Cybersecurity controls are methods for mitigating risks to digital systems that can be applied to provide a higher assurance that those systems are protected. While these controls help to prevent attacks, that does not mean attackers will stop probing your methods of protection. There are hundreds of possible controls, depending on the sophistication of your digital devices. The first step for any cybersecurity program is to identify all the digital assets you need to protect. Once they are identified, the task of determining what is required to secure each device begins. The number of controls will vary depending on the size of the digital system, but there are numerous commonalities that can be addressed with access control.
The purpose of access control is to ensure that only authorized individuals or processes acting on your behalf can access your digital systems. Companies need a formal documented access control policy. The access control policy should address:
1. Account Management – manages and documents accounts (authorizing, establishing, activating, modifying, reviewing, disabling, and removing).
2. Access Enforcement – enforce authorizations in accordance with documented policies.
3. Information Flow – authorizes the flow of information between interconnected systems and regulates where information can travel.
4. Separation of functions – ensures the division of responsibilities to prevent conflicts of interest, no one person has power over all activities.
5. Least Privilege – assign users the minimum set of rights they need.
6. Login attempts – locks out users on a number of failed login attempts within a certain period of time.
7. System use notification – gives the user a system use notification message before granting users system access.
8. Previous logon notification – upon logon, display the time and date of the last logon.
9. Session lock – initiate a session lock after a period of inactivity, requires you to login again.
10. Management Review – management reviews activities of users.
11. Emergency Actions – identify actions that may be taken in an emergency without identification or authentication.
12. Wireless access – restricts wireless access except through a boundary device.
13. Rogue connections – perform periodic checks to ensure there are no unauthorized connections.
14. Access Control for portable devices – establishes the restrictions for control of portable devices (phones, laptops, etc.).
15. Access from external systems/remote access – prohibits access from an external system unless it is done through a secure portal such as a Virtual Private Network (VPN).
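Items 6, 8 and 9 above (failed-login lockout, previous logon notification and session lock) are the ones most often enforced in code rather than only on paper. The following is an added illustration, not code from the original article; the thresholds (5 failures in a 15-minute window, a 30-minute lockout, a 10-minute idle limit) are assumed policy values, and timestamps are passed in explicitly so the logic can be exercised without waiting.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed policy parameters (not taken from the article).
MAX_FAILED_ATTEMPTS = 5          # item 6: failures allowed inside the window
FAILURE_WINDOW_SECONDS = 15 * 60  # item 6: sliding window for counting failures
LOCKOUT_SECONDS = 30 * 60         # item 6: how long the account stays locked
SESSION_IDLE_SECONDS = 10 * 60    # item 9: inactivity before the session locks


@dataclass
class AccountState:
    failed_at: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                             # 0 means not locked
    last_logon: Optional[float] = None                    # item 8: previous successful logon


class AccessController:
    """Toy enforcement of the lockout and previous-logon parts of the policy."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def attempt_login(self, user: str, password_ok: bool, now: float) -> Tuple[bool, str]:
        """Return (granted, message). `now` is a Unix timestamp supplied by the caller."""
        st = self._state(user)
        if now < st.locked_until:
            return False, "account locked"
        # Drop failures that have aged out of the sliding window.
        st.failed_at = [t for t in st.failed_at if now - t < FAILURE_WINDOW_SECONDS]
        if not password_ok:
            st.failed_at.append(now)
            if len(st.failed_at) >= MAX_FAILED_ATTEMPTS:
                st.locked_until = now + LOCKOUT_SECONDS
                st.failed_at.clear()
                return False, "account locked"
            return False, "invalid credentials"
        # Successful logon: report the previous logon time (item 8) and reset counters.
        previous = st.last_logon
        st.last_logon = now
        st.failed_at.clear()
        message = "first logon" if previous is None else f"last logon at {previous}"
        return True, message


def session_active(last_activity: float, now: float) -> bool:
    """Item 9: the session stays usable only while the idle time is under the limit."""
    return now - last_activity < SESSION_IDLE_SECONDS
```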
Since organizations are unique and individual in nature, each item does not necessarily have to be addressed. However, due diligence should be exercised to determine whether it needs to be applied in a particular situation. For example, if you only have one employee then separation of duties would not apply, and if you have no wireless devices then you don’t need a wireless policy.
This discussion centered on the potential need for access controls, which may become costly for an organization, so financial decisions need to be made. If an organization has thousands of digital devices to evaluate, combined with hundreds of possible controls needed, the costs for cybersecurity can escalate quickly. Companies have to assess their risks and decide if it is really necessary to implement a specific control. A decision may be made to accept a particular risk and avoid the cost associated with implementing the control, but there must be a full understanding that a security breach can shut a company down. Research indicates that over sixty percent of small businesses that are breached close their doors within six months. Once a breach occurs and becomes public knowledge, an organization’s reputation can be ruined and business quickly lost, as customers do not want their sensitive information being handled by a company that does not exercise due diligence in safeguarding their data.
Does cybersecurity fascinate you? Do you dream of a career in cybersecurity? You can do it! Enroll in classes and explore your passion. The NCI through Excelsior College offers many degree options as well as certificates in cybersecurity.