Size and Distribution of Staff and Assets

Creating a complete inventory of IT assets is one of the first steps in implementing access controls. Which servers, routers, firewalls, workstations, databases, and so on are on the network, and where are they located? What are the software, folders, and files that are on the servers and workstations? What data is in the database? Once you determine the asset inventory, it is important to determine the risk associated with the assets and data. You can determine risk by evaluating the value of the data and the cost to the organization if the data were exposed or had to be replaced.

The access control system you implement should be based on the risk to the data and to network access. Understanding how the staff and assets are distributed within the organization will help determine the controls needed for accessing high-, medium-, and low-risk assets. For example, if there is high risk associated with specific data, additional access controls may need to be placed on the data. If you have a large staff, it may be beneficial to implement a single sign-on tool. This enables you to centralize management of assets and the access granted to them.

Network administrators must always be aware of which assets are available to be accessed and where these assets are. For example, if human resources (HR) information is available on a network that has been segmented for finance, a security breach may occur. Administrators must ensure that the network and computer resources support the staff and staffing requirements, and that the tools employees use are available when employees need them.
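The following audit over an asset inventory is an added example, not part of the original text. It rates each asset by the cost of exposing or replacing its data, then flags data sitting on another department's segment and controls missing for the asset's risk tier. The cost thresholds, control names, and sample inventory are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed cost thresholds (USD) for mapping an asset to a risk tier.
HIGH_COST, MEDIUM_COST = 1_000_000, 100_000

# Assumed policy: controls required per tier (control names are illustrative).
REQUIRED = {
    "high": {"mfa", "encryption_at_rest", "access_logging"},
    "medium": {"access_logging"},
    "low": set(),
}

@dataclass
class Asset:
    name: str
    segment: str           # network segment the asset sits on
    data_owner: str        # department whose data the asset holds
    exposure_cost: int     # cost to the organization if the data were exposed
    replacement_cost: int  # cost if the data had to be replaced
    controls: set          # access controls currently in place

def risk_tier(asset):
    """Rate an asset by the worse of its exposure and replacement cost."""
    cost = max(asset.exposure_cost, asset.replacement_cost)
    if cost >= HIGH_COST:
        return "high"
    return "medium" if cost >= MEDIUM_COST else "low"

def audit(inventory):
    """Return (asset, tier, finding) tuples for misplaced or under-protected assets."""
    findings = []
    for a in inventory:
        tier = risk_tier(a)
        if a.segment != a.data_owner:
            findings.append((a.name, tier, f"{a.data_owner} data on {a.segment} segment"))
        missing = REQUIRED[tier] - a.controls
        if missing:
            findings.append((a.name, tier, "missing controls: " + ", ".join(sorted(missing))))
    return findings

# Constructed sample inventory; every name and figure is illustrative.
INVENTORY = [
    Asset("hr-db01", "finance", "hr", 2_000_000, 50_000, {"access_logging"}),
    Asset("fin-fs01", "finance", "finance", 1_500_000, 300_000, set(REQUIRED["high"])),
    Asset("wiki01", "engineering", "engineering", 200_000, 20_000, set()),
    Asset("print-srv", "office", "office", 5_000, 2_000, set()),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep=" | ")
```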

You cannot secure users, objects, and tools if you don’t know they exist. Unencrypted files on a server, applications on computer resources that open ports on the network, and servers that maintain intellectual property are targets for attack. Large infrastructures can be difficult for an administrator to manage. In addition, if a server that holds quarterly confidential financials is available only during normal business hours, an employee might copy or e-mail these files to work on them during off hours. This poses a security risk. E-mailing the document via an unencrypted connection provides an opportunity for an attacker to see the data. Leaving confidential data on a laptop poses a risk if the laptop is stolen.

It is important to have tools available that allow an administrator to manage staff and assets of any size. Large organizations tend to experience a flux of employees due to hiring, terminations, and resignations. Administrators need to be able to add and remove employees and groups in a matter of hours. Ensuring that authentication and authorization systems are able to handle a large-scale employee base is important when designing and implementing an organization’s infrastructure.
