When a person starts an employment relationship, he or she is granted access to all data systems related to his or her role at once.
The organization verifies the identity of users and associates them with user information. These should also be confirmed before any interaction.
Identity verification must be performed according to pre-written and approved rules.
When offering cloud services, the organisation should provide the technical implementation that enables the customer to manage user registration to and deregistration from the service.
The organisation should also provide instructions and specifications for the creation / deletion of users (e.g. help articles, FAQs), covering topics such as different user levels, the user invitation process and different admin actions.
The organization must use unique usernames in order to associate users and assign responsibility for them.
Shared usernames are not allowed and users are not allowed to access information systems until a unique username is provided.
Applicants applying for cyber security should have their background checked, taking into account relevant laws and regulations.
The check may include:
The background check may also be extended to, for example, teleworkers, contractors or other third parties. The depth of the background check can be related to the category of the accessed data.