Medium

SB.10.001 Privilege account monitoring

Creation of new accounts with privileged authorisations, mutations in user groups through which privileged authorisations can be obtained, and changes in passwords for non-personal privileged accounts are approved. Potential abuse cases for the (attempted) use of privileged authorisations are defined and monitoring is implemented for these cases. False positive situations are approved by the System Owner before being allowed.


SB.9.011 Multi-Factor Authentication

Users must use a second factor to authenticate before accessing sensitive data or functionality. Users are allowed to mark devices as trusted, not requiring MFA on that specific device for a maximum period of 30 days for access, if the device meets all requirements for a second factor (such as being personal and meeting all hardware requirements). Users can mark a maximum of 5 devices as trusted. Authenticated users can access an overview of devices they have marked as trusted and be able to remove the trusted status of a device. Only ‘what you know’ and ‘what you have’ are...


SB.9.003 Defining user management

System owners define how user management takes place, including who is authorised to request changes to which user roles and how this can be requested/managed. System owners determine the access control models used for which types of users.


SB.8.008 Non-Disclosure Agreements

When working with sensitive information, individuals are required to agree with and sign a non-disclosure agreement (NDA). At a minimum the NDA specifies how the individual should handle the sensitive information and how long restrictions apply after working with the information has ceased. Also, the NDA specifies the consequences for the individual when breaching the agreement.


SB.8.007 Staged warning model

The organisation has a policy for disciplinary action and inappropriate handling of information. Police reports will be filed when wilful breaking of the law or actions with criminal intent are ascertained with regard to data handling. A record of this will be placed in the personnel file. The case will immediately be presented to a committee consisting of representatives of the Organisational Unit, CISO and HR, which will determine the disciplinary action.


SB.8.004 Identification

Before commencement of processing activities all individuals working with data and systems have been identified using a nationally issued Identification Document or through a trusted federated identity provider.


SB.8.002 Operating procedures for Secure usage of IT services

Manuals and Operating Procedures that detail how to work with Information Systems and Services in a secure manner are available and communicated to end-users. Understanding of the operating procedures is verified and adhering to these procedures is monitored. Appropriate measures are taken when operating procedures are not followed.
