Introduction
User access control is a fundamental aspect of Cyber Essentials, ensuring that only authorised individuals have access to sensitive systems and data. Effective access control measures significantly reduce the risk of data breaches and cyber attacks by limiting unnecessary exposure to critical information. Here, we explore why user access control matters, what the Cyber Essentials controls require, and some best practices.
Why User Access Control is Important
Unrestricted access to systems and data increases the likelihood of security breaches, whether accidental or malicious; cyber attackers often exploit weak or mismanaged access controls to gain entry into systems. A well-structured approach to user access management can mitigate these risks and enhance overall cybersecurity resilience.
Every user account typically provides access to devices, applications, and data. By ensuring that only authorised individuals have accounts, and that those accounts can access only what is required for their role, the risk of information being stolen, viewed, or damaged is reduced.
Accounts with special (administrator) privileges have further access. If these accounts are compromised, an attacker usually has a greater ability to access information, may be able to cause widespread disruption to business operations, and may gain access to other devices.
User Access Control in Cyber Essentials
To meet Cyber Essentials certification requirements, organisations must:
- Have a process to create and approve user accounts.
- Authenticate users with unique credentials, before granting access to applications or devices.
- Remove or disable user accounts when they’re no longer required, for example when a user leaves an organisation.
- Implement multi-factor authentication, where available – especially for cloud services.
- Use separate accounts to perform administrative activities, and do not use them for web browsing, email, or other standard user activities.
- Remove or disable special access privileges when no longer required, such as when a staff member changes role.
When passwords are used to authenticate users, protective measures must be put in place:
- Protecting passwords from brute force.
- Using technical controls to manage the quality of passwords.
- Supporting users to choose unique passwords.
Considerations and Key Notes
When considering user access control for your organisation:
- Have a documented process for user setup, deletion, moves/changes, and allocation of administrator privileges, with approval by appropriate individual(s) such as leadership.
- Ensure users only have access to the systems and data that are required for their role.
- Have separate accounts for administrator duties and standard user duties – including cloud services – and regularly review who has administrator access.
- Provide training, process, and/or policy to ensure standard user activity (such as web browsing and email) is not being carried out while using administrator privileges.
- Have a password policy in place that sets a minimum character length, sets no maximum character length, and prompts users to change their password if it is suspected of being compromised.
- Use multi-factor authentication for all cloud services and administrator privileges.
Key Notes
- Use multi-factor authentication where possible, to reduce risk.
- Avoid overly complex passwords and regular password expiry – to support users.
- Leverage NCSC guidance for creating unique passwords by using three random words.
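The password protections listed above (brute-force protection, technical controls on password quality, minimum but no maximum length, no complexity or expiry rules) can be expressed in code. The following is an added illustration written for this article, not an NCSC or IASME artefact; the 12-character minimum, the 10-attempt lockout threshold, the 10-minute lockout window and the tiny deny-list are assumed values standing in for what an organisation would set and for a real breached-password list.

```python
from __future__ import annotations
import time
from dataclasses import dataclass, field

MIN_LENGTH = 12          # assumed minimum length; the article sets no number
LOCKOUT_THRESHOLD = 10   # failed attempts before an account is throttled (assumed)
LOCKOUT_SECONDS = 600    # throttle window in seconds (assumed)

# Constructed deny-list for illustration; a real deployment would check a
# large set of known-compromised passwords instead.
DENY_LIST = {"password", "password123", "qwerty123456", "letmein12345"}


def check_password_quality(password: str) -> list[str]:
    """Return the policy reasons a password is rejected; an empty list means accepted.

    Deliberately absent, in line with the guidance: no maximum length, no
    character-class complexity rules and no expiry, only length plus a deny-list.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in DENY_LIST:
        problems.append("appears on the deny-list of known weak passwords")
    return problems


@dataclass
class LoginThrottle:
    """Per-account failed-attempt counter: the brute-force protection the controls require."""
    failures: dict[str, int] = field(default_factory=dict)
    locked_until: dict[str, float] = field(default_factory=dict)

    def is_locked(self, account: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        return self.locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float | None = None) -> None:
        """Count a failed login; on reaching the threshold, lock the account for a window."""
        now = time.time() if now is None else now
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0

    def record_success(self, account: str) -> None:
        """A successful login clears the counter and any lock."""
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)
```

A three-random-words passphrase such as the sample below passes the quality check without any symbol or digit requirement, while a short dictionary password fails on both counts.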
Example Scenario
Microsoft 365 for Business is being used for organisational data storage and creation
- For this environment, focus is on Microsoft 365 for Business and user access control.
- Create and follow a procedure for setting up a standard user, leveraging MFA.
- Ensure a separate account is in place for any administrative/special access privileges and that the standard user only has access to data required for their role.
- Provide guidance to support the creation of unique passwords by referencing the use of NCSC’s three random words and suggest password management through the appropriate tools.
- Have a policy in place to support password length and the changing of passwords in the event of a potential compromise.
- Ensure processes are followed when the user changes roles and/or leaves the business, so that the user account is reviewed and changed or removed as required.
Tips and Recommendations
- Ensuring cloud services have MFA in place for users and administrators is crucial.
- Having training, processes, and policies to ensure administrator accounts are used for specific purposes and not for email access/web browsing is also key – applying that to managed service providers is expected.
- Providing team members with support in the use of safe/secure passwords can be achieved through basic training and education.
- Using a reputable password manager (vault) can help keep passwords safe.
- Guidance and support are readily available from an NCSC Cyber Advisor (such as RB Consultancy Ltd).
For more detailed guidance, review the IT Requirement for Infrastructure document and/or visit the IASME knowledge hub for Cyber Essentials.
How We Help
At RB Consultancy Ltd, we support organisations in using user access controls to meet Cyber Essentials and Cyber Essentials Plus requirements:
- We explain the importance of user access controls.
- We help ensure users are set up securely.
- We explain why the Cyber Essentials questions are being asked and how they are intended to protect organisations in different ways.
- We ensure user access control settings and processes align with Cyber Essentials guidelines.
- We assess and issue organisations with Cyber Essentials and Cyber Essentials Plus certifications.
Conclusion
User access controls are a critical component of cyber security and Cyber Essentials certification, helping to protect your business from cyber threats. Insecure user access control can leave your organisation vulnerable. By implementing best practices and ensuring compliance with Cyber Essentials technical controls, organisations can significantly reduce their cyber risk. If you need any assistance with user access control settings, or Cyber Essentials / Cyber Essentials Plus certification, please contact us for support.