software for those that aren’t familiar with the term – should be installed on all devices and endpoints, including mobile phones where they connect to the internet and to your systems. This software usually allows you to ‘whitelist’ software applications – for those that aren’t familiar, this is a process whereby any software that’s approved to be used on the network in question is listed, and only that software can be run on the system. The alternative to this is ‘sandboxing’ – a method used by Apple where an application is run in a separate area quarantined from the rest of the system. Whichever you choose, the aim is to stop unauthorised software packages running on your systems.

• Provide details of the software used

This one is easy – simply provide details of what Anti-virus – or other related – software is installed on your systems.

Again – as in the previous blogs in the series – for those that aren’t as familiar with IT and technology as a whole, understanding how to achieve the above can be a challenge.

That’s where we at Netcom come in.

Helping you to Cyber Certification – Netcom

Our team of experts will assist you in the process of uninstalling redundant user accounts, finding a password management tool that works for you, implementing an easy-to-use two-factor authentication system, and managing approvals across your organisation. We can guide you into a future with IT as a powerful – and most importantly – secure ally. We pride ourselves in developing a relationship with our clients and ensuring they prosper from the technology and plans introduced for them to get the most from their IT. We can guide you to achieve the Cyber Essentials Certification with flying colours! Contact us now and find out how we can help you.