Best Practices for Access Control Implementations

Ensuring an organization has the highest level of security is a daily exercise for security professionals. Some best practices for access controls and their implementation are:

  • Understand the roles within the organization—Identify users and their roles to determine which access controls to put in place. Segregating access by role ensures that someone in the customer service department, for example, does not have access to the company’s financial records.
  • Understand the data that resides on the network—An administrator cannot protect what he or she does not know about; this includes data and software. If a certain application needs access to specific ports, the administrator needs to ensure these ports are open but that other tools or attackers do not have access as well. Knowing where all the data resides, on which servers, and on which network is necessary to configure proper access controls. Knowledge of this data is also necessary for designing policies and limiting where the data can be stored.
  • Establish a baseline—Understanding normal behavior on a network helps you understand which access controls are necessary and pinpoint when unusual activities occur.
  • Monitor activities on a continuous basis—After establishing a baseline, it is important to monitor it on a regular basis. Monitoring can identify new activities that are allowed, such as use of new software, or malicious activity, such as a virus on the network.
  • Create guidelines and policies that are easy to understand and implement—No one wants to follow rules that are not understandable. Security is a role that everyone within an organization must know, advocate, and adhere to daily. If employees feel that rules hinder their job performance, they look for ways around the system and cause a larger security risk.
  • Manage user accounts appropriately—Removing access for a user who has left the company and not reusing user IDs once deactivated reduces security risks.
  • Manage remote access capabilities—Access for business partners, customers, and remote users must be managed effectively and securely. Ensure that communications are secure and protect organization resources from those who should not have access.
  • Provide strong security—Protecting assets, files, people, and applications is a best practice for any organization. The risk associated with data getting into the wrong hands is not something an organization can afford. Ensure that proper access controls are in place, make sure authentication is efficient and effective, and communicate the security message to employees.
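
The role-segregation and account-management practices above can be checked mechanically. The audit below is an added example, not taken from the book; the roster and account layouts, the group names, and every sample record are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data. Layouts are assumptions for this example.
# HR roster: employee_id -> (status, department)
ROSTER = {
    "E099": ("departed", "customer_service"),
    "E100": ("active", "customer_service"),
    "E101": ("departed", "finance"),
    "E102": ("active", "finance"),
    "E103": ("active", "customer_service"),
    "E104": ("active", "customer_service"),
}
# Groups each department's role is allowed to hold.
ROLE_GROUPS = {"customer_service": {"cs_tickets"}, "finance": {"fin_ledger"}}
# Directory export, including disabled accounts:
# (user_id, employee_id, enabled, groups)
ACCOUNTS = [
    ("asmith", "E100", True, {"cs_tickets"}),
    ("bjones", "E101", True, {"fin_ledger"}),                # left, still enabled
    ("cwu", "E102", True, {"fin_ledger"}),
    ("dlee", "E103", True, {"cs_tickets", "fin_ledger"}),    # outside role
    ("jdoe", "E099", False, set()),                          # deactivated
    ("jdoe", "E104", True, {"cs_tickets"}),                  # ID handed out again
    ("svc_old", "E999", True, {"fin_ledger"}),               # no owner on roster
]

def audit(roster, accounts, role_groups):
    """Return enabled accounts without an active owner, user IDs assigned to
    more than one person, and group memberships outside the owner's role."""
    findings = {"orphaned": [], "reused_ids": [], "excess_access": []}
    owners = defaultdict(set)
    for user_id, emp_id, enabled, groups in accounts:
        owners[user_id].add(emp_id)
        if not enabled:
            continue
        status, dept = roster.get(emp_id, ("unknown", None))
        if status != "active":
            # Owner has left or is not on the roster: access should be removed.
            findings["orphaned"].append(user_id)
            continue
        extra = groups - role_groups.get(dept, set())
        if extra:
            findings["excess_access"].append((user_id, sorted(extra)))
    findings["reused_ids"] = sorted(u for u, e in owners.items() if len(e) > 1)
    return findings

if __name__ == "__main__":
    for kind, items in audit(ROSTER, ACCOUNTS, ROLE_GROUPS).items():
        print(kind, items)
```

Running it on a schedule and comparing the findings with the previous run also supports the baseline and monitoring practices in the list.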