Controlled access to data is essential for any business that holds sensitive or proprietary information. Any organization whose employees connect to the internet should have strong access control measures in place. At its most basic, access control is a selective restriction of information to certain people and under certain conditions, according to Daniel Crowley, head of research for IBM’s X-Force Red team, which focuses on data security. There are two key components: authentication and authorization.

Authentication is the process of verifying that the person who wants to gain access is who they say they are. It includes checking a password or other credentials before granting access to a network, application, system or file.

Authorization is the act of granting access based on a particular job function in the company, such as marketing, HR, or engineering. The most effective and widely used method to restrict access is role-based access control. This kind of access is governed by policies that identify the information needed to carry out certain business functions and assign access rights to the appropriate roles.

If you have a standard access control policy in place, it is easier to manage and monitor changes as they happen. Policies must be clearly communicated to staff so that sensitive information is handled properly, and there must be procedures for revoking access when an employee leaves the company, changes their role or is terminated.
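
The role-based model and the revocation procedure described above, shown as an added Python example that is not part of the original page. The resource names, user name and `AccessControl` class are assumptions made for illustration, and authentication is assumed to have happened elsewhere and is passed in as a flag.

```python
# Constructed policy: each role maps to the (resource, action) rights its
# business function needs. Resource names are illustrative assumptions.
POLICY = {
    "marketing": {("campaign_data", "read"), ("campaign_data", "write")},
    "hr": {("employee_records", "read"), ("employee_records", "write")},
    "engineering": {("source_code", "read"), ("source_code", "write")},
}


class AccessControl:
    """Hypothetical deny-by-default RBAC check with an audit trail."""

    def __init__(self, policy):
        self.policy = policy
        self.roles = {}   # user -> current role
        self.audit = []   # (event, user, detail) tuples for monitoring

    def assign_role(self, user, role):
        if role not in self.policy:
            raise ValueError(f"unknown role: {role}")
        old = self.roles.get(user)
        # Replacing the role (not adding to it) drops the old role's rights,
        # so a role change does not leave stale access behind.
        self.roles[user] = role
        self.audit.append(("role_change", user, f"{old}->{role}"))

    def revoke(self, user):
        # Called when an employee leaves or is terminated.
        old = self.roles.pop(user, None)
        self.audit.append(("revoke", user, str(old)))

    def is_allowed(self, user, authenticated, resource, action):
        # Authorization is only evaluated for an authenticated identity.
        role = self.roles.get(user) if authenticated else None
        allowed = role is not None and (resource, action) in self.policy[role]
        self.audit.append(
            ("allow" if allowed else "deny", user, f"{action}:{resource}")
        )
        return allowed


if __name__ == "__main__":
    ac = AccessControl(POLICY)
    ac.assign_role("alice", "hr")
    print(ac.is_allowed("alice", True, "employee_records", "read"))
    ac.assign_role("alice", "engineering")   # role change
    print(ac.is_allowed("alice", True, "employee_records", "read"))
    ac.revoke("alice")                       # departure
    print(ac.is_allowed("alice", True, "source_code", "read"))
    for entry in ac.audit:
        print(entry)
```
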