Medium
Privilege account monitoring
Creation of new accounts with privileged authorisations, mutations in user groups through which privileged authorisations can be obtained and changes in passwords for non-personal privileged accounts are approved Potential abuse...
Multi-Factor Authentication
Users must use a second factor to authenticate before accessing sensitive data or functionality. Users are allowed to mark devices as trusted, not requiring MFA on that specific device for...
Defining user management
System owners define how user management takes place, including who is authorised to request changes to which user roles and how this can be requested/managed. System owners determine the access...
Non-Disclosure Agreements
When working with sensitive information, individuals are required to agree with and sign a non-disclosure agreement (NDA). At a minimum the NDA specifies how the individual should handle the sensitive...
Staged warning model
The organisation has a policy for disciplinary action and inappropriate handling of information. Police reports will be filed when willfully breaking of the law or actions with criminal intent are...
External visitors to non-public spaces
Non-contracted visitors in sensitive areas are always accompanied by organisational staff.
Identification
Before commencement of processing activities all individuals working with data and systems have been identified using a nationally issued Identification Document or through a trusted federated identity provider.
Operating procedures for Secure usage of IT services
Manuals and Operating Procedures that detail how to work with Information Systems and Services in a secure manner are available and communicated to end-users. Understanding of the operating procedures is...
Public workspace security
Shared workspace endpoints are physically protected from tampering with or removing the hardware.
Memory protection
Endpoints have appropriate protections to prevent attacks on memory.