System Owner

SB.10.006 Mutation and Data Access Logs

Applications log access (attempts) to sensitive data. Applications log mutations of system configurations and sensitive data. Storing the original (pre-mutation) values is recommended but not required.


SB.10.004 Logging events

Events potentially relevant to the security of systems are logged in a central logging system (different from the originating system) with timestamps synchronised to official timeservers in UTC. Logs are protected from modification. Logs are reviewed periodically.


SB.10.001 Privilege account monitoring

Creation of new accounts with privileged authorisations, mutations in user groups through which privileged authorisations can be obtained, and changes in passwords for non-personal privileged accounts are approved. Potential abuse cases for the (attempted) use of privileged authorisations are defined and monitoring is implemented for these cases. False positive situations are approved by the System Owner before being allowed.


SB.9.013 Digital identities

Once issued, a digital account/identifier is connected uniquely with a natural person. Once issued, (old) accounts and unique account information are never (re)assigned to other natural persons. After individuals have left the organisation, their digital & legal identities are kept for a predefined period of time, based on business and legal requirements.


SB.9.012 Session Timeout

After a period of inactivity in an application, the user session should be locked and require re-authentication. Activity in another application from the same identity provider may be considered continued activity.


SB.9.011 Multi-Factor Authentication

Users must use a second factor to authenticate before accessing sensitive data or functionality. Users are allowed to mark devices as trusted, not requiring MFA on that specific device for a maximum period of 30 days for access, if the device meets all requirements for a second factor (such as being personal and meeting all hardware requirements). Users can mark a maximum of 5 devices as trusted. Authenticated users can access an overview of devices they have marked as trusted and be able to remove the trusted status of a device. Only ‘what you know’ and ‘what you have’ are...


SB.9.010 Password Visibility

Passwords must not be visible during entry by default (only when the user explicitly requests it as a usability feature). Passwords are not visible in any other way (including to administrators) and are not stored in a way that can be reversed. If passwords/secrets must be stored, they are stored in an appropriate password vault service.


SB.9.003 Defining user management

System owners define how user management takes place, including who is authorised to request changes to which user roles and how this can be requested/managed. System owners determine the access control models used for which types of users.


SB.9.001 Authentication through organisational identity

End-user authentication for applications takes place through a trusted Identity Provider for anyone with access to organisational data. The organisation has a defined relationship with individuals that have been given access, either directly or through contractual agreements with third parties. Only production environments can be linked to the production IdP.


SB.8.002 Operating procedures for Secure usage of IT services

Manuals and Operating Procedures that detail how to work with Information Systems and Services in a secure manner are available and communicated to end-users. Understanding of the operating procedures is verified and adhering to these procedures is monitored. Appropriate measures are taken when operating procedures are not followed.
