eSecurity

Who should be authorised to get access to certain types of data?

7. Authorisations

Employees at different levels, contractors, suppliers and other users will need different levels of access to your company's data and computer networks. Authorisation is the allocation or restriction of transactions (tasks) according to what each user needs. Security authorisation ensures employees have enough access to do their job, but not enough to see or do something that could pose a security risk.

Authorisation can be role based (what the user does), menu based (which functions they need to reach), and/or task based (what they need to do for the job in hand).

Guidelines:
  • Access to sensitive data should be on a need-to-know basis only. User accounts should not be shared. Job roles should be defined, and user authorisations should be defined and implemented to support those roles, so that employees can only see the information they are supposed to see.
  • Users should sign a documented acknowledgement of the rights and responsibilities that come with their access. Authorisations should be reviewed regularly and adjusted so they remain appropriate. As employees' roles change, their privileges may also need to change: someone who once needed access to financial data may no longer require it, and vice versa.
  • Access control procedures should be documented, implemented and reviewed periodically. These procedures should provide effective categorisation and control of user access.
As additional capabilities and changes in functionality are added to your company's web site, review the access controls that apply to them so that overall security remains adequately controlled. User access policies and procedures should be developed and implemented to ensure that only the appropriate level of access is allowed. If you want to connect more closely with your suppliers to share data such as inventory records, you must ensure the appropriate controls are in place to prevent them from getting onto the rest of your network and seeing other data such as your financial and confidential records.
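The role-based approach above, as an added example that is not part of the guide: a deny-by-default authorisation check where each role grants an explicit set of (data type, task) pairs, a supplier role that reaches inventory records only, and a role change that removes the old role so privileges do not accumulate. The role names, resources, users and the audit helper are all constructed for illustration.

```python
"""Added example (not from the guide): minimal role-based authorisation.
Roles, resources and user names are illustrative assumptions."""
from dataclasses import dataclass, field

# Role -> set of (resource, action) pairs the role may perform.
# Actions are the "tasks" the guide refers to; resources are the data types.
ROLE_PERMISSIONS = {
    "finance":   {("financial_records", "read"), ("financial_records", "write")},
    "warehouse": {("inventory", "read"), ("inventory", "write")},
    "supplier":  {("inventory", "read")},          # external party: inventory only
    "admin":     {("user_accounts", "manage")},    # administering accounts grants no data access
}


@dataclass
class User:
    """One named, non-shared account with the roles it currently holds."""
    username: str
    roles: set = field(default_factory=set)


def is_authorised(user, resource, action):
    """Deny by default: allow only if one of the user's roles grants exactly
    this (resource, action) pair. Unknown roles grant nothing."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in user.roles)


def change_role(user, old_role, new_role):
    """Job change: remove the old role before adding the new one, so access
    that is no longer needed (e.g. to financial data) is actually withdrawn."""
    user.roles.discard(old_role)
    user.roles.add(new_role)


def who_can(users, resource, action):
    """Periodic review helper: list every user currently able to perform
    (resource, action). Useful for checking need-to-know after role changes."""
    return sorted(u.username for u in users if is_authorised(u, resource, action))


if __name__ == "__main__":
    alice = User("alice", {"finance"})
    acme = User("acme_supplier", {"supplier"})
    print(is_authorised(acme, "inventory", "read"))            # True
    print(is_authorised(acme, "financial_records", "read"))    # False
    change_role(alice, "finance", "warehouse")
    print(who_can([alice, acme], "financial_records", "read")) # []
```

The check is deliberately an exact match on (resource, action): a supplier allowed to read inventory is not thereby allowed to write it, and nothing outside the table is reachable.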

8. How do I know it's them?

Authentication

Authentication is the process of verifying that a user is who they claim to be, so that the system can then apply the authorisations that belong to that identity. The goals of access controls are to permit access to information and technology on a need-to-know, job-function-related basis, and to ensure users cannot gain access to information and technology for which they are not authorised. Examples of access control mechanisms include password length and expiry rules, digital certificates and biometrics.

Guidelines:

At a basic level, administrative access should be limited to the smallest number of users possible.

Not everyone should have access to everything.

The database should log changes to data, such as record deletion and modification; changes to the environment, such as additional workstations, systems and software, should be reviewed periodically.

Password protection is relevant to everyone in your organisation. If these rules are set from the beginning, enforcing them later is much easier:
  • A registration and enrolment process should be in place to ensure that only authorised users get access in the first place.
  • All new accounts should be given initial passwords set by administrators. These, and any password reset by an administrator, should expire at first use, after which the user specifies their own password.
  • Passwords should be alphanumeric (letters and digits) with at least 7 characters. Tell new employees that this is the rule and that there are no exceptions.
  • The maximum time between setting a password and its expiry is 60 days.
  • Accounts should be locked after a maximum of 6 consecutive invalid login attempts.
  • Session time-outs should be implemented: give users enough time to perform their transactions and receive the results, without leaving an idle session open. As a general guideline, a session should time out after approximately 15 minutes of inactivity.
  • Default accounts, such as visitor access for contract workers, should be given a strong password and disabled when not in use.
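The account rules above, as an added example that is not part of the guide: an account object that enforces the administrator-set initial password expiring at first use, the alphanumeric 7-character minimum, 60-day expiry, lockout after 6 failed attempts and a 15-minute idle timeout. The thresholds are the guide's; the storage layout, the use of salted PBKDF2 for the stored password, the status strings and the clock being passed in as a parameter are assumptions made for this example.

```python
"""Added example (not from the guide): enforcing the guide's password and
session rules on a single account. Hashing scheme, status strings and the
injected clock are assumptions; the numeric thresholds are the guide's."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 7                         # "at least 7 characters"
MAX_PASSWORD_AGE = timedelta(days=60)  # "expiry is 60 days"
MAX_FAILED_ATTEMPTS = 6                # "maximum of 6" invalid attempts
IDLE_TIMEOUT = timedelta(minutes=15)   # "15 minutes of inactivity"


def password_meets_policy(pw):
    """Alphanumeric with at least 7 characters: here read as 'contains both
    a letter and a digit', which is the strictest common reading."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def _hash(pw, salt):
    # Salted, iterated hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Account:
    def __init__(self, username, initial_password, now):
        # Administrator sets the first password; it must be changed at first use.
        self.username = username
        self.salt = os.urandom(16)
        self.digest = _hash(initial_password, self.salt)
        self.password_set_at = now
        self.must_change = True
        self.failed_attempts = 0
        self.locked = False
        self.last_activity = None      # None means no live session

    def login(self, password, now):
        """Returns 'ok', 'must_change', 'expired', 'locked' or 'bad_password'."""
        if self.locked:
            return "locked"            # even a correct password is refused
        if not hmac.compare_digest(_hash(password, self.salt), self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "bad_password"
        self.failed_attempts = 0       # successful authentication resets the counter
        if self.must_change:
            return "must_change"       # initial/admin-set password: force a change
        if now - self.password_set_at > MAX_PASSWORD_AGE:
            return "expired"           # caller must route to set_password()
        self.last_activity = now       # session starts
        return "ok"

    def set_password(self, new_password, now):
        """User-chosen password; rejected unless it meets the policy."""
        if not password_meets_policy(new_password):
            return False
        self.salt = os.urandom(16)
        self.digest = _hash(new_password, self.salt)
        self.password_set_at = now
        self.must_change = False
        return True

    def session_valid(self, now):
        """True only if the last activity is within the idle timeout; an idle
        session is expired rather than silently kept alive."""
        if self.last_activity is None:
            return False
        if now - self.last_activity > IDLE_TIMEOUT:
            self.last_activity = None
            return False
        self.last_activity = now       # activity extends the session
        return True
```

The clock is passed in rather than read from `datetime.now()` so the expiry, lockout and timeout branches can be exercised deterministically; in production the caller would pass the current time.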



National Development Plan The Programmes of Enterprise Ireland are co-funded by EU Structural Funds