IDM-01—Policy for user accounts and access rights
Control Description
A role and rights concept based on the business and security requirements of the Cloud Service Provider, as well as a policy for managing user accounts and access rights for internal and external employees of the Cloud Service Provider and for system components that have a role in automated authorisation processes of the Cloud Service Provider, are documented, communicated and made available according to SP-01. They address:
• Assignment of unique usernames;
• Granting and modifying user accounts and access rights based on the “least privilege” principle and the “need-to-know” principle;
• Segregation of duties between operational and monitoring functions (“Segregation of Duties”);
• Segregation of duties between managing, approving and assigning user accounts and access rights;
• Approval by authorised individual(s) or system(s) for granting or modifying user accounts and access rights before data of the cloud customer or system components used to provision the cloud service can be accessed;
• Regular review of assigned user accounts and access rights;
• Blocking and removing access accounts in the event of inactivity;
• Time-based or event-driven removal or adjustment of access rights in the event of changes to job responsibility;
• Two-factor or multi-factor authentication for users with privileged access;
• Requirements for the approval and documentation of the management of user accounts and access rights.
Additional criteria: -