System Owner
Mutation and Data Access Logs
Applications log access (and access attempts) to sensitive data. Applications log mutations of system configurations and sensitive data. Storing the original values is recommended but not required.
Logging events
Events potentially relevant to the security of systems are logged in a central logging system (different from the originating system) with timestamps synchronised to official timeservers in UTC. Logs...
Privilege account monitoring
Creation of new accounts with privileged authorisations, mutations in user groups through which privileged authorisations can be obtained, and changes in passwords for non-personal privileged accounts are approved. Potential abuse...
Digital identities
Once issued, a digital account/identifier is connected uniquely with a natural person. Once issued, (old) accounts and unique account information are never (re)assigned to other natural persons. After individuals have...
Session Timeout
After a period of inactivity in an application, the user session should be locked and require re-authentication. Activity in another application from the same identity provider may be considered continued...
Multi-Factor Authentication
Users must use a second factor to authenticate before accessing sensitive data or functionality. Users are allowed to mark devices as trusted, not requiring MFA on that specific device for...
Password Visibility
Passwords must by default not be visible during entry (only when prompted by the user as a usability feature). Passwords are not visible in any other way (including to administrators)...
Defining user management
System owners define how user management takes place, including who is authorised to request changes to which user roles and how this can be requested/managed. System owners determine the access...
Authentication through organisational identity
End-user authentication for applications takes place through a trusted Identity Provider for anyone with access to organisational data. The organisation has a defined relationship with individuals that have been given...
Operating procedures for Secure usage of IT services
Manuals and Operating Procedures that detail how to work with Information Systems and Services in a secure manner are available and communicated to end-users. Understanding of the operating procedures is...