Given recent news events highlighting the risk and consequences of information leaks, you may be re-evaluating the policies that govern access to your organization’s internal information technology. Here are a few strategies for planning and implementing internal IT controls.
Access controls. Internal IT access control begins at the building’s front door. Many office buildings restrict access after normal business hours. Without special key cards, doors will not open and elevators will not operate. If feasible, consider using a key card access system; limit after-hours access to essential personnel. Also consider installing cameras to monitor around-the-clock access to sensitive areas such as computer network facilities, and installing alarms that trigger when unauthorized access is detected. Workers should wear photo ID badges, and visitors should be escorted while in the building.
Your organization depends on people who have access to important assets such as computers, software, and documents. Although a few key employees may require unrestricted access to the organization’s IT assets, the majority of workers will not. Evaluate each worker’s role and restrict access accordingly. Every worker with access to a company computer should log in with a unique user account that requires strong password authentication. Workers should not share user accounts or divulge passwords, and they should not be permitted to install unauthorized software.
Revision controls. Once you’ve allowed workers to access information, you must control what they can do with it. Instead of permitting workers to store work files on the disk drives of their individual computers, use revision control software installed on the organization’s computer network. Revision control software manages and tracks changes to documents, software code, and other files, and it is essential for teams of workers collaborating on projects. It records every change to every file, including who made the change and when. It keeps track of all versions of a file and can compare, restore, and merge changes. It can also deny access to a file entirely or allow read-only access.
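To make the properties listed above concrete, here is a small added illustration that is not from the original article and does not model any particular revision control product: a minimal in-memory store that records the author and timestamp of every change, can compare and restore versions, and enforces per-file access levels (no access, read-only, read/write). The class name RevisionStore, the users alice and bob, and the file plan.txt are constructed for the example.

```python
import difflib
from dataclasses import dataclass
from datetime import datetime, timezone

# Access levels a worker can hold on a file: no access, read-only, or read/write.
NONE, READ, WRITE = 0, 1, 2

@dataclass
class Revision:
    number: int
    author: str
    timestamp: datetime
    content: str

class RevisionStore:
    """Keeps every version of every file, plus who changed it and when."""
    def __init__(self, permissions):
        # permissions: {(user, path): level}; unlisted pairs have no access.
        self.permissions = permissions
        self.history = {}  # path -> [Revision, ...] in commit order
    def _check(self, user, path, needed):
        if self.permissions.get((user, path), NONE) < needed:
            raise PermissionError(f"{user} lacks level {needed} on {path}")
    def read(self, user, path, number=None):
        self._check(user, path, READ)
        revs = self.history[path]
        return (revs[-1] if number is None else revs[number - 1]).content
    def commit(self, user, path, content):
        self._check(user, path, WRITE)
        revs = self.history.setdefault(path, [])
        revs.append(Revision(len(revs) + 1, user, datetime.now(timezone.utc), content))
        return revs[-1].number
    def log(self, user, path):
        self._check(user, path, READ)
        return [(r.number, r.author, r.timestamp.isoformat()) for r in self.history[path]]
    def diff(self, user, path, a, b):
        old, new = self.read(user, path, a).splitlines(), self.read(user, path, b).splitlines()
        return list(difflib.unified_diff(old, new, f"{path}@{a}", f"{path}@{b}", lineterm=""))
    def restore(self, user, path, number):
        # A restore is recorded as a new revision, so the audit trail is never rewritten.
        return self.commit(user, path, self.read(user, path, number))

def demo():
    # Constructed sample: alice may edit the plan, bob may only read it.
    store = RevisionStore({("alice", "plan.txt"): WRITE, ("bob", "plan.txt"): READ})
    store.commit("alice", "plan.txt", "budget: 100\nowner: alice\n")
    store.commit("alice", "plan.txt", "budget: 250\nowner: alice\n")
    store.restore("alice", "plan.txt", 1)  # roll back the budget change; becomes revision 3
    return store
```

After demo() runs, the log shows three revisions attributed to alice, a diff between revisions 1 and 2 shows the budget line changing, and bob can read but not commit.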
Disaster preparation and recovery. You can’t prevent every loss-of-data disaster, but you can prepare for recovery. Regularly back up and replicate all servers and data to offsite locations. Protect your internal IT from external threats by installing firewall and antivirus software. Employees connecting to an internal computer from outside the office should use a virtual private network; VPNs employ encryption to provide secure access to a remote computer over the Internet.