System Owner

MFA for Privileged Access

Authentication for access using privileged accounts includes Multi-Factor Authentication. This can include Multi-Factor Authentication to gain access to a network, followed by strong asymmetric cryptographic keys for authentication. Devices cannot...

Break Glass Procedure

There is a procedure for using Privileged Access Management in unforeseen and/or emergency situations, when access to privileged accounts is required for unanticipated events (privileged or non-privileged). Passwords are rotated...

Session Management for Privileged Access

Privileged Access to IT services is orchestrated through a Privileged Access Management (PAM) system. Actions taken using privileged accounts are logged or recorded. These actions are reviewed (either sample-based or...

Separate Accounts for Privileged Access

Accounts for privileged users are separate from regular user accounts. If a user needs privileged functionality, a second (privileged) account will be created to keep the privileged and non-privileged activities...

Service Accounts

Service accounts are only used when necessary for system authentication (no association with natural persons) or system-to-system authentication. The purpose of a service account is always documented. Each unique application-to-service...

Privileged Access

Privileged Access involves all user access that exposes more functionality than regular users have on any layer of the IT service infrastructure. Authorisations for privileged access are required to follow...

Access to admin interfaces

Administrative interfaces (other than application-level) are only accessible from an internal zone designated for administrative tasks. Access to this zone is secured via jump servers. These jump servers are used exclusively for...

Segmenting authentication domains

When handling secret authentication information for privileged access, a distinction must be made between security levels within the IT landscape, with at least a logical separation between user endpoints,...

Emergency Power

Emergency power is available for IT equipment, or a hot site connected to a separate power source is available.

Access to technical areas

Access to physical areas housing IT equipment or sensitive data must be logged, and the logs checked at least monthly for deviations. Procedures for working in secure areas are in place...