Content library
Kibernetinio Saugumo Įstatymas (Lithuania)
14.5.12): Kibernetinio saugumo prieigos ir duomenų teisių politika

Requirement description

Kibernetinio saugumo reikalavimai apima šiuos elementus: kibernetinio saugumo subjektų valdomų ir (ar) tvarkomų tinklų ir informacinių sistemų naudotojų, administratorių, kibernetinio saugumo subjektų tiekėjų, jų subtiekėjų ir kitų ūkio subjektų teisių ir prieigos prie kibernetinio saugumo subjektų valdomų ir (ar) tvarkomų tinklų ir informacinių sistemų ir (ar) skaitmeninių duomenų suteikimo ir valdymo politiką

How to fill the requirement

Kibernetinio Saugumo Įstatymas (Lithuania)

14.5.12): Kibernetinio saugumo prieigos ir duomenų teisių politika

Task name
Priority
Status
Theme
Policy
Other requirements
Regular reviewing of data system access rights
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
31
requirements

Examples of other requirements this task affects

I06: Pääsyoikeuksien hallinnointi
Katakri
16 §: Tietojärjestelmien käyttöoikeuksien hallinta
TiHL
24. Responsibility of the controller
GDPR
32. Security of processing
GDPR
5. Principles relating to processing of personal data
GDPR
See all related requirements and other information from tasks own page.
Go to >
Regular reviewing of data system access rights
1. Task description

Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.

Data processing partner listing and owner assignment
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
44
requirements

Examples of other requirements this task affects

Članak 30.1.d: Sigurnost lanca opskrbe
NIS2 Croatia
9.4 §: Toimitusketjun hallinta ja valvonta
Kyberturvallisuuslaki
1.2.4: Definition of responsibilities with service providers
TISAX
1.3.3: Use of approved external IT services
TISAX
6.1.1: Partner Information security
TISAX
See all related requirements and other information from tasks own page.
Go to >
Data processing partner listing and owner assignment
1. Task description

The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.

Documentation of partner contract status
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
27
requirements

Examples of other requirements this task affects

Članak 30.1.d: Sigurnost lanca opskrbe
NIS2 Croatia
9.4 §: Toimitusketjun hallinta ja valvonta
Kyberturvallisuuslaki
30 § 3.4°: La sécurité de la chaîne d'approvisionnement
NIS2 Belgium
30 § 4°: Définir et contrôler les mesures de sécurité requises pour la chaîne d'approvisionnement
NIS2 Belgium
2.1.9: Maintain security responsibility during outsourcing
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Documentation of partner contract status
1. Task description

A supplier agreement will be drawn up with all partners directly or indirectly involved in the processing of data. The aim is to ensure that there is no misunderstanding between the organization and the supplier of parties' obligations regarding to complying with security requirements.

The organization shall include in the supplier agreement, as appropriate:

  • the data used by the supplier (and possible data classification) and staff receiving access to data
  • rules on the acceptable use of data
  • confidentiality requirements for data processing staff
  • parties responsibilities in meeting regulatory requirements
  • parties' concrete responsibilities in relation to data security (e.g. access control, monitoring)
  • reporting and correcting incidents
  • requirements for the use of subcontractors
  • allowing auditing supplier processes and controls related to the contract (and committing to correcting non-conformities)
  • a commitment to return or destroy data at the end of the contract
  • the supplier's responsibility to comply with organization's security guidelines
Creating and maintaining an access control policy
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
7
requirements

Examples of other requirements this task affects

14.5.12): Kibernetinio saugumo prieigos ir duomenų teisių politika
NIS2 Lithuania
40: Käyttövaltuuspolitiikka ja prosessi
Digiturvan kokonaiskuvapalvelu
2.6.2: Establish a formal process for administration of accounts, access rights and privileges
NSM ICT-SP
2.6.1: Create guidelines for access control
NSM ICT-SP
6.8: Define and Maintain Role-Based Access Control
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Creating and maintaining an access control policy
1. Task description

To ensure authorized access and prevent unauthorized access to data and other related resources, the organization has defined and implemented clear rules for physical and logical access control.

Rules are implemented and enforced through several different tasks, but are also combined into an access control policy for clear communication and review.

All accounts, access rights and privileges should be traceable to the role responsible for them and the person who approved them.

Definition of supplier-specific responsible persons
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Partner management
Agreements and monitoring
7
requirements

Examples of other requirements this task affects

15.2.2: Managing changes to supplier services
ISO 27001
8.1.2: Ownership of assets
ISO 27001
ID.SC-4: Audit suppliers and third-party partners
NIST
14.5.12): Kibernetinio saugumo prieigos ir duomenų teisių politika
NIS2 Lithuania
CC9.2: Partner risk management
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Definition of supplier-specific responsible persons
1. Task description

A responsible person has been appointed for the provider companies, who monitors the provider's activities, communications and compliance with the contract.

Responsible person must have sufficient skills to analyze cyber security requirements depending on the criticality of the provider. Responsible person also ensures that the provider appoints an own responsible person to ensure compliance with the contract and facilitate cooperation.

Rules and formal management process for admin rights
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
23
requirements

Examples of other requirements this task affects

Članak 30.1.i (Pristup): Politike kontrole pristupa
NIS2 Croatia
9.7 §: Pääsynhallinta, todentaminen ja MFA
Kyberturvallisuuslaki
30 § 3.9° (l'accès): Contrôle d'accès
NIS2 Belgium
2.6.2: Establish a formal process for administration of accounts, access rights and privileges
NSM ICT-SP
2.6.4: Minimise privileges for end users and special users
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Rules and formal management process for admin rights
1. Task description

Admin rights are managed through a formal process aimed at limiting the allocation of admin rights and controlling their use.

Regarding admin rights:

  • expiration requirements are defined
  • admin rights are granted only to usernames not used for normal everyday use
  • normal day-to-day use may not be performed with an admin account
Descriptions of different access rights management processes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
10
requirements

Examples of other requirements this task affects

14.5.12): Kibernetinio saugumo prieigos ir duomenų teisių politika
NIS2 Lithuania
ACCESS-1: Establish Identities and Manage Authentication
C2M2
I-06: VÄHIMPIEN OIKEUKSIEN PERIAATE – PÄÄSYOIKEUKSIEN HALLINNOINTI
Katakri 2020
4.5: Käyttöoikeuksien hallinta
TiHL tietoturvavaatimukset
4.2.1: Access Management
TISAX
See all related requirements and other information from tasks own page.
Go to >
Descriptions of different access rights management processes
1. Task description

The organisation must manage all of it’s users and their privileges. This includes all third party users, which have access into the organisations data or systems.

The organisation must remove users entirely or remove privileges from them when they are no longer needed e.g when employee role changes.

Centralized record of user's access rights to data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
14
requirements

Examples of other requirements this task affects

Članak 30.1.i (Pristup): Politike kontrole pristupa
NIS2 Croatia
9.7 §: Pääsynhallinta, todentaminen ja MFA
Kyberturvallisuuslaki
30 § 3.9° (l'accès): Contrôle d'accès
NIS2 Belgium
2.6.3: Use a centralised tool to manage accounts, access rights and privileges
NSM ICT-SP
14.5.10.b): Prieigos kontrolė
NIS2 Lithuania
See all related requirements and other information from tasks own page.
Go to >
Centralized record of user's access rights to data systems
1. Task description

The organization maintains a centralized record of the access rights granted to each user ID to data systems and services. This recording is used to review access rights at times of employment change or in the onboarding process of new colleagues joining the same role.

Tasks included in the policy

Task name
Priority
Status
Theme
Policy
Other requirements
No items found.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.