Authentication - e-Strategy Guide


Authorisation and authentication

Who should be authorised?

Your staff will require access to different types of information and data. This may sometimes apply to contractors working within your organisation.

Authorisation refers to the granting of access rights to data, software and communications based on the allocation of tasks to the users to allow them to perform their job.

For example, all staff may need to access word processing software, but are only granted rights to directories containing files that are directly relevant to them. The same applies to spreadsheet software. All users may need access to the software but only certain people can have access to the organisation’s financial records created using that software. In this case, access to the software is unrestricted, but access to files containing data is provided on a restricted basis.

What to do

  • Access to sensitive or confidential data (personnel files, financial records, customer details, sales figures, planning documents) should be on a need-to-know basis only.
  • All users must have individual accounts (an account is simply the set of access rights a user is entitled to); never allow accounts to be shared.
  • Job roles must be clearly defined and user accounts set up to support these roles.
  • Make sure that all users know and understand their rights and responsibilities in relation to access. This should include a clear, simple policy on acceptable use of office systems, including hardware and software, email and internet, and printers and scanners.
  • As staff roles change, their access privileges may need to change, so authorisations should be reviewed regularly.
  • Access control procedures should be reviewed periodically.
  • As additional functions, features and capabilities are added to your systems, make sure that overall security remains adequately controlled. Develop clear procedures on user access so that each user is allowed an appropriate level of access and no more.
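The authorisation model described above (one account per person, rights granted by job role, software open to all but data directories on a need-to-know basis, and regular review as roles change) can be expressed in a few lines. The following is an added illustration, not code from the e-Strategy Guide; the roles, directory names and the 90-day review interval are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed example roles. Every role may run the office software, but each
# role is granted rights only to the directories relevant to its job.
ROLE_RIGHTS = {
    "clerk":      {"software": {"wordproc", "spreadsheet"}, "dirs": {"/shared/general"}},
    "accountant": {"software": {"wordproc", "spreadsheet"}, "dirs": {"/shared/general", "/finance"}},
    "hr":         {"software": {"wordproc"},                "dirs": {"/shared/general", "/personnel"}},
}

REVIEW_INTERVAL_DAYS = 90  # assumption: the guide says "regularly" without a figure


@dataclass
class Account:
    user: str          # one named individual per account; accounts are never shared
    role: str          # the job role that determines the account's rights
    last_review: date  # when this account's authorisations were last confirmed


def can_use_software(acct: Account, app: str) -> bool:
    """Software access is granted per role (here: unrestricted for most roles)."""
    return app in ROLE_RIGHTS[acct.role]["software"]


def can_access_file(acct: Account, path: str) -> bool:
    """Need-to-know: a file is accessible only if it sits under a directory the role is granted.

    The trailing '/' guard stops '/finance' from also matching '/finance-archive'.
    """
    return any(path == d or path.startswith(d + "/") for d in ROLE_RIGHTS[acct.role]["dirs"])


def accounts_due_for_review(accounts: list, today: date) -> list:
    """Accounts whose authorisations have not been reviewed within the interval."""
    return [a.user for a in accounts if (today - a.last_review).days > REVIEW_INTERVAL_DAYS]


def apply_role_change(acct: Account, new_role: str, today: date) -> Account:
    """When a person's job changes, their rights follow the new role; nothing from
    the old role is carried over, and the change counts as a fresh review."""
    if new_role not in ROLE_RIGHTS:
        raise ValueError(f"unknown role: {new_role}")
    acct.role = new_role
    acct.last_review = today
    return acct


def check_no_shared_accounts(accounts: list) -> list:
    """Return user names that appear on more than one account (a sign of sharing)."""
    seen, duplicates = set(), []
    for a in accounts:
        if a.user in seen and a.user not in duplicates:
            duplicates.append(a.user)
        seen.add(a.user)
    return duplicates
```

Run `accounts_due_for_review` from a scheduled job and treat every entry it returns as a task for the line manager to confirm or revoke; `apply_role_change` is the only path that should alter an account's rights, so the rights a person held in a previous role disappear the moment the role is changed.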

Authentication

Authentication is the automated process of identifying a user and ensuring that the correct user is allowed to conduct specific jobs or transactions on your office systems.

Make sure that:

  • access to information and systems is limited to the minimal number of users
  • your system logs record who logs on, when, where and for how long, and track any deletions or modifications, including changes to file or database structure
  • additional workstations, systems and software are reviewed periodically.
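The logging requirement above (who logged on, when, from where, for how long, and which deletions, modifications and structural changes they made) is easiest to meet if the log format carries all of those fields and a small script can answer the questions. The code below is an added example, not from the guide or any particular product; the pipe-separated log format and the sample log lines are constructed for illustration.

```python
from datetime import datetime

# Constructed sample log: timestamp|event|user|source|detail
SAMPLE_LOG = """\
2024-03-04T08:58:12|LOGON|alice|ws-12|
2024-03-04T09:02:40|MODIFY|alice|ws-12|/shared/general/memo.doc
2024-03-04T09:10:05|LOGON|bob|ws-07|
2024-03-04T09:15:33|DELETE|bob|ws-07|/finance/q1-draft.xls
2024-03-04T09:20:00|SCHEMA|bob|ws-07|customers.table add column notes
2024-03-04T12:30:00|LOGOFF|alice|ws-12|
"""

CHANGE_EVENTS = {"MODIFY", "DELETE", "SCHEMA"}


def parse_log(text: str) -> list:
    """Turn the raw log text into a list of event dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, source, detail = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "user": user,
            "source": source,
            "detail": detail,
        })
    return events


def sessions(events: list) -> list:
    """Pair each LOGON with the next LOGOFF for the same user.

    Answers 'who, when, where and for how long'. A session still open at the end
    of the log (no LOGOFF yet) is reported with minutes=None rather than dropped.
    """
    open_sessions, result = {}, []
    for e in events:
        if e["event"] == "LOGON":
            open_sessions[e["user"]] = e
        elif e["event"] == "LOGOFF" and e["user"] in open_sessions:
            start = open_sessions.pop(e["user"])
            minutes = (e["ts"] - start["ts"]).total_seconds() / 60
            result.append({"user": e["user"], "source": start["source"],
                           "start": start["ts"], "minutes": minutes})
    for user, start in open_sessions.items():
        result.append({"user": user, "source": start["source"],
                       "start": start["ts"], "minutes": None})
    return result


def changes_by(events: list, user: str) -> list:
    """All deletions, modifications and structure changes recorded for one user."""
    return [(e["event"], e["detail"]) for e in events
            if e["user"] == user and e["event"] in CHANGE_EVENTS]


def changes_without_logon(events: list) -> list:
    """Change events for users who have no LOGON earlier in the log: worth a look,
    since they suggest a missing log entry or an account that bypassed normal logon."""
    logged_on, suspicious = set(), []
    for e in events:
        if e["event"] == "LOGON":
            logged_on.add(e["user"])
        elif e["event"] in CHANGE_EVENTS and e["user"] not in logged_on:
            suspicious.append((e["user"], e["event"], e["detail"]))
    return suspicious
```

Keep the log somewhere ordinary users cannot modify it (otherwise the record of a deletion can itself be deleted), and make `changes_by` and `changes_without_logon` part of the periodic review so that the log is actually read rather than just written.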

Password protection

Passwords are a form of authentication. They can be the first line of defence against unauthorised access.

All new accounts should be given initial passwords set by administrators. Once in the system, new users can specify their own passwords, following a set of password guidelines.

Develop a password system for your organisation. You should:

  • avoid passwords that would be readily identifiable or easy for anyone to guess (such as family names or birth dates)
  • use a mix of upper and lower case letters, numbers and special characters
  • memorise your passwords; do not write a password down or store it in an easy-to-find place or file on or near your computer
  • avoid dictionary words and foreign words, because hackers have many tools, such as dictionary programs, to assist them. A hacker launches a dictionary attack by passing every word in a dictionary (which can contain foreign languages as well as the entire English language) to a login program in the hope that one of them will eventually match the correct password
  • never share your password with anyone
  • never send your password via email
  • change your passwords regularly, at least every three months
  • use a completely new password every time you change your password, and never reuse old passwords.
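Most of the rules above, together with the account set-up procedure (administrator sets an initial password, the user then chooses their own), can be enforced by the system rather than left to memory. The block below is an added example, not code from the guide; the 12-character minimum, the tiny word list and the PBKDF2 parameters are assumptions, since the guide states a mix of character classes and a three-month change interval but no length or hashing method.

```python
import hashlib
import hmac
import secrets
from datetime import date

DICTIONARY = {"password", "welcome", "summer", "bonjour", "dragon"}  # constructed; real lists are far larger
MIN_LENGTH = 12        # assumption: the guide gives no minimum length
MAX_AGE_DAYS = 90      # "at least every three months"
PBKDF2_ROUNDS = 200_000


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-SHA256 so that the password history never stores plain text."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_policy(pw: str, personal_terms=(), history=()) -> list:
    """Return the list of rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if not all(classes):
        problems.append("needs upper, lower, digit and special characters")
    low = pw.lower()
    # family names, birth years and similar known facts about the user are easy to guess
    if any(t.lower() in low for t in personal_terms if t):
        problems.append("contains easily guessed personal information")
    # strip digits and symbols so that 'Summer2024!!' is still caught as the word 'summer'
    core = "".join(c for c in pw if c.isalpha()).lower()
    if low in DICTIONARY or core in DICTIONARY:
        problems.append("dictionary word")
    for salt, digest in history:
        if hmac.compare_digest(hash_password(pw, salt)[1], digest):
            problems.append("reuse of an old password")
            break
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    return (today - last_changed).days > MAX_AGE_DAYS


def new_account(user: str, initial_pw: str, today: date) -> dict:
    """Administrator creates the account with an initial password the user must replace."""
    return {"user": user, "current": hash_password(initial_pw), "history": [],
            "last_changed": today, "must_change": True}


def set_own_password(acct: dict, pw: str, personal_terms, today: date) -> list:
    """User chooses their own password; it is stored only if every rule passes."""
    history = acct["history"] + [acct["current"]]
    problems = check_policy(pw, personal_terms, history)
    if not problems:
        acct["history"] = history
        acct["current"] = hash_password(pw)
        acct["last_changed"] = today
        acct["must_change"] = False
    return problems
```

`check_policy` returns every broken rule rather than the first one, so the user sees the full reason a password was refused; the history comparison re-hashes the candidate with each stored salt, which is what allows the "never reuse old passwords" rule to be enforced without ever keeping old passwords in clear.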

For more information on authentication issues, see the Australian Government’s Trusting the Internet fact sheet – How do I choose the best authentication system? [RTF, 119 KB]