We have gone through all the areas of user access security that relate not only to legal compliance but to good security practice in general. The following checklist should offer an easy guide to whether your organisation is compliant with FISMA, ISO 27001, the Data Protection Act and Lexcel. Bear in mind that even where the checklist shows you are compliant, achieving a ‘tick’ for everything on the list is the ideal for complete best practice.

On-boarding employees

  • Is security training given to new employees on start?

  • Are new employees shown a security policy?

  • Are new employees asked to sign a security policy?

  • Do employee contracts include agreement to security policy?

  • Are background checks run on new employees?

Training, awareness and procedure

  • Is there a documented security policy?

  • Is use of secure passwords enforced?

    Strengthen network credentials far beyond native Windows Active Directory functionality with UserLock’s access restrictions and real-time monitoring.
  • Are any additional forms of access authentication (e.g. security tokens, authenticator applications) used?

    See how UserLock MFA makes access controls more robust and enhances their effectiveness by adding a second factor of authentication to verify that authenticated users are who they say they are.
  • Are employees given regular security awareness training?

    To help support IT professionals’ efforts to raise user security awareness, IS Decisions have developed ‘The Weakest Link: A User Security Game’. Free to play, it was developed with input from security experts and analysts and from the community on the IT social network Spiceworks.
  • Are there clearly defined roles with regards to responsibility for security?

  • Does senior management bear responsibility for information security?

  • Is there a clearly defined process for reporting potential security breaches?

  • Are regular security audits or reports conducted?

    IS Decisions offer comprehensive auditing of all access events across a Windows Server-based network. UserLock records, centralizes and audits all network logon events. FileAudit audits all access and access attempts to files and folders.
  • Is there a swift response process for identified potential breaches?

  • Are penalties in place for employees?

Network access

  • Are employees given user logins?

  • Are those logins unique IDs for each user?

    UserLock ensures that nobody can log on to the system without uniquely identifiable credentials, and also meets HIPAA requirements relating to unique user IDs.
  • Are users automatically logged off the network following a period of inactivity?

    UserLock automatically logs off a session after a specific length of idle time to prevent unauthorised users accessing information from unattended workstations. What’s more, UserLock can set authorised timeframes for certain users’ access and force workstations to log off outside these hours.
  • Are concurrent logins restricted, meaning users cannot log in from more than one device?

    With no way to control concurrent logins in native Windows functionality, UserLock allows organizations to prevent or limit concurrent and multiple logins.
  • Are users restricted from sharing logins?

    Technical controls are needed to stop users sharing credentials: UserLock can eliminate the issue of network login sharing.
  • Are unique user IDs also used for remote network access?

  • Is access to the network monitored?

    Monitor all users’ logon and logoff activity in real time across Windows Server networks with UserLock. The new risk indicator helps identify suspicious access behavior at a glance.
  • Can actions on the network be attributed to individual users?

    UserLock helps verify every user’s identity to ensure access to critical assets is attributed to individual employees, making users accountable for any activity (malicious or not).
  • Is access to the network limited to specific locations (specific workstations, departments)?

    Control, restrict and enforce where users may log on. UserLock goes beyond native Windows controls and restricts users and groups to a workstation or device, IP range, department, floor or building.
  • Is access to the network restricted to specific times (e.g. business hours)?

    UserLock controls the times at which authenticated users can log on to a Windows domain. Restrictions are enforced by group, with forced logoff outside the permitted hours, to keep login controls manageable.

Data access and necessity

  • Are levels of user network access attributed according to the necessities of roles?

    Set and enforce granular access rules to restrict and control employees’ access to the network (and the data within it) across each session type (including Wi-Fi and VPN). UserLock helps secure access for a remote and mobile workforce.
  • Are specific files or folders restricted according to job role?

  • Are specific actions (copying, moving, deleting) on files and folders monitored?

    FileAudit enables IT professionals to proactively monitor access to company sensitive files and folders on Windows systems and in the cloud in real-time.
  • Is access to specific files and/or folders monitored?

    FileAudit constantly tracks and records read/write/delete access events (or access attempts), file ownership changes and NTFS permissions and properties, in real time, so that IT or management can immediately address any inappropriate access events.

Moving jobs or roles

  • Is there a process in place for the management of temporary access to the network?

    UserLock strengthens user access control policy by enabling administrators to securely manage temporary changes to users’ network access rights.
  • Is there a process in place for the review of network access when employees change roles?

    Centralized access control with UserLock means network restrictions can be easily set and changed by user, user group or organizational unit.
  • Is there a process in place for when employees leave the organisation?

  • Is user access to the network deactivated when employees leave the organisation?

  • Is there a formal de-registration process in place for employees that leave the organisation?
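As an added example (not IS Decisions’ code, and not part of UserLock or FileAudit), the script below checks an Active Directory domain against three of the checklist items above using only the RSAT ActiveDirectory module: enabled accounts that have gone unused (leavers whose access was never deactivated), accounts with no logon-hours restriction, and accounts exempted from password expiry. The 90-day threshold and the OU path are assumptions to adjust for your environment.

```powershell
# Added example, not vendor code: audit AD user accounts against the checklist.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$StaleAfterDays = 90                                  # assumption: tune to your leaver process
$SearchBase     = 'OU=Staff,DC=example,DC=local'      # placeholder OU, replace with your own
$cutoff         = (Get-Date).AddDays(-$StaleAfterDays)

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
           -Properties LastLogonDate, logonHours, PasswordNeverExpires

$findings = foreach ($u in $users) {
    # Checklist: "Is user access deactivated when employees leave?"
    # An enabled account with no logon for a long time is a likely leaver or orphan.
    if ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Enabled but inactive'
                           Detail = "last logon $($u.LastLogonDate.ToShortDateString())" }
    }

    # Checklist: "Is access to the network restricted to specific times?"
    # logonHours is a 21-byte bitmap of permitted hours; when the attribute is
    # absent, or every byte is 0xFF, the account may log on at any hour.
    $hours = $u.logonHours
    if (-not $hours -or -not ($hours | Where-Object { $_ -ne 255 })) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'No logon-hours restriction'
                           Detail = 'logon permitted 24x7' }
    }

    # Checklist: "Is use of secure passwords enforced?"
    # Accounts flagged PasswordNeverExpires bypass the domain policy's rotation rule.
    if ($u.PasswordNeverExpires) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Password never expires'
                           Detail = 'exempt from password expiry policy' }
    }
}

# One row per finding; export to CSV instead if the report feeds a periodic audit.
$findings | Sort-Object Issue, User | Format-Table -AutoSize
```

Accounts that have never logged on return no LastLogonDate and are not reported as inactive here; compare their whenCreated date separately if your de-registration process needs to catch those too.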