
Defining Cybersecurity Roles and Access Control Procedures

March 29th, 2022 | 13 min. read


In today’s workplace, ensuring that only authorized people can access your company’s systems is a key component of any cybersecurity program. Bad actors are no longer just lurking in the dark corners of the internet; they are everywhere your systems are, and may even be working inside your company.

One of the main tactics hackers use to gain access to your systems is hijacking legitimate credentials, and they do this through social engineering: the art of manipulating people into giving up confidential information.

Once a malicious third party has conned their way into your system, a business can unwittingly make the situation worse by not having well-defined security roles for its systems and data. If someone has access to a server holding sensitive information that they don’t need to do their job, you are at increased risk.

Being taken advantage of by hackers can spell disaster for a company with an Employee Stock Ownership Plan (ESOP). The Department of Labor’s cybersecurity best practices for ESOPs recommends having clear security roles and access controls to mitigate this risk.  

Not sure where to begin? Guide Star has you covered. 

How To Decide Which Roles Need Access to Your Systems 

During your cybersecurity awareness training, you learned the importance of assigning cybersecurity workforce (CWF) roles to your employees. Using these CWF roles, you can see which employees need a higher level of cybersecurity training due to the nature of their jobs.  

The same principle can be used when talking about information security roles and responsibilities. How do you create secure roles and responsibilities? 

Once you have completed your Business Impact Analysis (BIA) and Privacy Impact Analysis (PIA), you will have a list of which systems you have, how important they are to your business, and what kind of data lives in those systems. Using that, you can begin to define roles that need access to your systems.  

Deciding which roles require access needs to be done on a system-by-system basis, as different roles use different systems. Define and document the roles within your company and what kind of access each needs (or doesn’t need) in each system. For example, a supervisor will need access to their own employees’ pay records but not to other employees’ records.


Access Limits within SMBs 

Limiting access can be difficult, especially for small and medium businesses.  

According to the National Center for Employee Ownership (NCEO), more than half of the privately held ESOP companies consist of small plans with under 100 participants. Small and medium businesses often do not have the resources or workforce that a large company has, so their employees need access to more systems.

Employees at small and medium businesses wear many hats, so an administrative assistant could need access to sensitive data to complete a job for a member of the executive team.  

After you have laid out your systems and created the roles with access to them, assign users to those roles. Assign them on a user-by-user basis: assess who actually performs a specific role, and only then give that employee the access that comes with it.

Building a Change Management Process 

When an employee moves to a new role within the company or leaves the company altogether, a strong change management process is critical.

After the change, review and update the employee’s role and permissions. If the employee is staying with your company, assign them the new role and the permissions that come with it. Be sure to revoke any permissions related to their old role that are no longer needed.  

Your process should include change documents and approvals for management and auditors to confirm the process is being adhered to. 

When assigning roles, your IT team and system administrator should not be approving access alone. There needs to be an approval process, including an employee who serves as a “checks and balances” system. This can be a system owner, or even a role owner, who is familiar with the role to flag any issues they see.  

They should also oversee a compiled list of roles that have access to their system. The list of which roles have access to each system will need to be reviewed more frequently than your roles, ideally once a quarter. The system owner will own reviewing the list and signing off that the appropriate roles have access to it. 

During your annual risk management review, include reviewing roles and their access to systems when assessing your BIA and PIA. Employees' jobs can evolve over the year, so to keep your systems and data safe, your IT team needs to adjust the roles accordingly. 
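The role definitions, user-by-user assignment, change documents, checks-and-balances approval, and the per-system list a system owner reviews each quarter can all be expressed as a small model. The following Python is an added example, not code from the post or from Guide Star; the systems, roles, permission names, and owner names in it are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set

# Constructed sample data (illustrative, not from the post): which systems each
# role may use and what it may do there. Systems and permission names are assumed.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "payroll_clerk":  {"payroll": {"read", "write"}},
    "supervisor":     {"payroll": {"read_team"}, "hr_portal": {"read"}},
    "exec_assistant": {"hr_portal": {"read"}, "board_docs": {"read"}},
}

# Constructed: the system owner whose sign-off is needed before access is granted.
SYSTEM_OWNERS = {"payroll": "cfo", "hr_portal": "hr_director", "board_docs": "ceo"}


@dataclass
class ChangeRecord:
    """The change document: what a role change revokes and grants, who asked
    for it and which system owners approved it."""
    user: str
    old_role: Optional[str]
    new_role: Optional[str]
    revoked: Dict[str, Set[str]]
    granted: Dict[str, Set[str]]
    requested_by: str
    requested_on: date
    approvals: Dict[str, str] = field(default_factory=dict)  # system -> approver


def _diff(old: Dict[str, Set[str]], new: Dict[str, Set[str]]):
    """Per-system permissions present in old but not new (revoked) and vice versa."""
    systems = set(old) | set(new)
    revoked = {s: old.get(s, set()) - new.get(s, set()) for s in systems}
    granted = {s: new.get(s, set()) - old.get(s, set()) for s in systems}
    return ({s: p for s, p in revoked.items() if p},
            {s: p for s, p in granted.items() if p})


def request_role_change(assignments, user, new_role, requested_by, today=None):
    """Draft a change record without touching assignments. new_role=None means
    the user is leaving the company, so everything the old role carried is revoked."""
    old_role = assignments.get(user)
    old_perms = ROLE_PERMISSIONS.get(old_role, {}) if old_role else {}
    new_perms = ROLE_PERMISSIONS[new_role] if new_role else {}
    revoked, granted = _diff(old_perms, new_perms)
    return ChangeRecord(user, old_role, new_role, revoked, granted,
                        requested_by, today or date.today())


def approve(record, approver, system):
    """Checks and balances: the requester cannot approve their own change, and
    only the owner of a system can sign off on access to it."""
    if approver == record.requested_by:
        raise PermissionError("requester cannot approve their own change")
    if SYSTEM_OWNERS.get(system) != approver:
        raise PermissionError(f"{approver} does not own {system}")
    record.approvals[system] = approver


def apply_change(assignments, record):
    """Apply the change only once every system that gains access has its
    owner's sign-off. Pure revocations need no sign-off: removing access is
    never blocked."""
    missing = set(record.granted) - set(record.approvals)
    if missing:
        raise PermissionError(f"no owner sign-off for {sorted(missing)}")
    if record.new_role is None:
        assignments.pop(record.user, None)
    else:
        assignments[record.user] = record.new_role
    return assignments


def access_list(assignments, system):
    """The per-system list a system owner reviews each quarter: every user
    with access, their role, and what that role may do."""
    rows = []
    for user, role in sorted(assignments.items()):
        perms = ROLE_PERMISSIONS.get(role, {}).get(system)
        if perms:
            rows.append((user, role, sorted(perms)))
    return rows
```

The change record is drafted first and applied only after approval, so the IT team can prepare a change but never grants access on its own; the same record, kept after it is applied, is the audit trail management and auditors ask for.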

Access: The Technical Side 

On the more technical side, there are many strategies to ensure your systems stay secure. One of the most important protective measures you can take is to have centralized access control.  

The security company, Kisi, defines centralized access control as a system that “enables the user to access all applications, websites, and other computing systems from a single profile, with the same credentials from any location.”  

Centralized access control has different components to help keep your data safe.  

Microsoft’s Active Directory groups are used to consolidate your users into groups to make administration easier. The two types of Active Directory groups are distribution and security. Distribution is used to create email lists, and security groups are used to assign permissions to specific roles.  

Single Sign-On (SSO) and Multi-Factor Authentication  

Single Sign-On (SSO) is another important component of access control. Single sign-on allows users to securely sign in with the same username and password to multiple websites or applications.  

Implementing single sign-on as a standard across your company will keep your employees’ credentials safe, and it will help them avoid unsafe practices, like writing down their passwords on a notepad.

The most important part of centralized access control is using Multi-Factor Authentication (MFA). The National Institute of Standards and Technology (also known as NIST) defines MFA as an authentication system that requires more than one distinct authentication factor for successful authentication.  

Right now, you are using MFA to sign in to your social media accounts, perform online shopping, or access other programs. If you are accessing banking information, you’re likely answering a security question. 

Answering a security question and having your password is known as dual-factor authentication or two-factor authentication (2FA), which isn’t as safe as MFA.  

There are three key factors (ways to confirm your identity) that MFA uses: something you know, something you have, and something you are.


1. Something You Know 

This can be your username, password, and/or PIN. The problem with using something you know as an authentication factor is that other people can know it, too.

It isn’t hard to find information about someone. A quick web search can give a hacker all they need to steal someone’s credentials. 

2. Something You Have

With nearly every adult in the United States having access to a smartphone, having an authentication app is an easy way to protect your credentials. Some companies use physical tokens and key fobs that employees use to log in to their computers and other secure systems.

A hacker might have your credentials, but they don’t have access to a security code on your phone or fob. 

3. Something You Are

In the past few years, you may have noticed a new way to log into applications on your smartphone: biometrics. Biometrics uses your fingerprint, voice recognition, or facial scan as another layer of security.  

Another component is using network data to prove you are in a specific place or country. If you are in your office and on its secure network, using MFA isn’t as necessary because you likely scanned into the building to access it. 

Using two or more of these factors will add extra security that will protect access to your company’s systems and data. Don’t make your only factor knowledge-based. Instead, add as many layers of protection as you need to ensure you’re as protected as possible.  

Password Management Among Employees 

A weak password is one of the biggest mistakes users make when it comes to security. Making password management a portion of your cybersecurity training program will protect your systems from getting breached.  

Passwords need to be long (ideally 14 characters or more) and must be updated frequently to keep hackers on their toes. When updating a password, the new password cannot be related to an old password, and it needs to be different from your last one.

For example, changing your password from CyberSecurityRocks1 to CyberSecurityRocks2 would not be a secure enough change. Repeated characters also make it easier for hackers to figure out your password.
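The rules above (minimum length, no change that is merely an incremented digit, not too close to the old password, no runs of repeated characters) can be enforced when a password change is submitted. The following Python is an added example, not code from the post; the similarity threshold of 0.8 and the "three in a row" definition of repeated characters are assumptions chosen for the example.

```python
import difflib
import re

MIN_LENGTH = 14          # the post's "14 characters or more"
MAX_SIMILARITY = 0.8     # assumed threshold for "related to an old password"


def _core(password: str) -> str:
    """Lower-case the password and drop digits, so CyberSecurityRocks1 and
    CyberSecurityRocks2 collapse to the same core."""
    return re.sub(r"\d", "", password).lower()


def check_new_password(old: str, new: str) -> list:
    """Return the policy violations for a proposed password change; an empty
    list means the change is acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new == old:
        problems.append("same as the old password")
    elif _core(new) == _core(old):
        problems.append("differs from the old password only by digits or letter case")
    elif difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio() > MAX_SIMILARITY:
        # Ratio of matching characters; the ratio is symmetric and 1.0 means identical.
        problems.append("too similar to the old password")
    if re.search(r"(.)\1\1", new):
        problems.append("contains a run of three or more repeated characters")
    return problems
```

Comparing against the old password requires having the old plaintext at the moment of the change, which is exactly when the user supplies it; the check never needs old passwords stored in recoverable form.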

Setting up a secure system for your employees to manage their passwords can help break the habit of saving a password to your browser or writing a password down.  

There are many different programs your IT team can use. When you find the program that fits your company best, it will create a secure repository for your employees to store the credentials that only they can access.  

Monitoring Your Access Controls  

The final part of having secure access controls is monitoring and logging any activity on your systems. Your IT team should have a stored list of who is accessing your systems, what time the access occurs, and where it is being accessed.  

With that list, there should be an alert system to flag any unusual activity, like an employee attempting to log in 100 times at three in the morning. 

Using your log, your IT team can cross-reference a user’s role and when they have been accessing a system. If an employee hasn’t logged into a payroll system in 10 months, but still has access, taking away their access is the safest option. 
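The two checks described above, flagging a burst of failed logins at an unusual hour and cross-referencing who holds access against when they last used it, can be run over the access log directly. The following Python is an added example, not code from the post; the log format, the sample log lines, the role assignments, and the thresholds (five failures within ten minutes, off-hours defined as midnight to 6 a.m., 300 days of idle access standing in for "10 months") are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not from the post): one event per line.
SAMPLE_LOG = """\
2022-03-29T03:00:05 user=jdoe system=payroll result=FAIL src=203.0.113.7
2022-03-29T03:00:09 user=jdoe system=payroll result=FAIL src=203.0.113.7
2022-03-29T03:00:14 user=jdoe system=payroll result=FAIL src=203.0.113.7
2022-03-29T03:00:20 user=jdoe system=payroll result=FAIL src=203.0.113.7
2022-03-29T03:00:27 user=jdoe system=payroll result=FAIL src=203.0.113.7
2022-03-29T09:12:40 user=asmith system=payroll result=OK src=10.0.0.15
2021-05-01T10:00:00 user=asmith system=hr_portal result=OK src=10.0.0.15
"""

# Constructed: which systems each user currently has access to.
SAMPLE_ASSIGNMENTS = {"jdoe": ["payroll"], "asmith": ["payroll", "hr_portal"]}


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["time"] = datetime.fromisoformat(stamp)
        events.append(event)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10),
                        off_hours=(0, 6)):
    """Alert once per user whose failed logins reach `threshold` inside `window`,
    noting whether the burst started during off-hours."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["user"]].append(e["time"])
    alerts = []
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            first = times[i]
            if times[i + threshold - 1] - first <= window:
                alerts.append({
                    "user": user,
                    "start": first,
                    "count": sum(1 for t in times if first <= t <= first + window),
                    "off_hours": off_hours[0] <= first.hour < off_hours[1],
                })
                break
    return alerts


def dormant_access(events, assignments, now, max_idle=timedelta(days=300)):
    """Cross-reference held access with last successful use. Returns
    (user, system, last_success) for access unused longer than `max_idle`;
    last_success is None when the user has never logged in successfully."""
    last_ok = {}
    for e in events:
        if e["result"] == "OK":
            key = (e["user"], e["system"])
            last_ok[key] = max(last_ok.get(key, e["time"]), e["time"])
    stale = []
    for user, systems in assignments.items():
        for system in systems:
            last = last_ok.get((user, system))
            if last is None or now - last > max_idle:
                stale.append((user, system, last))
    return sorted(stale, key=lambda row: (row[0], row[1]))


def run_review(log_text=SAMPLE_LOG, assignments=SAMPLE_ASSIGNMENTS,
               now_iso="2022-03-29T12:00:00"):
    """Run both checks over a log and return (burst alerts, dormant access)."""
    events = parse_log(log_text)
    return failed_login_bursts(events), dormant_access(events, assignments,
                                                       datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    alerts, stale = run_review()
    for a in alerts:
        print(f"ALERT {a['user']}: {a['count']} failures from {a['start']} off_hours={a['off_hours']}")
    for user, system, last in stale:
        print(f"REVIEW {user} still has {system}; last successful login: {last}")
```

The dormant-access report is the input to the revocation decision the post recommends; it deliberately lists users who hold access but have never logged in, since access that was granted and never used is the easiest to remove.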

Additionally, your IT team needs a way to suspend access for a program or user that has been breached. Whether that is a mobile device management tool that can remotely lock down a computer or Active Directory used to suspend an account and its access, this capability is critical when a cybersecurity incident occurs.

Protective measures help not only in the case of a hack but also against an insider threat.

A Secure ESOP Protects Your Employee-Owners 

With more secure roles and access to your systems, your company will be a safer place for your employee-owners.  

When defining your roles and what they have access to, ask yourself: “Who do I trust to have the keys to my kingdom?” If someone has access that shouldn’t, they could be putting your data at risk. 

If you aren’t sure how to begin securing your systems, Guide Star can help you with the technical aspects of access control, and even work with you to create roles for your employees. Guide Star can also assist you with creating Active Directory groups, setting up MFA, and working with your IT team to implement a password management tool.  

Once your access controls are in place, we can help your company with log reviews, and even processes for suspending accounts. 

Create a safer environment by assigning roles and keeping a close eye on your systems, but part of securing your systems is exceptional training.  

Brush up on how to create a strong cybersecurity program now.