Identity & Access Management

Authorization Matrix

Description Process owners are responsible for an authorisation matrix listing who has what access to data and functionality in the relevant systems, and in what capacity. The authorisation matrix includes roles, the...

Joiner/Mover/Leaver

Description Process owners approve users being granted authorisations to the data in the process. Requests from individuals who want access to information assets, or authorisations to act on them, are logged and...

Least Privilege

Description Individuals receive only the minimum set of authorisations required for their role and purpose in the processing activities. Authorisations are granted only for the period during which those activities take place...

Digital identities

Description A digital account/identifier is uniquely bound to one natural person. Once issued, (old) accounts and unique account identifiers are never (re)assigned to other natural persons. After individuals...

Session Timeout

Description After a period of inactivity in an application, the user session must be locked and require re-authentication before further use. Activity in another application served by the same identity provider may be considered...
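The mechanics behind this control, as an added example that is not part of the original page: a session store that records the last request per session, marks a session locked once the idle timeout is exceeded, refuses to extend a locked session, and only unlocks it after re-authentication. The optional identity-provider callback shows how activity in another application from the same identity provider can count toward keeping the session alive. The 15-minute timeout, the callback shape and the sample timeline are assumptions made for this example.

```python
"""Idle-session lockout with optional identity-provider activity (added example)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed policy value for this example; the real value comes from the access policy.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user_id: str
    last_activity: float   # timestamp of the last request seen in this application
    locked: bool = False   # a locked session must re-authenticate before any use


class SessionStore:
    """Tracks sessions and locks them after `idle_timeout` seconds without activity.

    `idp_last_activity(user_id)` is an assumed hook returning the most recent activity
    timestamp for the same identity at the identity provider (i.e. in sibling
    applications); when supplied, that activity also keeps the session alive.
    `clock` is injectable so the behaviour can be exercised deterministically.
    """

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 idp_last_activity: Optional[Callable[[str], Optional[float]]] = None,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._idle_timeout = idle_timeout
        self._idp_last_activity = idp_last_activity
        self._clock = clock

    def create(self, session_id: str, user_id: str) -> None:
        self._sessions[session_id] = Session(user_id, self._clock())

    def _effective_last_activity(self, s: Session) -> float:
        last = s.last_activity
        if self._idp_last_activity is not None:
            idp_ts = self._idp_last_activity(s.user_id)
            if idp_ts is not None:
                last = max(last, idp_ts)
        return last

    def status(self, session_id: str) -> str:
        """Return 'active', 'locked' or 'unknown'; locks the session if it has idled out."""
        s = self._sessions.get(session_id)
        if s is None:
            return "unknown"
        if s.locked:
            return "locked"
        if self._clock() - self._effective_last_activity(s) > self._idle_timeout:
            s.locked = True
            return "locked"
        return "active"

    def touch(self, session_id: str) -> bool:
        """Record activity on a request. A locked session is not extended (returns False)."""
        if self.status(session_id) != "active":
            return False
        self._sessions[session_id].last_activity = self._clock()
        return True

    def reauthenticate(self, session_id: str, credentials_ok: bool) -> bool:
        """Unlock only after the user has proven the credential again."""
        s = self._sessions.get(session_id)
        if s is None or not credentials_ok:
            return False
        s.locked = False
        s.last_activity = self._clock()
        return True


def demo() -> List[object]:
    """Constructed timeline showing lock, refused touch, re-auth and IdP-shared activity."""
    now = [0.0]
    idp_activity: Dict[str, Optional[float]] = {"alice": None}
    store = SessionStore(idle_timeout=900,
                         idp_last_activity=lambda u: idp_activity.get(u),
                         clock=lambda: now[0])
    store.create("s1", "alice")
    events: List[object] = []
    now[0] = 600;  events.append(store.status("s1"))            # 10 min idle: active
    now[0] = 1600; events.append(store.status("s1"))            # >15 min idle: locked
    events.append(store.touch("s1"))                             # locked sessions do not extend
    events.append(store.reauthenticate("s1", credentials_ok=True))
    now[0] = 2000; events.append(store.status("s1"))            # active again after re-auth
    now[0] = 3000; idp_activity["alice"] = 2900.0
    events.append(store.status("s1"))                            # kept alive by IdP activity
    now[0] = 4000; events.append(store.status("s1"))            # IdP activity also stale: locked
    return events


if __name__ == "__main__":
    print(demo())
```

Whether identity-provider activity should count is a policy decision; the callback makes that choice explicit and auditable rather than buried in the timeout logic.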

Multi-Factor Authentication

Description Users must authenticate with a second factor before accessing sensitive data or functionality. Users are allowed to mark devices as trusted, so that MFA is not required again on that specific device...

Password Visibility

Description Passwords must not be visible during entry by default (revealed only when the user explicitly requests it, as a usability feature). Passwords are not visible in any other way (including to...

PIN and biometrics

Description PIN codes are a subset of passwords that usually have limited complexity. Use of PIN codes in place of passwords is only permitted in a one-to-one relation...

Password Complexity

Description Systems that allow users to set passwords enforce that passwords satisfy minimum complexity requirements. Rate limiting is enforced on failed password attempts. During password creation, an indicator of password complexity is reported...
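The three requirements in this control (complexity enforcement, a complexity indicator at creation time, and rate limiting of failed attempts) as an added example that is not part of the original page. The minimum length, the three-of-four character-class rule, the entropy thresholds for the indicator, the five-failures-per-five-minutes window and the toy common-password list are assumptions made for this example, not values the page prescribes. Passwords are stored as salted PBKDF2 hashes so the login path is realistic; the iteration count is likewise an assumption to tune to current guidance.

```python
"""Password complexity check, strength indicator and failed-login rate limiting (added example)."""
import hashlib
import hmac
import math
import os
import re
import time
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple

# Assumed policy values for this example.
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3
MAX_FAILURES = 5
FAILURE_WINDOW_SECONDS = 300
PBKDF2_ITERATIONS = 200_000
# Constructed toy denylist; a real deployment uses a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
_CLASS_SIZES = (26, 26, 10, 33)


def check_complexity(password: str) -> List[str]:
    """Return the list of unmet requirements; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in _CLASS_PATTERNS)
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if re.search(r"(.)\1\1", password):
        problems.append("contains a character repeated 3+ times in a row")
    return problems


def strength_indicator(password: str) -> Tuple[str, float]:
    """Indicator shown during creation: rough entropy (bits) from pool size and length."""
    pool = sum(size for p, size in zip(_CLASS_PATTERNS, _CLASS_SIZES) if re.search(p, password))
    bits = len(password) * math.log2(pool) if pool else 0.0
    if password.lower() in COMMON_PASSWORDS:
        bits = 0.0  # a known password has no practical entropy regardless of length
    label = "weak" if bits < 40 else "fair" if bits < 60 else "strong"
    return label, round(bits, 1)


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class FailureRateLimiter:
    """Sliding-window limiter per account: once `max_failures` failures fall inside the
    window, further attempts for that account are refused until old failures age out."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: float = FAILURE_WINDOW_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._failures: Dict[str, Deque[float]] = {}
        self._max, self._window, self._clock = max_failures, window, clock

    def _recent(self, key: str) -> Deque[float]:
        dq = self._failures.setdefault(key, deque())
        cutoff = self._clock() - self._window
        while dq and dq[0] <= cutoff:
            dq.popleft()
        return dq

    def allowed(self, key: str) -> bool:
        return len(self._recent(key)) < self._max

    def record_failure(self, key: str) -> None:
        self._recent(key).append(self._clock())

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(limiter: FailureRateLimiter, users: Dict[str, Tuple[bytes, bytes]],
                  username: str, password: str) -> str:
    """Returns 'rate_limited', 'bad_password' or 'ok'. The limit is checked before any
    hashing so a locked-out attacker also cannot burn CPU on the server."""
    if not limiter.allowed(username):
        return "rate_limited"
    entry = users.get(username)
    if entry is None or not verify_password(password, *entry):
        limiter.record_failure(username)  # unknown users are counted too (no enumeration hint)
        return "bad_password"
    limiter.record_success(username)
    return "ok"


def demo() -> Dict[str, object]:
    """Constructed scenario: complexity results, indicator, then five failures and lock-out."""
    now = [1000.0]
    limiter = FailureRateLimiter(clock=lambda: now[0])
    good = "Tr0ub4dor&3-xyzzy"
    users = {"alice": hash_password(good)}
    logins = []
    for _ in range(6):                       # five counted failures, sixth is refused
        logins.append(attempt_login(limiter, users, "alice", "wrong-guess"))
        now[0] += 1
    logins.append(attempt_login(limiter, users, "alice", good))   # correct, but still limited
    now[0] += FAILURE_WINDOW_SECONDS                               # window drains
    logins.append(attempt_login(limiter, users, "alice", good))   # ok
    return {"bad": check_complexity("password"), "good": check_complexity(good),
            "indicator": strength_indicator(good)[0], "logins": logins}


if __name__ == "__main__":
    print(demo())
```

Note that the rate limit is keyed on the account, not the client address, so distributed guessing against one account is still throttled; pairing it with a per-source limit covers spraying one password across many accounts.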

Review of Permissions

Description Periodically, a list of all users in the system together with their associated permissions is generated and reviewed. Where available, all access rights must be in accordance with...