The access control policy defines rules and principles upon which access rights and restrictions are configured.
The policy is applicable to all internal and external personnel.
- Access is granted based upon the need-to-know/need-to-use principle.
- Based on the person's role, access to information/assets is granted.
- Access is granted/revoked upon management request. The user can request access himself, but then the request has to be approved by his/her manager first.
- As part of the HR on boarding process and HR off boarding process, access rights will be granted/revoked as well.
- Logical access lists should be reviewed by the system owner as defined in the Systems and (cloud) services overview, the frequency depends on the classification of the information:
- Sensitive or Confidential: 3 months
- Internal: 6 months
- Public: 12 months
- 2FA (Two Factor Authentication) must be used for systems holding Sensitive information
- User names are created by concatenating the user's first and last name, separated by a period, all in lower case (e.g. maurice.pasman)
- User names may not be shared or reused for systems holding Confidential or Sensitive information
- If the password was manually set by an administrator/system owner, the user must be required to change the password at first login
- The user should be enforced to use quality passwords (as per Password policy)
- The reuse of the last three passwords should be prevented
- The passwords should be stored in a secure way (encrypted/hashed and separated from other data)
Login information should be transmitted encrypted (using TLS)
Updated 8 months ago