Access Control & Authorization — Canadian Baseline Control BC.12
What the Canadian Centre for Cyber Security Recommends
The Canadian Centre for Cyber Security (CCCS) identifies access control and authorization as Baseline Control 12 (BC.12) in its Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089). Organizations should control who has access to their systems, data, and resources — and limit that access to only what each person needs to perform their job. This control focuses on managing permissions after a user's identity has been verified through authentication (BC.5).
Inadequate access control is one of the most common contributors to data breaches and insider threats. When users have more access than they need, the potential impact of a compromised account, a malicious insider, or a simple mistake increases significantly. The CCCS guidance establishes access control as a foundational security practice for organizations of all sizes.
The Principle of Least Privilege
Users should be granted only the minimum level of access required to perform their job duties — nothing more. This is known as the principle of least privilege, and it is the foundation of the CCCS access control recommendations.
Applying least privilege means:
- Default to no access — new accounts should start with no permissions, and access should be granted only as needed and approved
- Grant access based on job function — permissions should reflect what the role requires, not what the individual requests for convenience
- Avoid permanent elevated access — administrative or privileged access should be granted only when needed and revoked when the task is complete
- Apply least privilege to applications and services — not just human users; service accounts and automated processes should also operate with minimal permissions
Least privilege reduces the blast radius of a security incident. If an attacker compromises a user account that has limited permissions, the damage they can do is correspondingly limited.
Role-Based Access Control (RBAC)
Rather than assigning permissions to individual users one at a time, the CCCS recommends organizing access permissions into roles that correspond to job functions. This approach — role-based access control (RBAC) — simplifies management and reduces the risk of permission errors.
Implementing RBAC involves:
- Defining roles — identify the job functions in your organization and the system access each function requires (e.g., "Accounting Clerk," "Sales Manager," "IT Administrator")
- Assigning users to roles — grant access by assigning a user to the appropriate role, rather than configuring individual permissions
- Documenting role definitions — maintain a written record of what each role can access and who approved the role definition
- Limiting the number of roles — avoid creating so many roles that the system becomes difficult to manage; aim for a manageable set that covers your organization's functions
- Handling exceptions — when a user needs access beyond their role, document the exception with a business justification and an expiry date
Most modern business platforms — including Microsoft 365, Google Workspace, and cloud services — support role-based access configuration. Leveraging these built-in capabilities makes RBAC practical even for small organizations.
Regular Access Reviews
Access permissions tend to accumulate over time. Employees change roles, take on temporary projects, or receive access that is never revoked. The CCCS recommends that organizations conduct regular access reviews to ensure that current permissions still align with current job requirements.
An effective access review process includes:
- Scheduled reviews — review privileged accounts at least quarterly and standard accounts at least semi-annually
- Manager involvement — each employee's direct manager should confirm that the access listed for their team members is still appropriate
- Documentation — record the date of each review, who conducted it, and any changes made
- Removing stale access — revoke permissions that are no longer needed, including access to old projects, former team resources, and deactivated systems
- Identifying dormant accounts — flag accounts that have not been used for an extended period (e.g., 90 days) for investigation and potential deactivation
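An added example (not part of the CCCS guidance or this page's material) that turns the role definitions and documented exceptions from the RBAC section and the review checks above into a script a small organization could run against an export of its accounts. All roles, users, permissions and dates are constructed sample data; the 90-day dormancy threshold is the one the page suggests.

```python
from datetime import date, timedelta

# Constructed sample data (assumed, not from the CCCS guidance): role definitions,
# each user's role, last login and the permissions actually granted in the system,
# and the documented exceptions with their business justification and expiry date.
ROLES = {
    "Accounting Clerk": {"erp:invoices:read", "erp:invoices:create"},
    "Sales Manager": {"crm:read", "crm:write", "reports:read"},
    "IT Administrator": {"ad:admin", "m365:admin"},
}
USERS = {  # user: (role, last login, permissions currently granted)
    "aclerk": ("Accounting Clerk", date(2024, 6, 3),
               {"erp:invoices:read", "erp:invoices:create", "reports:read"}),
    "smanager": ("Sales Manager", date(2024, 2, 1),
                 {"crm:read", "crm:write", "reports:read", "erp:invoices:read"}),
    "itadmin": ("IT Administrator", date(2024, 6, 4),
                {"ad:admin", "m365:admin", "crm:write"}),
}
EXCEPTIONS = [  # (user, permission, business justification, expiry date)
    ("aclerk", "reports:read", "year-end audit support", date(2024, 12, 31)),
    ("itadmin", "crm:write", "CRM migration project", date(2024, 3, 31)),
]


def review_access(roles, users, exceptions, today, dormant_days=90):
    """Return sorted (user, finding, detail) tuples for the reviewer to act on."""
    findings = []
    for user, (role, last_login, granted) in users.items():
        allowed = set(roles.get(role, set()))  # unknown role allows nothing
        expired = set()
        for exc_user, perm, _reason, expires in exceptions:
            if exc_user != user:
                continue
            if expires >= today:
                allowed.add(perm)  # a still-valid, documented exception extends the role
            elif perm in granted:
                expired.add(perm)  # exception lapsed but the access was never revoked
                findings.append((user, "expired_exception", perm))
        # Anything granted that neither the role nor a valid exception covers is stale
        for perm in sorted(granted - allowed - expired):
            findings.append((user, "excess_permission", perm))
        # Dormant accounts are flagged for investigation and possible deactivation
        if today - last_login > timedelta(days=dormant_days):
            findings.append((user, "dormant_account", f"last login {last_login}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding, detail in review_access(ROLES, USERS, EXCEPTIONS, date(2024, 6, 5)):
        print(f"{user:10} {finding:20} {detail}")
```

Each finding maps to an action from the list above: revoke the excess or lapsed permission, or investigate and possibly deactivate the dormant account, and record the outcome as part of the review documentation.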
Separation of Duties
No single individual should have enough access to complete a critical or high-risk process entirely on their own. Separation of duties divides responsibilities so that errors, fraud, or misuse require collusion between multiple people, making them more difficult and more detectable.
Common examples of separation of duties include:
- Financial transactions — the person who initiates a payment should not be the same person who approves it
- System administration — the person who administers a system should not be the only person who reviews the audit logs for that system
- User account management — access requests should require approval from someone other than the requester
- Code deployment — in software development, the person who writes code should not be the same person who deploys it to production
For very small organizations where strict separation of duties is not practical due to limited staff, compensating controls — such as detailed logging, regular audits, and management oversight — can help mitigate the risk.
Privileged Account Management
Privileged accounts — such as administrator accounts, root accounts, and service accounts — have elevated access that can affect entire systems or large volumes of data. The CCCS recommends that organizations apply additional safeguards to these accounts because the consequences of their compromise are far greater than those of standard user accounts.
Recommendations for privileged account management include:
- Use separate accounts for administrative tasks — administrators should have a standard account for daily work (email, web browsing) and a separate privileged account used only for administrative tasks
- Require multi-factor authentication (MFA) — all privileged accounts should require MFA, aligned with Baseline Control BC.5 (Authentication)
- Limit the number of privileged accounts — only personnel who require administrative access for their job function should have it
- Monitor privileged account activity — log and review actions taken by privileged accounts on a regular basis
- Use time-limited privileges where possible — just-in-time access grants administrative privileges only for the duration needed to complete a specific task
- Secure service accounts — service accounts used by applications should have strong, unique credentials that are rotated regularly and should not be used for interactive logins
Offboarding Procedures
When an employee leaves the organization — whether through resignation, termination, or contract completion — their access must be revoked promptly and completely. Delayed offboarding is a common and preventable security gap.
A complete offboarding procedure should include:
- Immediate account deactivation — disable the user's accounts on the same day they depart, or before if circumstances warrant it
- Revoke all access — including email, VPN, cloud services, SaaS platforms, internal applications, physical access cards, and shared accounts
- Recover company devices and media — collect laptops, phones, USB drives, and access tokens, aligned with Baseline Control BC.4 (Secure Configuration)
- Change shared credentials — if the departing employee had access to any shared passwords or service accounts, change those credentials immediately
- Transfer data ownership — reassign ownership of files, mailboxes, and accounts to the appropriate person
- Document the offboarding — maintain a checklist and record of completion for each departing employee
Organizations should establish a standardized offboarding checklist and ensure that HR and IT coordinate closely on every departure.
Getting Started
For Canadian small and medium organizations looking to strengthen access control, the CCCS Baseline Controls suggest focusing on these practical steps:
- Inventory current access — document who has access to what systems, at what permission level
- Implement least privilege — review and reduce permissions to the minimum required for each role
- Define roles — create a simple set of roles based on job functions and assign users accordingly
- Establish an offboarding checklist — ensure departing employees lose access on their last day
- Schedule regular access reviews — set calendar reminders for quarterly privileged account reviews
- Take the free cybersecurity assessment to evaluate your organization's posture across all 13 Baseline Controls
Frequently Asked Questions
What is the difference between access control and authentication?
Authentication (BC.5) verifies who a user is — confirming their identity through passwords, multi-factor authentication, or other credentials. Access control (BC.12) determines what an authenticated user is allowed to do — which systems, files, and functions they can access. Both controls work together: authentication confirms identity, and access control enforces permissions.
How often should Canadian businesses review user access permissions?
The CCCS recommends conducting access reviews on a regular basis. Many organizations perform quarterly reviews for privileged accounts and semi-annual reviews for standard user accounts. At a minimum, access should be reviewed whenever an employee changes roles and immediately upon departure from the organization.
Do small businesses need role-based access control?
Yes. Even small organizations benefit from role-based access control (RBAC). The CCCS Baseline Controls recommend that access be granted based on job function rather than on an individual basis. RBAC simplifies permission management, reduces errors, and makes it easier to conduct access reviews — regardless of organization size.
Disclaimer: The information provided on this website is for general educational and informational purposes only and does not constitute professional cybersecurity, legal, IT, compliance, or risk management advice. All content, including assessment results, scores, grades, and recommendations, is provided on a best-effort, "as is" basis without warranties of any kind. We expressly disclaim liability for any errors, omissions, or inaccuracies. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation. Use of this website or the assessment tool does not create a professional-client relationship. See our Terms of Use for full details.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.