Content library
Julkri: TL IV-I
HAL-14: Käyttö- ja käsittelyoikeudet

How to fill the requirement

Julkri: TL IV-I

HAL-14: Käyttö- ja käsittelyoikeudet

Task name
Priority
Status
Theme
Policy
Other requirements
Regular reviewing of data system access rights
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

I06: Pääsyoikeuksien hallinnointi
Katakri
16 §: Tietojärjestelmien käyttöoikeuksien hallinta
TiHL
24. Responsibility of the controller
GDPR
32. Security of processing
GDPR
5. Principles relating to processing of personal data
GDPR
1. Task description

Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.

Early orientation of security guidelines for personnel
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Personnel security
Security guidelines
requirements

Task is fulfilling also these other security requirements

HAL-11: Salassapito- ja vaitiolovelvollisuus
Julkri
HAL-14: Käyttö- ja käsittelyoikeudet
Julkri
1. Task description

Tietoa käsitteleville henkilöille selvitetään tietojen suojaamista ja asiakirjojen käsittelyä koskevat tietoturvaohjeet ja -periaatteet ennen pääsyä tietoihin tai organisaation tarkasti määrittelemien aikamääreiden sisällä.

Defining and documenting access roles
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

I06: Pääsyoikeuksien hallinnointi
Katakri
25. Data protection by design and by default
GDPR
5. Principles relating to processing of personal data
GDPR
9.1.1: Access control policy
ISO27 Full
9.2.2: User access provisioning
ISO27 Full
1. Task description

The organization implements role-based access control with predefined access roles for the various protected assets that entitle access to the associated asset. Strictness of the access roles should reflect the security risks associated with the asset.

The following should be considered to support access management:

  • how much information each user needs access to
  • how widely the user should be able to edit data (read, write, delete, print, execute)
  • whether other applications have access to the data
  • whether the data can be segregated within the property so that sensitive data is less exposed
Need to know -principle in access management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

I06: Pääsyoikeuksien hallinnointi
Katakri
9.1.1: Access control policy
ISO27 Full
PR.AC-4: Access permissions and authorizations
NIST
HAL-02.1: Tehtävät ja vastuut - tehtävien eriyttäminen
Julkri
HAL-14: Käyttö- ja käsittelyoikeudet
Julkri
1. Task description

The need-to-know principle grants access only to information that an individual needs to perform his or her task. Different tasks and roles have different information needs and thus different access profiles.

Separation of tasks means that conflicting tasks and responsibilities must be separated in order to reduce the risk of unauthorized or unintentional modification or misuse of the organisation's protected assets.

No items found.