Limit access to data and services

Access to information, systems and locations is necessary to do your job. To minimise the risk of accidents and misuse, it is important that your employees, and partners outside your organisation, only have the access needed for their work, and only for the period in which it is required. So, only give your people access to the information, systems and locations they need.
Animation
Watch this short animation made by DTC about limiting access. The video comes with English subtitles.
Why this basic principle?
Access management must be properly organised. This reduces the risk of user errors. It also ensures that malicious parties can do less damage if they gain access. They will only be able to access what is relevant for the role with which they logged in. Access for service accounts, machine accounts, and functional accounts must also be limited to what is necessary.
What should you do?
A password protects your business's fixed and mobile devices, as well as your business data in the cloud, wireless networks, email accounts, and social media accounts. Most passwords consist of a combination of letters and numbers, but there are other options to log in, such as a PIN code, Touch ID, or security pattern. You could also consider using passkeys (in Dutch).
A password alone is usually not enough. Access to banking, company data in the cloud, or the business administration on the company network requires extra security. Check whether extra security is possible and set it up. Consider multi-factor authentication (MFA) or two-factor authentication (2FA), or logging in with a token.
Define for each employee which systems and data they should have access to in order to do their job. A rights matrix (in Dutch) is a useful tool for this.
Ensure that access rights are adjusted when someone (internal and/or external) takes on a new role or leaves the company. This is particularly important in case of the sudden (involuntary) departure of a system administrator. The same applies if you are working with a new supplier or accountant, for example. Use this handy template for new and departing employees (in Dutch).
Make sure you have processes for the hiring, departure, and internal transfer (in Dutch) of employees. Only give new employees access to the resources they need. This also applies to physical spaces such as server rooms or areas where sensitive information is stored. Delete unused accounts. Deactivate service accounts and only activate them when maintenance is taking place.
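As an added example that is not part of the DTC page, the Python script below shows how the three points above (a rights matrix per role, adjusting rights when someone changes role or leaves, and removing unused or idle accounts and service accounts) can be checked mechanically against an export of current accounts. The roles, system names, account names and dates are constructed placeholders, and the 90-day idle threshold and the "maintenance window" flag are assumptions, not figures from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed rights matrix (placeholder roles and systems, not from the page):
# which systems each role needs in order to do its job.
RIGHTS_MATRIX = {
    "sales": {"crm", "email"},
    "finance": {"accounting", "email"},
    "sysadmin": {"crm", "accounting", "email", "admin-console", "server-room"},
    "supplier": {"ticketing"},
    "backup": {"file-server"},
}


@dataclass
class Account:
    name: str
    role: str                       # role as recorded in HR / the rights matrix
    granted: set                    # systems the account can actually reach today
    active: bool
    last_login: Optional[date]      # None = never used
    kind: str = "user"              # "user" (personal) or "service"
    left_on: Optional[date] = None  # departure date, if the person has left


def audit(accounts, matrix, today, stale_after=90, maintenance_window=False):
    """Compare actual access with the rights matrix and the lifecycle rules.

    Returns a list of (account name, issue code, detail) tuples.
    """
    findings = []
    for acc in accounts:
        allowed = matrix.get(acc.role)
        if allowed is None:
            # No row in the matrix: nobody has defined what this role may access.
            findings.append((acc.name, "unknown-role", acc.role))
            allowed = set()
        excess = acc.granted - allowed
        if excess:
            # Rights that outlived a role change, or were never justified.
            findings.append((acc.name, "excess-access", sorted(excess)))
        if acc.left_on is not None and acc.left_on <= today and acc.active:
            findings.append((acc.name, "active-after-departure", acc.left_on.isoformat()))
        if acc.kind == "service":
            # Service accounts should be active only while maintenance is taking place.
            if acc.active and not maintenance_window:
                findings.append((acc.name, "service-account-active", "outside maintenance"))
            continue
        idle = None if acc.last_login is None else (today - acc.last_login).days
        if acc.active and (idle is None or idle > stale_after):
            detail = "never used" if idle is None else f"{idle} days idle"
            findings.append((acc.name, "stale-account", detail))
    return findings


def sample_accounts():
    # Constructed account export; names and dates are placeholders.
    return [
        Account("alice", "sales", {"crm", "email"}, True, date(2024, 5, 30)),
        Account("bob", "finance", {"accounting", "email", "admin-console"}, True, date(2024, 5, 28)),
        Account("carol", "sysadmin", {"crm", "accounting", "email", "admin-console", "server-room"},
                True, date(2024, 4, 1), left_on=date(2024, 4, 15)),
        Account("dave", "sales", {"crm", "email"}, True, date(2024, 1, 10)),
        Account("temp-intern", "intern", {"email"}, True, date(2024, 5, 29)),
        Account("supplier-ops", "supplier", {"ticketing"}, True, date(2024, 5, 31)),
        Account("backup-svc", "backup", {"file-server"}, True, None, kind="service"),
    ]


def run_sample(today=date(2024, 6, 1), maintenance_window=False):
    return audit(sample_accounts(), RIGHTS_MATRIX, today, maintenance_window=maintenance_window)


if __name__ == "__main__":
    for name, issue, detail in run_sample():
        print(f"{name:12} {issue:24} {detail}")
```

Run regularly (for example as part of the joiner/mover/leaver process) against a fresh export, the output is a short work list: revoke the excess rights, deactivate the departed administrator's account, follow up on the idle account, and switch the service account off until the next maintenance window.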
Ensure that access to data and services is personal, with each employee having their own user account. Avoid generic accounts that are shared between multiple employees or multiple employees of a supplier, for example.
Ensure that systems lock automatically after a few minutes so that they cannot be accessed by unauthorised persons. Also make agreements with employees that they lock their systems themselves when they leave their workstations.
Read more about the 5 basic principles of running a secure digital business.