Low

Periodically, a list of all users in the system is generated along with associated permissions and reviewed. If it is available, all access rights must be in accordance with the authorisation matrix. A documented procedure is available for how the review is performed. Actions taken based on the review are recorded and stored for 2 years. If the authorisations are given based on role, the authorisations within the roles are part of the review as well.

After a period of 45 days of inactivity or at the end date of a formal relation with the organisation for which the account was provided, accounts are automatically blocked. After 90 days the account is deleted or stripped of all authorisations. Unblocking accounts follows the same approval process for requesting access as Joiner/Mover situations.

End-user authentication for applications takes place through a trusted Identity Provider for anyone with access to organisational data. The organisation has a defined relationship with individuals that have been given access, either directly or through contractual agreements with third parties. Only production environments can be linked to the production IdP.

The organisation has a coherent awareness program that identifies the knowledge relevant to information security various stakeholders must have, the ways to measure the current level of knowledge, and includes planning and organisation of interventions to maintain and increase the knowledge to desired levels.

When a workstation is left unattended, the session/screen is locked automatically after a maximum of 15 minutes and the user prompted for re-authentication.

Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

How long data is retained and available is identified and recorded and adheres to the minimum legal or business requirements. After this period, data is deleted and unrecoverable. This includes sensitive data stored on hardcopy which needs to be properly shredded and destroyed.

The organisation has processes for IT incidents in place. IT incidents are evaluated if they are potential security incidents. (Potential) Security incidents are treated according to a documented and standardised procedure. This procedure differentiates based on the risk involved and includes appropriate escalation, risk treatment steps, evaluating the relationship to other reports/alarms and root-cause analysis. Security Incidents are evaluated (either aggregated or individually, based on the severity) and appropriate measures are taken to prevent future occurances of the incidents. Information on security incidents is handled on a need-to-know basis. Security incidents involving Personally Identifiable Information (PII) are also considered a...

IT components send emails to end-users using an email address ending in a top-level domain for which the organisation is legally responsible. Mailservers take measures to prevent the reception and transmission of spam and malicious mails. Mails should be revocable on managed servers and supported endpoints. Links in emails should be validated to not be malicious. Mailserver reputation is monitored. Thresholds are determined and actions are taken to improve the reputation if it falls below thresholds.

Automatic forwarding of email to external addresses is denied-by-default.