User-level access rights offer a way to further protect client data. These access rights are permission settings that can be turned on or off to allow individuals or groups of people access to particular data sets. Restricting access goes beyond employee trust and is part of limiting exposure: the fewer individuals who have access to particular data, the lower the likelihood of unauthorized access.
For highly sensitive data, either client-related, financial or generally confidential, firms should take extra care to restrict access where possible.
Allow-by-default is the setting most firms' systems end up with automatically. Instead, firms should use a deny-by-default setting, where access is granted only when it is necessary. Deny-by-default is also known as the least privilege model.
The least privilege model has become widely adopted, with the Association of Corporate Counsel (ACC) recommending it as part of its best-practices guidelines. Under this model, users are given the lowest level of access they need in order to perform their job duties. Access controls should also allow for immediate termination of access rights in the event of an employment status change.
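The following is an added example, not code from the original article, showing the difference between the two models in a small access-control check: a deny-by-default policy that answers "no" unless an explicit grant exists for the user or one of the user's groups, an allow-by-default contrast that exposes any data set nobody thought to deny, and an offboarding step that cuts access the moment employment status changes. The user names, group names and data set names are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    ACTIVE = "active"
    LEFT = "left"  # any employment status change that should end access


@dataclass
class User:
    name: str
    groups: frozenset[str]
    status: Status = Status.ACTIVE


class AccessPolicy:
    """Deny-by-default: a request is allowed only if an explicit grant exists
    for the user or one of the user's groups, and the user is still active."""

    def __init__(self) -> None:
        # (principal, data_set) -> allowed actions; absence means denied
        self._grants: dict[tuple[str, str], set[str]] = {}

    def grant(self, principal: str, data_set: str, *actions: str) -> None:
        self._grants.setdefault((principal, data_set), set()).update(actions)

    def revoke_all(self, principal: str) -> None:
        for key in [k for k in self._grants if k[0] == principal]:
            del self._grants[key]

    def is_allowed(self, user: User, data_set: str, action: str) -> bool:
        if user.status is not Status.ACTIVE:
            return False
        principals = {user.name, *user.groups}
        return any(action in self._grants.get((p, data_set), ()) for p in principals)


def allow_by_default(user: User, data_set: str, deny_list: set[tuple[str, str]]) -> bool:
    """The contrasting model: everything is permitted unless explicitly denied,
    so a data set missing from the deny list is reachable by every user."""
    return (user.name, data_set) not in deny_list


def offboard(policy: AccessPolicy, user: User) -> None:
    """Status change: access fails immediately, then the stale grants are removed."""
    user.status = Status.LEFT
    policy.revoke_all(user.name)


# Constructed sample: a litigation paralegal and two firm-hosted data sets
alice = User("alice", frozenset({"litigation"}))
policy = AccessPolicy()
policy.grant("litigation", "client-matter-files", "read")
policy.grant("finance", "billing-ledger", "read", "write")
```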
With many programs, granting access is a far less cumbersome process than trying to remediate a data breach. Individual programs can offer access management dashboards, and access management solutions can be used network-wide to handle firm-hosted data.