Control Access to Critical Information
You shall always grant access rights to your
information on a need-to-know basis. Otherwise
you face the following security risks:
- Unauthorised staff gain access to sensitive
information, e.g., payroll records.
- Your information might be sabotaged.
- You may break the law of the Personal
Data (Privacy) Ordinance.
You can set up and apply access control policies
in your IT systems so that only particular groups
of people can access specific types of data.
For instance, staff in the personnel department
may access payroll information, while staff in the
marketing department cannot. Access rights should
be granted on a need-to-know basis only.
- Regularly review and update your access control
- Limit the number and scope of system administrators
- Grant access rights based on an individual's
role rather than on a person-by-person basis.
- Assign each user a unique user ID.
- Educate users about the importance of information
security and always remind them of security
- Disable a user's account or remove a user's
privileges once he/she leaves the company, or
if the role of that person has changed.
- Ensure that everyone has to log in and log out
when accessing your system. The system should
provide an automatic logoff feature in case
user activities are idle for a pre-selected
- Deactivate a user account if login attempts
fail multiple consecutive times.
- Use passwords that are difficult to guess.
Learn how to properly handle
- Consider using biometric technology for authentication
e.g., fingerprint, face recognition or smartcard
- Learn how to dispose of unwanted IT
and securely. There may be confidential
information left behind.
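The role-based, need-to-know access check described above, together with the account lockout, role-change and leaver handling from the list, as an added example that is not part of the original page; the department names, permission strings and the lockout threshold are assumptions chosen for illustration.

```python
# Added example: minimal role-based access control (RBAC) implementing
# the need-to-know rule. Role names, permission strings and the lockout
# threshold are assumptions for illustration, not values from the page.
from dataclasses import dataclass

MAX_FAILED_LOGINS = 5  # assumed threshold for consecutive failures

# Rights are attached to roles, never to individual people.
ROLE_PERMISSIONS = {
    "personnel": {"payroll:read", "payroll:write"},
    "marketing": {"campaigns:read", "campaigns:write"},
}

@dataclass
class User:
    user_id: str             # unique per person, never shared
    roles: set
    active: bool = True      # set to False when the person leaves
    failed_logins: int = 0
    locked: bool = False

def permitted(user, resource, action):
    """Need-to-know check: active, not locked, and a held role grants it."""
    if not user.active or user.locked:
        return False
    needed = f"{resource}:{action}"
    return any(needed in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)

def record_login(user, success):
    """Return True only for a successful login on a usable account.

    Consecutive failures are counted; reaching MAX_FAILED_LOGINS
    deactivates the account until an administrator re-enables it.
    """
    if not user.active or user.locked:
        return False
    if success:
        user.failed_logins = 0
        return True
    user.failed_logins += 1
    if user.failed_logins >= MAX_FAILED_LOGINS:
        user.locked = True
    return False

def change_role(user, new_roles):
    """Replace (not add to) roles so stale rights do not accumulate."""
    user.roles = set(new_roles)

def offboard(user):
    """Leaver: disable the account and strip every privilege."""
    user.active = False
    user.roles = set()
```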