Does your organization have procedures in place to determine who is authorized to access its IT systems? The organization's needs determine which permissions employees are given and which IT systems they can access, and there must be clear procedures for deciding this.
Permissions govern who has access to what, and what they can do in the systems. All permissions must be based on the needs of the organization, and there must be formal procedures for allocating, modifying, suspending and monitoring access. No user may have access to more information than the organization requires for that person's role (the principle of least privilege).
User accounts with special access privileges (e.g. system administrator accounts) usually have the highest level of access to information, programs and computers. If such an account is compromised or misused, the damage can be extensive, since it generally allows the holder to install harmful software or make far-reaching changes to the system.
Special access comprises privileges and rights beyond those of regular users. Because an administrator account gives extensive access to systems and information, it must be used only for administrative tasks, never for ordinary day-to-day work: that kind of work exposes the account to a wider range of threats, and anything that compromises it inherits its full privileges. An administrator should therefore have a separate, regular account for everyday work.
A user account must be allocated to a specific individual, never to a group. When several employees share one account, traceability suffers: it becomes difficult to link events in the system to the individual who caused them.
User accounts must be closed when they are no longer needed, for example when someone leaves the organization, and reviewed and adjusted when someone changes jobs within it, so that permissions from the old role do not accumulate.
Password and login
When logging in to the organization's IT equipment or a specific program, the individual must identify himself or herself by entering the correct user name and password, or by using an eID. A strong, unique password is the minimum requirement. A stronger and therefore more secure method is multi-factor authentication, where authentication requires two or more factors of different types: something the user knows (a password), something the user has (a smart card) or something the user is (biometrics). On each login, two of these three types must be used; two factors of the same type (for example two passwords) do not count. Passwords must be personal: employees must not share them with each other, and the same password must not be reused across different systems or accounts. Passwords used within the organization must not be used privately, or vice versa.
The organization's requirements determine whether and how often passwords are to be replaced; at minimum, a password must be replaced whenever there is reason to suspect it has been compromised.
Where accounts can be configured by technical means to require a new password on a regular basis (and to expire accounts that are no longer in use), that control should be used. Where this is not possible, manual procedures must be put in place and followed up.
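A manual procedure is only as good as the check behind it. The following is an added example, not part of the original text, of the kind of audit a practitioner runs to verify that the account and password rules above are actually enforced on a Unix-like host. It reads a file in /etc/shadow format (user:hash:lastchange:min:max:warn:inactive:expire) and flags accounts that are locked, overdue for a password change under the organization's maximum age, expired, or forced to change at next login. The sample data and the "today" value (days since 1970-01-01) are constructed for the example; the function name, the 90-day limit and the reporting format are the author's own assumptions, not anything the page prescribes.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (not a real system file).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since 1970-01-01. "!" or "*" as hash means the account is locked.
SAMPLE_SHADOW='alice:$6$x:19700:0:90:7:::
bob:$6$y:19500:0:90:7:::
carol:!:19600:0:90:7:::
dave:$6$z:19650:0:99999:7::19690:
erin:$6$w:0:0:90:7:::'

# audit_shadow FILE TODAY_DAYS POLICY_MAX_DAYS
# Prints one "<user> <finding>" line per account that needs attention.
# "today" is passed explicitly so the check is reproducible; on a live host use $(( $(date +%s) / 86400 )).
audit_shadow() {
  awk -F: -v today="$2" -v policy_max="$3" '
    /^[[:space:]]*$/ { next }
    {
      user = $1; hash = $2; last = $3; max = $5; expire = $8
      # Locked or disabled account: report it so the leaver/mover procedure can be verified.
      if (hash ~ /^[!*]/) { print user " locked"; next }
      # lastchg = 0 means the user is forced to change the password at next login.
      if (last == 0) { print user " must-change-at-next-login"; next }
      # Account expiry date in the past: the account should already be closed.
      if (expire != "" && expire + 0 < today + 0) { print user " account-expired"; next }
      # No technical maximum age configured (empty or 99999): fall back to the policy limit,
      # i.e. this is exactly the case where the manual procedure has to do the work.
      if (max == "" || max + 0 >= 99999) max = policy_max
      max_eff = (max + 0 < policy_max + 0) ? max + 0 : policy_max + 0
      age = today - last
      if (age > max_eff) print user " password-overdue age=" age "d max=" max_eff "d"
    }' "$1"
}

# Stand-alone run against the constructed sample: day 19720 as "today", 90-day policy.
tmp="${TMPDIR:-/tmp}/shadow_sample.$$"
printf '%s\n' "$SAMPLE_SHADOW" > "$tmp"
audit_shadow "$tmp" 19720 90
rm -f "$tmp"
```

On a real host the file is /etc/shadow (readable only by root), and the same fields are what `chage -l <user>` reports. When the audit finds an account with no technical maximum age, the fix is to set one (`chage -M 90 <user>`); for a leaver, lock the account and set an expiry date (`usermod -L <user>` and `chage -E <YYYY-MM-DD> <user>`) rather than deleting it immediately, so that its history remains traceable.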