We’ve gone through all the areas of user access security that relate not only to compliance with the law but also to general good security practice. The following checklist should offer an easy guide to whether your organisation is compliant with FISMA, ISO 27001, the Data Protection Act and Lexcel. Bear in mind that even if the checklist tells you that you are compliant, achieving a ‘tick’ for every item on the list is the ideal for complete best practice.
On-boarding employees
- Is security training given to new employees when they start?
- Are new employees shown a security policy?
- Are new employees asked to sign a security policy?
- Do employee contracts include agreement to the security policy?
- Are background checks run on new employees?
Training, awareness and procedure
- Is there a documented security policy?
- Is use of secure passwords enforced?
- Are any additional forms of access authentication (e.g. security tokens, authenticator applications) used?
See how UserLock MFA makes access controls more robust and enhances their effectiveness by adding a second factor of authentication to verify that authenticated users are who they say they are.
- Are employees given regular security awareness training?
To help support IT professionals’ efforts to raise user security awareness, IS Decisions has developed ‘The Weakest Link: A User Security Game’. Free to play, it was developed with input from security experts and analysts and from the community on the IT social network Spiceworks.
- Are there clearly defined roles with regard to responsibility for security?
- Does senior management bear responsibility for information security?
- Is there a clearly defined process for reporting potential security breaches?
- Are regular security audits or reports conducted?
- Is there a swift response process for identified potential breaches?
- Are penalties in place for employees who breach the security policy?
Network access
- Are employees given user logins?
- Are those logins unique IDs for each user?
- Are users automatically logged off the network after a period of inactivity?
UserLock automatically logs off a session after a specified length of idle time to prevent unauthorised users from accessing information on unattended workstations. What’s more, UserLock can set authorised timeframes for certain users’ access and force workstations to log off outside those hours.
- Are concurrent logins restricted, so that users cannot log in from more than one device?
- Are users prevented from sharing logins?
- Are unique user IDs also used for remote network access?
- Is access to the network monitored?
- Can actions on the network be attributed to individual users?
UserLock helps verify every user’s identity to ensure that access to critical assets is attributed to individual employees, making users accountable for any activity (malicious or not).
- Is access to the network limited to specific locations (specific workstations, departments)?
- Is access to the network restricted to specific times (e.g. business hours)?
Data access and necessity
- Are levels of user network access assigned according to the needs of each role?
Set and enforce granular access rules to restrict and control employees’ access to the network (and the data within it) across each session type, including Wi-Fi and VPN. UserLock helps secure access for a remote and mobile workforce.
- Are specific files or folders restricted according to job role?
- Are specific actions (copying, moving, deleting) on files and folders monitored?
- Is access to specific files and/or folders monitored?
FileAudit constantly tracks and records read/write/delete access events (or access attempts), file ownership changes, and NTFS permission and property changes, in real time, so IT or management can immediately address any inappropriate access events.
Moving jobs or roles
- Is there a process in place for the management of temporary access to the network?
- Is there a process in place for reviewing network access when employees change roles?
Centralised access control with UserLock means network restrictions can be easily set and changed by user, user group or organisational unit.
- Is there a process in place for when employees leave the organisation?
- Is user access to the network deactivated when employees leave the organisation?
- Is there a formal de-registration process in place for employees who leave the organisation?