Low

Block malicious sources

Identify known malicious domains, IPs or other content and block access to these sources from the organisational network, systems and managed devices. Enable Domain Name System (DNS) query logging to...

Logging events

Description Events potentially relevant to the security of systems are logged in a central logging system (different from the originating system) with timestamps synchronised to official timeservers in UTC. Logs...

Joiner/Mover/Leaver

Process approve users getting authorisations to the data in the process. The requests of individuals that want access to information assets or authorisations to do so, are logged and retained...

Least Privilege

Individuals receive only the minimum number of authorisations required for their role and purpose in the processing activities. Authorisations are only given for the period the activities take place. Preferably...

Digital identities

Once issued, a digital account/identifier is connected uniquely with a natural person. Once issued, (old) accounts and unique account information are never (re)assigned to other natural persons. After individuals have...

Session Timeout

After a period of inactivity in an application, the user session should be locked and require re-authentication. Activity in another application from the same identity provider may be considered continued...

Password Visibility

Passwords must by default not be visible during entry (only when prompted by the user as a usability feature). Passwords are not visible in any other way (including to administrators)...

PIN and biometrics

PIN codes are a subset of passwords that usually have limitations to the complexity. Usage of PIN codes in place of passwords is only permitted in a one-to-one relation to...

Password Complexity

Systems that allow setting passwords enforce that passwords satisfy minimum complexity requirements. Rate-limiting is enforced for failed password entries. During password creation, an indicator of password complexity is reported to...