
CitySmart Blog

Thursday, October 27, 2016
Brandon Bell, Network Infrastructure Consultant

We’ve recently talked about many kinds of security—physical, wireless, and network. Now we come to “logical access security.” What does that even mean? It’s a technical term that’s actually quite simple to define.

With physical security, you’re physically preventing people from accessing equipment that stores sensitive information. With logical security, you’re electronically preventing people from accessing sensitive information. In other words, logical access security is all about the security of information accessed 100% in the digital “cyberworld.”

Unlike physical security, you can’t lock bits and bytes behind doors. So how do you lock your electronic information down? Here are four important areas where you can start.

1. Setting a Strong Password Policy

Most people access electronic information through passwords. Just think about what you access every day with a password: your email, your software applications, or your online website applications. Unfortunately, many organizations have extremely weak password policies that leave the door open to hackers and unauthorized access.

You need a password policy that includes:

  • Strong password requirements: Studies show that many people at organizations still use simple, easy-to-hack passwords. You need to use long or complex passwords consisting of a mix of letters, numbers, and special characters.
  • Regular password changes: People shouldn’t use the same password for years and years. Set a policy that forces users to change their password on a semi-regular basis (such as once a quarter). Also make sure that users create a new password each time, instead of just flipping back and forth between two passwords.
  • Lockouts after multiple incorrect log-in attempts, whether by the user or by someone else: This protects a user’s account in case a hacker attempts to crack the password. For example, after three failed log-in attempts an authorized user may be locked out for a period of time or even be required to contact an administrator before the account is unlocked.
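The three policy points above can all be enforced in code. The following is an added example, not code from the blog or from the author’s company: a small account module that rejects weak passwords, refuses reuse of the current or recent passwords (so users cannot flip between two), and locks the account after three failed attempts for a fixed period. The minimum length, history size and 15-minute lock duration are assumed values chosen for the example; only the three-attempt threshold comes from the text. Passwords are stored only as salted PBKDF2 hashes.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field

# Policy parameters (assumed values for this example; only the
# three-attempt lockout is taken from the blog post).
MIN_LENGTH = 12
HISTORY_SIZE = 5            # previous passwords that may not be reused
MAX_FAILED_ATTEMPTS = 3     # failed log-ins before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
PBKDF2_ROUNDS = 100_000


def check_password_strength(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in (("lowercase letter", r"[a-z]"), ("uppercase letter", r"[A-Z]"),
                          ("digit", r"[0-9]"), ("special character", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"no {name}")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)   # older (salt, digest) pairs, newest first
    failed_attempts: int = 0
    locked_until: float = 0.0                      # epoch seconds; 0 means not locked


def create_account(username: str, password: str) -> Account:
    problems = check_password_strength(password)
    if problems:
        raise ValueError("weak password: " + ", ".join(problems))
    salt, digest = hash_password(password)
    return Account(username, salt, digest)


def change_password(account: Account, new_password: str) -> list:
    """Apply the strength rules and reject reuse of the current or recent passwords.

    Returns the list of violations; an empty list means the change was applied.
    """
    problems = check_password_strength(new_password)
    if problems:
        return problems
    # Re-hash the candidate with each stored salt so it can be compared to that stored digest.
    for salt, digest in [(account.salt, account.digest)] + account.history:
        if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
            return [f"matches one of the last {HISTORY_SIZE + 1} passwords"]
    account.history.insert(0, (account.salt, account.digest))
    del account.history[HISTORY_SIZE:]
    account.salt, account.digest = hash_password(new_password)
    return []


def attempt_login(account: Account, password: str, now: float = None) -> str:
    """Return 'ok', 'denied' or 'locked'. `now` is injectable so lockout timing can be tested."""
    if now is None:
        now = time.time()
    if now < account.locked_until:
        return "locked"          # even the correct password is refused while the lock is active
    _, digest = hash_password(password, account.salt)
    if hmac.compare_digest(digest, account.digest):
        account.failed_attempts = 0
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.failed_attempts = 0
        account.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


if __name__ == "__main__":
    acct = create_account("clerk", "Tr3e-Lined.Ave!2016")
    for guess in ("password", "letmein", "Password1"):
        print(guess, "->", attempt_login(acct, guess, now=1000.0))
    print("correct password while locked ->", attempt_login(acct, "Tr3e-Lined.Ave!2016", now=1001.0))
    print("reuse old password ->", change_password(acct, "Tr3e-Lined.Ave!2016"))
```

The lock is checked before the password is verified, so a correct guess during the lock window is refused too; that is what stops an automated guesser from simply continuing. Comparing the candidate against stored hashes rather than keeping old passwords in clear text is what makes the history check safe to store.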

2. Monitoring and Controlling User Accounts

At the IT administration level, you need experienced internal staff or a vendor to manage and monitor user accounts. It’s at the administrative level that IT professionals—following your city’s policies—will assign new user accounts, make changes to user accounts (such as assigning new passwords or updating access privileges), delete user accounts, and watch for any unauthorized user access. If no one performs this monitoring and maintenance on a regular basis, then you risk unauthorized users (such as ex-employees) using your systems and accessing sensitive information.

3. Requiring Timeouts

No, we don’t mean making an employee sit in the corner! A timeout locks a computer for a period of time (such as 15 minutes) under policies that protect against unauthorized access (such as hackers). After the period expires, the user can attempt to log back into the computer. This requirement especially helps in an office where someone could easily sit down at another person’s computer and steal information. With a timeout policy, computers are harder for unauthorized people to access, whether those people are physically present or somewhere across the globe.

4. Logging and Tracking User Activity

We’ve written more extensively about logging in the past, so we’ll just summarize a few high points here. Basically, logging is a technical activity that IT professionals conduct to both diagnose issues and document who accesses your data. For security, logging is important to track things such as suspicious web surfing activity or users remotely accessing your data. Without logging, you may not know if unauthorized users are viewing or stealing sensitive information until it’s too late.
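As an added example that is not part of the original post, the script below shows what the log review described here, and the account monitoring from section 2, look like in practice. It reads constructed authentication log lines in an assumed `timestamp user= src= event=` format and raises three kinds of findings: a burst of failed log-ins for one account, a successful log-in from outside the assumed internal networks (remote access worth a second look), and any successful log-in by an account that HR has reported as terminated. The network ranges, thresholds and the `former.clerk` account are assumptions for the example; a real system would differ only in the line format that `parse_line` handles.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed review parameters for this example.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
FAILED_THRESHOLD = 3                  # failures within the window that trigger a finding
FAILED_WINDOW = timedelta(minutes=5)
# Constructed: accounts reported as terminated; any successful log-in is a finding.
DISABLED_ACCOUNTS = {"former.clerk"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")

# Constructed sample log in an assumed key=value format.
SAMPLE_LOG = """
2016-10-27T08:01:12 user=jdoe src=10.1.4.22 event=LOGIN_OK
2016-10-27T08:03:40 user=msmith src=10.1.4.31 event=LOGIN_FAIL
2016-10-27T08:03:52 user=msmith src=10.1.4.31 event=LOGIN_FAIL
2016-10-27T08:04:05 user=msmith src=10.1.4.31 event=LOGIN_OK
2016-10-27T22:15:09 user=jdoe src=203.0.113.45 event=LOGIN_FAIL
2016-10-27T22:15:21 user=jdoe src=203.0.113.45 event=LOGIN_FAIL
2016-10-27T22:15:33 user=jdoe src=203.0.113.45 event=LOGIN_FAIL
2016-10-27T22:16:02 user=jdoe src=203.0.113.45 event=LOGIN_OK
2016-10-28T07:58:44 user=former.clerk src=10.1.4.40 event=LOGIN_OK
""".strip().splitlines()


def parse_line(line: str):
    """Turn one log line into a dict, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "src": m["src"], "event": m["event"]}


def is_internal(src: str) -> bool:
    """True if the source address lies in one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False          # an unparseable address is treated as external, so it gets flagged
    return any(addr in net for net in INTERNAL_NETWORKS)


def review_log(lines) -> list:
    """Return (kind, user, detail) findings for an administrator to follow up."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of failures inside the window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", None, line))   # never silently drop a line
            continue
        if rec["event"] == "LOGIN_FAIL":
            window = recent_failures[rec["user"]]
            window.append(rec["ts"])
            # keep only failures that fall inside the sliding window
            window[:] = [t for t in window if rec["ts"] - t <= FAILED_WINDOW]
            if len(window) >= FAILED_THRESHOLD:
                findings.append(("failed_burst", rec["user"],
                                 f"{len(window)} failures within {FAILED_WINDOW} from {rec['src']}"))
                window.clear()
        elif rec["event"] == "LOGIN_OK":
            if rec["user"] in DISABLED_ACCOUNTS:
                findings.append(("disabled_account_login", rec["user"], rec["src"]))
            if not is_internal(rec["src"]):
                findings.append(("remote_login", rec["user"], rec["src"]))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_log(SAMPLE_LOG):
        print(f"{kind:24} {user or '-':14} {detail}")
```

On the sample data the two failures for `msmith` stay below the threshold, while `jdoe` trips the burst rule and then logs in successfully from an external address, a sequence an administrator would want to confirm with the user. The `former.clerk` finding is the section 2 case: an account that should already have been deleted is still being used.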

As you can see, logical access security is...well, quite logical. We’re sure Star Trek’s Dr. Spock would agree! By locking down your electronic information as well as your physical technology equipment, you mitigate the risk of hacking attempts, data breaches, or stolen information.

Questions about your logical access security policies? Reach out to us today.