
11.3 Privileged accounts and system administration accounts

11.3.1. The relevant entities shall maintain policies for management of privileged accounts and system administration accounts.

11.3.2. The policies referred to in point 11.3.1. shall:

(a) establish strong identification, authentication such as multi-factor authentication, and authorisation procedures for privileged accounts and system administration accounts;
(b) set up specific accounts to be used for system administration operations exclusively, such as installation, configuration, management or maintenance;
(c) individualise and restrict system administration privileges to the highest extent possible;
(d) provide that system administration accounts are only used to connect to system administration systems.

11.3.3. The relevant entities shall review access rights of privileged accounts and system administration accounts at planned intervals and be modified based on organisational changes, and shall document the results of the review, including the necessary changes of access rights.

As of: 27.06.2024
