NJ SIM Standardizes Cybersecurity Practices: A User's Access and Privileges

New Jersey is becoming more committed to protecting companies and the technology they use to store data. NJ SIM, a document that standardizes requirements for implementing cybersecurity practices, has been aligned with the CIS Controls. In doing so, it provides a clear guide to the best methods for securing information systems and closing security gaps in general.

Let’s dive into the extent of a user’s access and privileges according to these policies: 

Agencies are required to have policies that can grant, modify, and revoke users' rights of access to information and data located in the system. These policies are based on the principles of least privilege and need-to-know. Need-to-know limits who has access, especially to high-level information and resources, while least privilege limits what a user can do with information based on their role or function.

Additionally, agencies are required to have policies that help manage user accounts and privileges, so that data is protected from unauthorized users who are not permitted to access it.
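As an added illustration (not part of NJ SIM or the CIS Controls), the following Python models the two checks the policy distinguishes, plus the grant/modify/revoke lifecycle it requires; the role names, data categories and sample user are constructed assumptions:

```python
"""Added example: a minimal access-control model that separates the two
principles the policy names.
- need-to-know: which data categories a user may see at all
- least privilege: which actions the user's role allows on that data
Grant, modify and revoke functions mirror the policy's lifecycle requirement."""
from dataclasses import dataclass, field

# Hypothetical role-to-action map (least privilege): each role gets only
# the actions its function requires.
ROLE_ACTIONS = {
    "analyst": {"read"},
    "records_clerk": {"read", "update"},
    "data_steward": {"read", "update", "delete"},
}

@dataclass
class User:
    name: str
    role: str
    need_to_know: set = field(default_factory=set)  # data categories granted

def grant(user, category):
    """Grant need-to-know for one data category."""
    user.need_to_know.add(category)

def revoke(user, category):
    """Revoke need-to-know for one data category (no error if absent)."""
    user.need_to_know.discard(category)

def modify_role(user, new_role):
    """Change the user's role; unknown roles are rejected rather than defaulted."""
    if new_role not in ROLE_ACTIONS:
        raise ValueError(f"unknown role: {new_role}")
    user.role = new_role

def authorize(user, action, category):
    """Return (allowed, reason). Deny by default; both checks must pass."""
    if category not in user.need_to_know:
        return False, "need-to-know: no access to this data category"
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False, "least privilege: action not permitted for role"
    return True, "allowed"

def demo():
    u = User("alice", "analyst")  # constructed sample user
    grant(u, "health_records")
    results = {
        "read_granted": authorize(u, "read", "health_records")[0],
        "delete_denied": authorize(u, "delete", "health_records")[0],
        "other_category_denied": authorize(u, "read", "tax_records")[0],
    }
    revoke(u, "health_records")
    results["after_revoke_denied"] = authorize(u, "read", "health_records")[0]
    return results
```

The same user is denied once by each principle: the role check stops a delete even with need-to-know granted, and the need-to-know check stops a read of a category never granted.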

Let’s move into how you should organize your business or agency according to these policies: 

  1. Vulnerability scans:
    • Conducting regular vulnerability scans of systems holding protected private data, identifying potential vulnerabilities, and implementing controls to rectify them
  2. Audit logs:
    • Collecting, storing, and analyzing data in the form of logs, which helps keep track of any malicious activity
  3. Backup and recovery procedures: 
    • Creating backup copies (offsite or encrypted) so that information remains accessible in the event of malicious activity
  4. IDS/IPS (Intrusion Detection/Prevention Systems), firewalls, VPNs: 
    • Monitoring, detecting, and analyzing any malicious activity, and defending the constant flow of network traffic from any sort of threat
  5. Malware Defenses: 
    • Preventing, detecting, and removing malware through antivirus software, application whitelisting, etc.
  6. Penetration Testing: 
    • Conducting regular tests that simulate real attacks in order to find and exploit vulnerabilities/weaknesses before an attacker does

Finally, let’s discuss what these policies require of employees and clients the company works with: 

  1. Providing security awareness and skills training (covering responsibilities, threats, best practices, etc.) to those who have access to the state's information
  2. Setting expectations of vendors and providers regarding security controls, incident response, audits, assessments, etc.

The values expressed in the NJ SIM and CIS Controls convey the importance of implementing these policies, as they secure every aspect of a company's stored information: from the employees, to the software assets and licenses, to the data itself. The NJ SIM now provides an accessible framework for implementing these cybersecurity practices across various agencies and organizations. It helps secure the information systems and data of New Jersey while simultaneously educating and training the workforce to ensure continued implementation and protection in the future.
