11.2 Management of access rights
11.2.1. The relevant entities shall provide, modify, remove and document access rights to network and information systems in accordance with the access control policy referred to in point 11.1.
11.2.2. The relevant entities shall:
(a) assign and revoke access rights based on the principles of need-to-know, least privilege and separation of duties;
(b) ensure that access rights are modified accordingly upon termination or change of employment;
(c) ensure that access to network and information systems is authorised by their owner;
(d) ensure that access rights appropriately address third-party access, such as suppliers and service providers, in particular by limiting access rights in scope and in duration;
(e) maintain a register of access rights granted;
(f) apply logging to the management of access rights.
11.2.3. The relevant entities shall review access rights at planned intervals and shall modify them based on organisational changes. The relevant entities shall document the results of the review including the necessary changes of access rights.
Holen Sie sich den NIS2-Umsetzungs-Fahrplan und unseren Newsletter!