Control Access to Critical Information

You shall always grant access rights to your information on a need-to-know basis. Otherwise you face the following security risks:

Unauthorised staff gain access to sensitive information e.g. payroll records.

Your information might be sabotaged.

You may break the law of the Personal Data (Privacy) Ordinance".

Access control

You can setup and apply access control policies in your IT systems to allow only particular groups of people to access to specific types of data. For instance, staff in the personnel department may access payroll information, while staff in marketing department cannot. Access rights should be granted on a need-to-know basis only.

Security Tips

Regularly review and update your access control policy.

Limit the number and scope of system administrators and users.

Grant access rights based on an individual's role rather than on a person-by-person basis.

Assign each user a unique user ID.

Educate users about the importance of information security and always remind them of security best practices.

Disable a user's account or remove a user's privileges once he/she leaves the company, or if the role of that person has changed.

Ensure that everyone has to login and logout when accessing your system. The system should provide an automatic logoff feature in case user activities are idle for a pre-selected time period.

Deactivate a user account if a login attempt fails for multiple consecutive times.

Use that are difficult to guess. Learn how to properly handle passwords.

Consider using biometric technology for e.g., fingerprint, face recognition or smartcard technology.

Learn how to dispose of unwanted IT equipment safely and securely. There may be confidential information left behind.