11. ACCESS CONTROL

11.1 Access control policy

11.1.1. For the purpose of Article 21(2), point (i) of Directive (EU) 2022/2555, the relevant entities shall establish, document and implement logical and physical access control policies for the access of persons and processes on network and information systems, based on business requirements as well as network and information system security requirements. 11.1.2. The policies

By | 2024-09-11T13:56:54+02:00 | September 11th, 2024 | Comments disabled for 11.1 Access control policy

11.2 Management of access rights

11.2.1. The relevant entities shall provide, modify, remove and document access rights to network and information systems in accordance with the access control policy referred to in point 11.1. 11.2.2. The relevant entities shall: (a) assign and revoke access rights based on the principles of need-to-know, least privilege and separation of duties; (b) ensure that

By | 2024-09-11T13:55:52+02:00 | September 11th, 2024 | Comments disabled for 11.2 Management of access rights

11.3 Privileged accounts and system administration accounts

11.3.1. The relevant entities shall maintain policies for management of privileged accounts and system administration accounts. 11.3.2. The policies referred to in point 11.3.1. shall: (a) establish strong identification, authentication such as multi-factor authentication, and authorisation procedures for privileged accounts and system administration accounts; (b) set up specific accounts to be used for system administration

By | 2024-09-11T13:54:41+02:00 | September 11th, 2024 | Comments disabled for 11.3 Privileged accounts and system administration accounts

11.4 Administration systems

11.4.1. The relevant entities shall restrict and control the use of system administration systems. 11.4.2. For that purpose, the relevant entities shall: (a) only use system administration systems for system administration purposes, and not for any other operations; (b) separate logically such systems from application software not used for system administrative purposes; (c) protect access

By | 2024-09-11T13:53:57+02:00 | September 11th, 2024 | Comments disabled for 11.4 Administration systems

11.5 Identification

11.5.1. The relevant entities shall manage the full life cycle of identities of network and information systems and their users. 11.5.2. For that purpose, the relevant entities shall: (a) set up unique identities for network and information systems and their users; (b) link the identity of users to a single person; (c) ensure oversight of

By | 2024-09-11T13:52:22+02:00 | September 11th, 2024 | Comments disabled for 11.5 Identification

11.6 Authentication

11.6.1. The relevant entities shall implement secure authentication procedures and technologies based on access restrictions and the policy on access control. 11.6.2. For that purpose, the relevant entities shall: (a) ensure the strength of authentication is appropriate to the classification of the asset to be accessed; (b) control the allocation to users and management of

By | 2024-09-27T23:28:23+02:00 | September 11th, 2024 | Comments disabled for 11.6 Authentication

11.7 Multi-factor authentication

11.7.1. The relevant entities shall ensure that users are authenticated by multiple authentication factors or continuous authentication mechanisms for accessing the entities’ network and information systems, where appropriate, in accordance with the classification of the asset to be accessed. 11.7.2. The relevant entities shall ensure that the strength of authentication is appropriate for the classification

By | 2024-09-27T23:29:39+02:00 | September 11th, 2024 | Comments disabled for 11.7 Multi-factor authentication