Access Control Policies for Modern Businesses

Information security is not limited to preventing and mitigating cybercrime. As long as business information is handled in a digital manner, compliance will also be part of the IT security continuum, which in turn is tied to corporate governance. Compliance can be regulatory and internal; the latter often refers to establishing content access controls through a set of rules and strategies.

When we talk about content access control, we usually think about employee access to sensitive information; in some cases, however, there may be a need to set up content access policies for vendors and customers. At the most basic level of access control, digital credentials such as strong passwords can be effective, but there are other means to prevent unauthorized access situations.

The goal of access control is to match roles and responsibilities to the privileges' granted to users. It is generally recommended to formulate content access policies on a need-to-know basis. Let's say a law firm handles offshore trusts and asset protection for wealthy and high-profile clients; this is a perfect example of a situation in which you will want to limit access to certain files, folders, applications, and even drive partitions.

Information handled by your human resources department is an even more common example of why access control policies need to be enacted. This is a matter of both regulatory and internal compliance because it is related to data privacy laws. The last thing you want would be a free-for-all in which your staff members are able to see employee records filled with personal information such as home addresses, Social Security numbers, dates of birth, and compensation. The same can be said about electronic health records, which in the United States must be stored and managed in compliance with the Health Insurance Portability and Accountability Act (HIPAA).

Biometrics and two-factor authentication are emerging as the future of access control and digital credentials, but effective password management can still go a long way towards setting up access control. Passwords that are 12 characters long and include features such as symbols, numbers, and uppercase letters are virtually impervious to traditional brute force cracking methods such as dictionary attacks.