Cyber Essentials Access Controls
The Cyber Essentials access controls ensures that only authorized individuals have user accounts, and that they are granted only as much access as they need to perform their roles. These controls significantly reduce the risk of information being stolen or damaged.
Cyber Essentials - Access Control Requirements
User Account Management
User accounts have access to your organization’s data and services. It is therefore important that user accounts and their privileges’ are controlled and that the identity of all connecting users are properly verified using strong authentication methods.
Privileged and Administrative Accounts
Privileged and administrative accounts have enhanced access to devices, applications and information.
As malicious actors can exploit the greater freedoms in privileged and administrative accounts to facilitate large scale corruption of information, disruption to business processes and unauthorized access to other devices in the organization, it is crucial that privileged accounts are protected and controlled.
Cyber Essentials – Access Control Requirements
The cyber essentials certification requires organisations to :
• Have a user account creation and approval process.
• Authenticate users before granting access to applications or devices, using unique credentials.
• Remove or disable user accounts when no longer required (i.e. when a user leaves the organisation or after a defined period of account inactivity, for example).
• Implement two-factor authentication where available.
• Use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).
• Remove or disable special access privileges when no longer required (when a member of staff changes role, for example).