10.03.2026

CyberSec Update #10 – Access control and NIS2

Access control in the context of NIS2 implementation: the principle of least privilege, account management, authentication and system functionality.

How to design effective access control under NIS2

The countdown to the entry into force of the amendment to the Act on the National Cybersecurity System (KSC) implementing the NIS2 Directive in Poland has begun. During this time, we are continuing our #NIS2 series with Andrzej Broniewski, Jarosław Stras and Przemysław Strzępek. We’re working through NIS2 as part of CyberSec Update No. 10. This time, in preparation for Easter, we take a look at a topic that is key to organisational security – access control.

In cybersecurity, the opposite rule applies to that at the holiday table – we leave no room for uninvited guests. Effective access management is one of the foundations of a secure working environment and one of the essential elements required by NIS2.

Our first line of defence is to restrict access to information only to those who actually need to know it, and only to the extent necessary for their role in the organisation and their work on a given project. However, this principle of least privilege requires an appropriate process – it is necessary to have full control over how privileges are granted, as well as to record who was granted access, when and to what extent. A properly designed user account management process is the basis for NIS2 compliance. In addition, it will be necessary to separate responsibilities appropriately so that no single person can independently perform actions that could compromise security (e.g., one person makes a change, another approves it).

Another key element of access control is the implementation of consistent identification and authentication policies. This includes, among other things, enforcing adequate password strength, regular password changes, and the requirement for multi-factor authentication, at least in high-risk systems and operations.
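To make the two preceding points concrete (a recorded grant with requester, approver, time and scope; four-eyes separation of duties; MFA enforced at least on high-risk systems), here is an added illustration written for this article. It is not code from the law firm or from any NIS2 implementation; the system names, the in-memory register and the rule thresholds are assumptions.

```python
"""Added example: an access-grant register that enforces the controls
described in the article. Not the law firm's code; all names are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: systems where NIS2-style policy demands MFA.
HIGH_RISK_SYSTEMS = {"erp-admin", "domain-controller"}


@dataclass
class AccessRequest:
    user: str            # account that will receive the privilege
    requested_by: str    # person raising the request (often the user)
    system: str
    scope: str           # e.g. "read", "admin" - keep it as narrow as needed
    justification: str   # why this scope is required for the role/project


@dataclass
class AccessRegister:
    """Append-only record of who granted what, to whom, when and how widely."""
    entries: list = field(default_factory=list)

    def grant(self, req: AccessRequest, approver: str, mfa_verified: bool) -> dict:
        # Separation of duties: the requester (or beneficiary) cannot approve.
        if approver in (req.requested_by, req.user):
            raise PermissionError("approver must differ from requester and user")
        # Least privilege: every grant carries a stated reason for its scope.
        if not req.justification.strip():
            raise ValueError("justification is required")
        # MFA is mandatory at least for high-risk systems.
        if req.system in HIGH_RISK_SYSTEMS and not mfa_verified:
            raise PermissionError("MFA required for high-risk system")
        entry = {
            "user": req.user, "system": req.system, "scope": req.scope,
            "requested_by": req.requested_by, "approved_by": approver,
            "justification": req.justification,
            "granted_at": datetime.now(timezone.utc).isoformat(),
        }
        self.entries.append(entry)  # the audit trail NIS2 reviews will ask for
        return entry

    def grants_for(self, user: str) -> list:
        """Everything a given account currently holds, for periodic review."""
        return [e for e in self.entries if e["user"] == user]
```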

However, it should not be forgotten that even the best security solutions should remain functional. Overly stringent and impractical requirements can have the opposite effect to that intended – users begin to circumvent or ignore them. Therefore, when designing an Information Security Management System in an organisation, for example as part of the implementation of NIS2, it is worth avoiding typical cybersecurity pitfalls that can weaken the actual level of protection.
