The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include measures for access control policies.
The password management system allows the user in a registration situation to decide how complex a password is to be set this time and to remember it on behalf of the user.
When using the password management system, e.g. the following principles:
The organization has predefined authentication methods that employees should prefer when using data systems.
When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) can help close a large number of access rights at once when the main user account that acts as the authentication method is closed.
Systems containing important information should be logged in using a multi-authentication logon, also known as either “two-factor”, “multi-factor” or “dual factor” authentication.
For example, when first logging in with a password, a one-time authentication code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and owning the phone).
Biometric identifiers (eg fingerprint) and other devices can also be used for two-stage authentication. However, it is worth considering the costs and implications for privacy.
Supervisors have been instructed to notify the owners of data systems in advance of significant changes in the employment relationships of subordinates, such as promotions, discounts, termination of employment or other changes in the job role.
Based on the notification, a person's access rights can be updated either from the centralized management system or from individual data systems.
Admin rights are managed through a formal process aimed at limiting the allocation of admin rights and controlling their use.
Regarding admin rights:
The organization implements role-based access control with predefined access roles for the various protected assets that entitle access to the associated asset. Strictness of the access roles should reflect the security risks associated with the asset.
The following should be considered to support access management:
Especially in the main identity management systems (e.g. Microsoft 365, Google), administrator accounts have very significant rights. These accounts are often the target of scammers and attacks because of their value. For this reason, it is useful to dedicate administrator accounts to administrative use only, and to not use these accounts for everyday use or, for example, when registering with other online services.
The organization maintains a centralized record of the access rights granted to each user ID to data systems and services. This recording is used to review access rights at times of employment change or in the onboarding process of new colleagues joining the same role.
To ensure that authorized users have access to data systems and to prevent unauthorized access, the organization has defined formal processes for:
The implementation of these things must always take place through a defined, formal process.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
