A data access right (DAR) is a granted permission that allows a person or computer program to locate and read digital information at rest. Digital access rights play an important role in information security and compliance.
In InfoSec, for example, DARs granted to clients, servers and folders within a system can help administrators differentiate authorized data access from unauthorized access. In compliance, DARs are often granted to data subjects by law. For example, under the General Data Protection Regulation (GDPR) in the European Union, a data subject has the right to access their own personal data and request a correction or erasure.
To avoid losing or corrupting corporate data, organizations should grant each user only the access they require, a concept known as the principle of least privilege (POLP). To ensure confidentiality, information should be used by authorized personnel only. To maintain data integrity, data should not be modified accidentally or voluntarily. Additionally, to provide data availability, the system should operate within the required levels of service.
Data access rights best practices
To keep data access control issues from arising, the following practices are recommended:
- Company security policies should specify what employees can and cannot do on their computers. For example, they should state whether individual users have permission for personal emails, file downloads and software installation, and should address information ownership and authorized or unauthorized website access.
- Data should be classified based on its degree of confidentiality (and the risks associated with being leaked) and criticality (the integrity and the risk of alteration or destruction).
- Control of access to data should be established by requiring authorization or authentication and by employing traceability (which consists of tracking access to sensitive IT resources).
- Regular detailed audits should be performed to help set up controls surrounding identity management, privileged users and access to resources.
- The rights of users should be limited. For example, Windows 10 offers standard and administrator accounts, but most users should just have standard accounts to complete their daily tasks.
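
As an added illustration (not part of the original article), the sketch below combines the classification, traceability and audit practices above: it compares granted rights against an access log, then reports unused grants on sensitive data and accesses that have no matching grant. The sample data, the 1 to 3 rating scale and the function name `audit` are assumptions constructed for this example.

```python
# Constructed sample data; none of it comes from the article.
# Classification: resource -> (confidentiality, criticality), 1 (low) to 3 (high).
CLASSIFICATION = {
    "/finance/payroll.xlsx": (3, 3),
    "/hr/handbook.pdf": (1, 1),
    "/eng/build-keys": (3, 2),
}
# Granted data access rights: (principal, resource, right).
GRANTS = [
    ("alice", "/finance/payroll.xlsx", "read"),
    ("alice", "/finance/payroll.xlsx", "write"),
    ("bob", "/finance/payroll.xlsx", "read"),
    ("bob", "/hr/handbook.pdf", "read"),
    ("carol", "/eng/build-keys", "read"),
    ("carol", "/eng/build-keys", "write"),
    ("dave", "/hr/handbook.pdf", "read"),
]
# Traceability log for the review period: (principal, resource, right).
ACCESS_LOG = [
    ("alice", "/finance/payroll.xlsx", "read"),
    ("alice", "/finance/payroll.xlsx", "write"),
    ("bob", "/hr/handbook.pdf", "read"),
    ("carol", "/eng/build-keys", "read"),
    ("dave", "/eng/build-keys", "read"),
]

def audit(grants, access_log, classification, threshold=2):
    """Return (unused, ungranted).

    unused:    grants never exercised in the log, limited to resources whose
               confidentiality or criticality rating is >= threshold.
    ungranted: logged accesses that match no grant at all.
    """
    granted, used = set(grants), set(access_log)

    def sensitivity(resource):
        # Unclassified resources are rated highest so they are never skipped.
        return max(classification.get(resource, (3, 3)))

    unused = sorted(
        (g for g in granted - used if sensitivity(g[1]) >= threshold),
        key=lambda g: (-sensitivity(g[1]), g),
    )
    return unused, sorted(used - granted)

if __name__ == "__main__":
    unused, ungranted = audit(GRANTS, ACCESS_LOG, CLASSIFICATION)
    for g in unused:
        print("least-privilege review: unused grant", g)
    for a in ungranted:
        print("unauthorized access: no grant for", a)
```

Unused grants are candidates for revocation under least privilege, while accesses without a grant point to a gap in enforcement or in the grant inventory.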