If your company has data that is considered private or confidential, having control over access to the data is crucial. Any company that has employees connected to the internet must have robust access control measures in place. At its simplest, access control is an individual restricting information to a set of people and under certain conditions as explained by Daniel Crowley, head of research for IBM’s X Force Red team, which focuses on data security. There are two primary components: authentication and authorization.

Authentication is the process of verifying that the person to whom you want to gain access is who they say they are. It also includes verification with a password or other credentials needed before granting access to a network, application, a system or file.

Authorization is the process of granting access to certain areas based upon specific functions in a company like engineering, marketing, HR etc. Role-based access control (RBAC) is one of the most commonly used and effective ways to limit access. This kind of access is governed by policies that determine the information required to carry out certain business functions and assigns access rights to the appropriate roles.

It is easier to manage and monitor any changes if you have a policy for access control that is uniform. It’s important to ensure that the policies are clearly communicated to staff to encourage the careful handling of sensitive information, and to establish procedures for revocation of access when employees leave the company or changes their position, or is terminated.