In an organization, you need to edit files and documents (texts, audio, video, etc.) on a daily basis. To make collaborative work easier, it’s highly likely that most of your operations are on cloud computing services or internal servers.
What are the three levels of access?
Regardless of your organizational structure, you need to grant the appropriate access to the right people. In cybersecurity, besides denying access, there are three levels of access. They are:
- view a document
- comment on a document
- edit a document.
Why define the roles?
Every person working with your organization (such as regular staff, interns, freelancers, external consultants, artists, clients) requires specific types of access to carry out their daily tasks.
It’s generally best to establish an access policy based on the different roles and positions. People can come and go, but every role will come with the same level of access to information by default. According to this logic, any other specific need (for example, an intern who requires access to the financial reports in order to carry out a task) will be treated as an exception. In this way, you will maintain better control of the authorizations granted to your team as well as reduce the risks of security incidents!
Let’s consider a concrete example: Simone, who has just been hired in administration, will need to have access to employee contracts. However, the communication intern responsible for social media should not be authorized to consult these documents.
You know the roles in your organization and the information to which they need access better than we do. Maybe you're already organizing everything instinctively. If that's the case, BRAVO! It will now be easy to formalize the policy so that every new team member has the access rights associated with their role right from the start.
We will help you establish an access management policy in the Access Policy section.
How to manage employee turnover?
We know that employee turnover in an organization can be significant. This is why every good policy includes a section dedicated to the “revocation” and “update” of access.
When a staff member leaves or when you stop working with a client or freelancer, it is imperative that all of their access is revoked. Some systems offer privilege groups that make this task easier: removing a person from the group removes every access the group carried.
In any event, with a well-established policy, you can also do it manually. Of course, it takes longer and you need to be thorough, but you will achieve the same results!
Employees and contractors can also be promoted or change roles in a company. When this happens, you need to ensure that the employee has the authorizations necessary for their new mandate and that their former access, which is no longer needed, is revoked.
With this in mind, it’s a good idea to revise and update the list of roles and authorizations regularly (such as twice a year).
Psst! Business email addresses also need to be revoked when someone leaves. They are a gateway that is often neglected. We will talk about this in more detail in the Email section.
Access without authentication
All your connected accounts such as Google (Gmail), Outlook, or Apple are potential gateways, since being logged in to one of them can open many other services without any further authentication. You need to keep this in mind when considering access and sensitive data.
We recommend that you don’t log in to third-party websites using this type of connection. It’s better to enter your email directly and create a passphrase than to connect with Google or Facebook.
Along the same lines, always uncheck the "Remember me" box. The goal is to prevent someone other than you from signing in to a site without knowing your credentials.
- Define the roles and positions in your organization.
- Identify the authorizations (view, comment, edit) necessary for the tasks associated with each role and position.
- Keep track of any exceptions granted.
- Formalize a policy to facilitate employee turnover.
- Revoke access when a person leaves the organization or changes positions.
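As an added example that is not part of the guide, the policy above expressed as a small Python model: each role carries default levels (view, comment, edit), exceptions are recorded separately so they appear in the periodic review, and a role change or departure drops the old access. The role names, document names and people are constructed for illustration.

```python
from enum import IntEnum

class Level(IntEnum):          # the guide's three levels, plus denial
    NONE = 0
    VIEW = 1
    COMMENT = 2
    EDIT = 3

# Default access per role (constructed sample, not the guide's own data).
ROLE_POLICY = {
    "administration": {"employee_contracts": Level.EDIT, "financial_reports": Level.VIEW},
    "communication_intern": {"social_media_plan": Level.EDIT},
}

class AccessRegistry:
    def __init__(self, policy):
        self.policy = policy
        self.roles = {}       # person -> role
        self.exceptions = {}  # (person, document) -> Level granted beyond the role default

    def onboard(self, person, role):
        self.roles[person] = role

    def grant_exception(self, person, document, level):
        # Exceptions only add access; the role default still applies underneath.
        self.exceptions[(person, document)] = level

    def change_role(self, person, new_role):
        # Old defaults stop applying; exceptions are dropped so they are re-justified for the new mandate.
        self.roles[person] = new_role
        self._drop_exceptions(person)

    def offboard(self, person):
        # Leaving the organization revokes everything, defaults and exceptions alike.
        self.roles.pop(person, None)
        self._drop_exceptions(person)

    def level(self, person, document):
        role = self.roles.get(person)
        if role is None:
            return Level.NONE
        default = self.policy.get(role, {}).get(document, Level.NONE)
        return max(default, self.exceptions.get((person, document), Level.NONE))

    def exceptions_report(self):
        # Input for the periodic review: every exception still in force.
        return sorted((p, d, lvl.name) for (p, d), lvl in self.exceptions.items())

    def _drop_exceptions(self, person):
        self.exceptions = {k: v for k, v in self.exceptions.items() if k[0] != person}
```

Running the review report twice a year, as the guide suggests, surfaces every exception that was granted and never withdrawn.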