Content library
TiHL: Suositus tietoturvan vähimmäisvaatimuksista
4.5: Käyttöoikeuksien hallinta

How to fill the requirement

TiHL: Suositus tietoturvan vähimmäisvaatimuksista

4.5: Käyttöoikeuksien hallinta

Task name
Priority
Status
Theme
Policy
Other requirements
Regular reviewing of data system access rights
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

I06: Pääsyoikeuksien hallinnointi
Katakri
16 §: Tietojärjestelmien käyttöoikeuksien hallinta
TiHL
24. Responsibility of the controller
GDPR
32. Security of processing
GDPR
5. Principles relating to processing of personal data
GDPR
1. Task description

Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.

Defining and documenting accepted authentication methods
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Katakri
9.1.1: Access control policy
ISO27 Full
9.2.4: Management of secret authentication information of users
ISO27 Full
9.4.2: Secure log-on procedures
ISO27 Full
6.6.2: Käyttövaltuushallinta ja tunnistautuminen järjestelmiin
Self-monitoring
1. Task description

The organization has predefined authentication methods that employees should prefer when using data systems.

When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) can help close a large number of access rights at once when the main user account that acts as the authentication method is closed.

Descriptions of different access rights management processes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

ACCESS-1: Establish Identities and Manage Authentication
C2M2: MIL1
I-06: VÄHIMPIEN OIKEUKSIEN PERIAATE – PÄÄSYOIKEUKSIEN HALLINNOINTI
Katakri 2020
4.5: Käyttöoikeuksien hallinta
TiHL: Tietoturva
4.2.1: Access Management
TISAX
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
CyFun
1. Task description

The organisation must manage all of it’s users and their privileges. This includes all third party users, which have access into the organisations data or systems.

The organisation must remove users entirely or remove privileges from them when they are no longer needed e.g when employee role changes.

Defining and documenting access roles
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

I06: Pääsyoikeuksien hallinnointi
Katakri
25. Data protection by design and by default
GDPR
5. Principles relating to processing of personal data
GDPR
9.1.1: Access control policy
ISO27 Full
9.2.2: User access provisioning
ISO27 Full
1. Task description

The organization implements role-based access control with predefined access roles for the various protected assets that entitle access to the associated asset. Strictness of the access roles should reflect the security risks associated with the asset.

The following should be considered to support access management:

  • how much information each user needs access to
  • how widely the user should be able to edit data (read, write, delete, print, execute)
  • whether other applications have access to the data
  • whether the data can be segregated within the property so that sensitive data is less exposed
Review of access right for changed employee roles
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Changes in employment relationships
requirements

Task is fulfilling also these other security requirements

9.2.5: Review of user access rights
ISO27 Full
UAC-06: Managing user privileges
Cyber Essentials
HAL-15: Työskentelyn tietoturvallisuus koko palvelussuhteen ajan
Julkri
TEK-07.3: Pääsyoikeuksien hallinnointi - pääsyoikeuksien ajantasaisuus
Julkri
5.18: Access rights
ISO27k1 Full
1. Task description

In all changes on employment relationship, access rights should be reviewed in cooperation with the owners of the protected property and re-granted to the person completely when there is a significant change in the person's employment. A change can be a promotion or a change of role (e.g., moving from one unit to another).

Restriction of access rights at high risk times of employment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Changes in employment relationships
requirements

Task is fulfilling also these other security requirements

9.2.6: Removal or adjustment of access rights
ISO27 Full
5.18: Access rights
ISO27k1 Full
CC6.2: Registering and authorizing new users before granting access
SOC 2
T-09: TYÖSUHTEEN AIKAISET MUUTOKSET TURVALLISUUSLUOKITELTUJEN TIETOJEN KÄSITTELYSSÄ
Katakri 2020
4.5: Käyttöoikeuksien hallinta
TiHL: Tietoturva
1. Task description

If a person's employment is terminating or significantly changing, the reduction of access rights to assets should be considered, depending on the following:

  • a person’s reluctance towards the upcoming change
  • the extent of the person’s current access rights and responsibilities
  • the value of the assets to which the employee has access
No items found.