CSW S1, E30 - Controlling Employee Access on a Need to Know Basis

Fred Cobb – CISO and VP of Services, InfoSystems

Rob Ashcraft – Sr. Cyber Security Strategist

This episode of the Cybersecurity Weekly Podcast is Part 14 of our series on the Center for Internet Security Top 20 Controls. Here's a quick list of where we're at:

Basic CIS Controls 1-6
Foundational CIS Controls
7) Email and Web Browser Protections
8) Malware Defenses
9) Limitation and Control of Network Ports, Protocols, and Services
10) Data Recovery Capability
11) Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12) Boundary Defense
13) Data Protection
14) Controlled Access Based on the "Need to Know"

In this episode, Fred and Rob discuss the eighth Foundational CIS Control, Controlled Access Based on the Need to Know. This control covers the processes and tools used to track, control, prevent, and correct access to sensitive systems and data, so that only the people, computers, and applications with an approved need and right to reach a critical asset can do so. Controlled Access Based on the Need to Know is most effective once a company has already put the first 13 CIS Controls in place (following the order of the CIS Top 20 Cybersecurity Controls).

You've heard the saying, "That's on a need to know basis," most likely in a popular TV show or movie. This saying isn't just for the big screen, though. You need to apply the same mindset to protect your organization's most critical assets (its information, resources, and systems, for example). Just as you'd limit access to your most prized possessions to a trusted few, you need to limit access to your organization's most prized assets to the few who genuinely need it, because the more people who have access, the larger the attack surface on those assets becomes.

Simple steps you can take today to protect your organization's assets include but aren't limited to:

- Limiting access to those who have both the "need" and the "right" to access the information, and denying it to everyone else by default;
- Classifying your information according to its sensitivity (listen to Episode 29 here for more on this topic); and
- Encrypting all communication of sensitive information over networks that aren't fully trustworthy.
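To show what the first two steps look like when written down as a rule rather than a slogan, here is an added example (not code from the episode or from InfoSystems) of a deny-by-default need-to-know check. Each record carries a classification level and a set of compartments (topics such as payroll or M&A); each person carries a clearance and the compartments they have been approved for. Access is granted only when both match, every decision is written to an audit list, and a review function lists who can read each record so you can see exactly how many people can reach your most sensitive data. All users, documents, levels and compartment names are constructed for the example; the third step (encrypting traffic in transit) is outside this snippet.

```python
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Ordered sensitivity levels; a subject's clearance must be >= the record's level."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Record:
    name: str
    level: Classification
    compartments: frozenset  # topics a reader must have a stated need for, e.g. {"payroll"}


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: Classification
    need_to_know: frozenset  # compartments this person has been approved for


AUDIT_LOG = []  # (user, record, decision, reason); in production, forward to your SIEM


def decide(subject, record):
    """Deny by default: allow only if clearance is sufficient AND every compartment
    on the record is in the subject's approved need-to-know set.
    Returns (allowed, reason) and records the decision in AUDIT_LOG."""
    reasons = []
    if subject.clearance < record.level:
        reasons.append(f"clearance {subject.clearance.name} < {record.level.name}")
    missing = record.compartments - subject.need_to_know
    if missing:
        reasons.append(f"no need-to-know for {sorted(missing)}")
    allowed = not reasons
    reason = "ok" if allowed else "; ".join(reasons)
    AUDIT_LOG.append((subject.user, record.name, "ALLOW" if allowed else "DENY", reason))
    return allowed, reason


def access_review(subjects, records):
    """Who can read each record? A periodic review that surfaces over-exposed data."""
    return {r.name: sorted(s.user for s in subjects if decide(s, r)[0]) for r in records}


# Constructed sample data (hypothetical users and documents, not from the episode).
RECORDS = [
    Record("holiday-schedule", Classification.INTERNAL, frozenset()),
    Record("q3-payroll", Classification.CONFIDENTIAL, frozenset({"payroll"})),
    Record("merger-term-sheet", Classification.RESTRICTED, frozenset({"m&a", "legal"})),
]
SUBJECTS = [
    Subject("alice", Classification.RESTRICTED, frozenset({"payroll", "m&a", "legal"})),  # CFO
    Subject("bob", Classification.CONFIDENTIAL, frozenset({"payroll"})),                # payroll clerk
    Subject("carol", Classification.RESTRICTED, frozenset({"legal"})),                  # counsel: cleared, no M&A need
    Subject("dave", Classification.INTERNAL, frozenset()),                              # everyone else
]


if __name__ == "__main__":
    for rec, readers in access_review(SUBJECTS, RECORDS).items():
        print(f"{rec:20} readable by {readers}")
    for entry in AUDIT_LOG:
        print(entry)
```

Note that carol is fully cleared for RESTRICTED material yet still cannot open the merger term sheet: clearance alone is not need to know, and the review output makes that distinction visible (only alice appears as a reader). The same check maps directly onto file-share ACLs or application roles; the point is that the default answer is "no" and every "yes" is logged.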

You can implement these CIS controls yourself, but it may cost you a substantial amount of time, money, and effort. There are cybersecurity experts who specialize in setting these controls up and have done so for hundreds of organizations.

Listen to the full episode to learn how your business can begin following the Center for Internet Security Top 20 Controls and make your company more secure.

More Information
We'd love to hear your feedback. If you have any questions, you can text us at 423-697-9528 or email marketing@infosystems.biz.

This episode discusses Control 14 of the CIS (Center for Internet Security) "Top 20 Controls." The Top 20 Controls are a set of prioritized best practices designed to help organizations protect themselves from cyber-attacks. It is a framework for every organization, whether you have a full IT department or no security program or measures in place at all. You can learn more about the 20 CIS Controls here.

See the break-down of these CIS Controls' Sub-Controls here.

Discover how other organizations are using these controls here.