Responsibility

Least Privilege

Individuals receive only the minimum number of authorisations required for their role and purpose in the processing activities. Authorisations are only given for the period in which the activities take place. Preferably...

Digital identities

Once issued, a digital account/identifier is connected uniquely with a natural person. (Old) accounts and unique account information are never (re)assigned to other natural persons. After individuals have...

Session Timeout

After a period of inactivity in an application, the user session should be locked and require re-authentication. Activity in another application from the same identity provider may be considered continued...

Multi-Factor Authentication

Users must use a second factor to authenticate before accessing sensitive data or functionality. Users are allowed to mark devices as trusted, not requiring MFA on that specific device for...

Password Visibility

By default, passwords must not be visible during entry (only when the user explicitly requests it as a usability feature). Passwords are not visible in any other way (including to administrators)...

PIN and biometrics

PIN codes are a subset of passwords that usually have limited complexity. Usage of PIN codes in place of passwords is only permitted in a one-to-one relation to...

Password Complexity

Systems that allow setting passwords enforce that passwords satisfy minimum complexity requirements. Rate limiting is enforced for failed password entries. During password creation, an indicator of password complexity is reported to...

Review of Permissions

Periodically, a list of all users in the system is generated along with associated permissions and reviewed. If it is available, all access rights must be in accordance with the...

Defining user management

System owners define how user management takes place, including who is authorised to request changes to which user roles and how this can be requested/managed. System owners determine the access...

Account lock-out

After a period of 45 days of inactivity, or at the end date of the formal relation with the organisation for which the account was provided, accounts are automatically blocked...