We have covered the areas of user access security that matter not only for compliance in finance but for good security practice in general. The following checklist is a quick guide to whether your organization meets the user access requirements of GLBA, SOX, PCI DSS and the FCA. Bear in mind that compliance does not require every item to be ticked; a “tick” for everything on the list is the best-practice ideal, not the compliance minimum.
On-boarding employees
- Is security training given to new employees when they start?
- Are new employees shown a security policy?
- Are new employees asked to sign a security policy?
- Do employee contracts include agreement to the security policy?
- Are background checks run on new employees?
Training, awareness and procedure
- Is there a documented security policy?
- Is the use of secure passwords enforced?
- Are employees given regular security awareness training?
To support IT professionals’ efforts to raise user security awareness, IS Decisions has developed ‘The Weakest Link: A User Security Game’. Free to play, it was developed with input from security experts and analysts and from the community on the IT social network Spiceworks.
- Are there clearly defined roles with regard to responsibility for security?
- Does senior management bear responsibility for information security?
- Is there a clearly defined process for reporting potential security breaches?
- Are regular security audits or reports conducted?
- Is there a swift response process for identified potential breaches?
- Are penalties in place for employees who breach the security policy?
Network access
- Are employees given user logins?
- Are those logins unique IDs for each user?
- Are any additional forms of access authentication (e.g. security tokens, authentication apps, etc.) used?
See how UserLock MFA makes access controls more robust and enhances their effectiveness by adding a second factor of authentication to verify that authenticated users are who they say they are.
- Are users automatically logged off the network following a period of inactivity?
- Are concurrent logins restricted, meaning users cannot log in from more than one device at the same time?
- Are users restricted from sharing logins?
- Are unique user IDs also used for remote network access?
- Is access to the network monitored?
- Can actions on the network be attributed to individual users?
UserLock helps verify every user’s identity to ensure that access to critical assets is attributed to an individual employee, making users accountable for any activity (malicious or not).
- Is access to the network limited to specific locations (specific workstations, departments)?
- Is access to the network restricted to specific times (e.g. business hours)?
Data access and necessity
- Are levels of user network access assigned according to the needs of each role?
Set and enforce granular access rules to restrict and control employees’ access to the network (and the data within it) across each session type (including Wi-Fi and VPN). UserLock helps secure access for a remote and mobile workforce.
- Are specific files or folders restricted according to job role?
- Are specific actions (copying, moving, deleting) on files and folders monitored?
- Is access to specific files and/or folders monitored?
FileAudit constantly examines and records read/write/delete accesses (or access attempts), file ownership changes and permission modifications, in real time, so IT or management can immediately address any inappropriate access.
Moving jobs or roles
- Is there a process in place for the management of temporary access to the network?
- Is there a process in place for the review of network access when employees change roles?
Centralized access control with UserLock means network restrictions can be easily set and changed by user, user group or organizational unit.
- Is there a process in place for when employees leave the organization?
- Is user access to the network deactivated when employees leave the organization?
- Is there a formal de-registration process in place for employees who leave the organization?
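Two of the questions above can be checked directly against Active Directory rather than answered from memory: whether access is restricted to specific times, and whether accounts of people who have left are actually deactivated. The script below is an added example written for this page; it is not part of the original checklist and is not UserLock or FileAudit code. It assumes the ActiveDirectory RSAT module, a domain-joined session with read access to user objects, and a 90-day review threshold (the threshold, the function name and the output path are assumptions, not requirements of any of the regulations named above).

```powershell
# Added example, not part of the original checklist or of UserLock/FileAudit.
# Assumptions: ActiveDirectory RSAT module present, domain-joined session with
# read access to user objects, 90-day review threshold, CSV path of your choice.
Import-Module ActiveDirectory

function Get-AccessReviewFindings {
    param(
        [int]$StaleDays = 90,        # assumption: how long an enabled account may sit unused
        [string]$SearchBase = $null  # optional OU distinguished name to scope the review
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    $params = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'LastLogonDate', 'logonHours', 'whenCreated'
    }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }
    $users = Get-ADUser @params

    foreach ($u in $users) {
        # Leaver check (offboarding questions): still enabled, but not used since the cutoff.
        # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to
        # about 14 days of lag, so treat hits as a review queue, not as proof of non-use.
        $neverUsed = ($null -eq $u.LastLogonDate) -and ($u.whenCreated -lt $cutoff)
        $stale     = ($null -ne $u.LastLogonDate) -and ($u.LastLogonDate -lt $cutoff)
        if ($neverUsed -or $stale) {
            [pscustomobject]@{
                Finding        = 'EnabledButUnused'
                SamAccountName = $u.SamAccountName
                LastLogonDate  = $u.LastLogonDate
                Detail         = "No logon recorded since $($cutoff.ToShortDateString())"
            }
        }

        # Logon-hours check (time-of-day restriction question): the attribute is absent
        # when it was never configured, and all 21 bytes are 0xFF when it was explicitly
        # set to "always permitted"; in both cases no time restriction applies.
        $hours = $u.logonHours
        $unrestricted = (-not $hours) -or
                        (@($hours | Where-Object { $_ -ne 255 }).Count -eq 0)
        if ($unrestricted) {
            [pscustomobject]@{
                Finding        = 'NoLogonHoursRestriction'
                SamAccountName = $u.SamAccountName
                LastLogonDate  = $u.LastLogonDate
                Detail         = 'Account may log on at any hour of any day'
            }
        }
    }
}

# Usage: review the findings on screen, then keep a dated copy as audit evidence.
$findings = Get-AccessReviewFindings -StaleDays 90
$findings | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
$findings | Export-Csv -Path ".\access-review-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it from an account that can read user objects (no write rights are needed) and file the CSV with the rest of the audit evidence; an account that appears under EnabledButUnused on two consecutive reviews is a strong sign that the de-registration process above is not being followed. The script does not cover concurrent-login or location restrictions, which native Active Directory does not enforce on its own.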