Regular reviewing of data system access rights

Critical
High
Normal
Low

Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.

Connected other frameworks and requirements:
5. Principles relating to processing of personal data
GDPR
24. Responsibility of the controller
GDPR
32. Security of processing
GDPR
9.2.5: Review of user access rights
ISO 27001
4 luku, 16 §: Tietojärjestelmien käyttöoikeuksien hallinta

Use of multi-factor authentication for important data systems

Critical
High
Normal
Low

Systems containing important information should be logged in using a multi-authentication logon, also known as either “two-factor”, “multi-factor” or “dual factor” authentication.

For example, when first logging in with a password, a one-time authentication code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and owning the phone).

Biometric identifiers (eg fingerprint) and other devices can also be used for two-stage authentication. However, it is worth considering the costs and implications for privacy.

Connected other frameworks and requirements:
9.1.1: Access control policy
ISO 27001
9.4.2: Secure log-on procedures
ISO 27001
I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
PR.AC-7: User, devide and other asset authentication
NIST CSF
8.5: Secure authentication
ISO 27001

Enabling multi-factor authentication for all users

Critical
High
Normal
Low

Multi-factor authentication (MFA) helps protect devices and data. To apply it, users must have more information in the identity management system than just an email address - for example, a phone number or an attached authenticator application (e.g. Microsoft, Google, or LastPass Authenticator).

Connected other frameworks and requirements:
9.3: User responsibilities
ISO 27001
9.3.1: Use of secret authentication information
ISO 27001
PR.AC-7: User, devide and other asset authentication
NIST CSF
4.1 (MIL3): Establish Identities and Manage Authentication
C2M2

Using multi-factor authentication for admins

Critical
High
Normal
Low

Multi-factor authentication (MFA) is required for administrators in the organization's key data systems.

For example, when first logging in with a password, a one-time identification code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and ownership of the phone).

Biometric identifiers (e.g. fingerprints) and other devices can also be used for multi-stage authentication. However, it is worth considering the costs and implications for privacy.

Connected other frameworks and requirements:
9.1.1: Access control policy
ISO 27001
9.2.3: Management of privileged access rights
ISO 27001
PR.AC-7: User, devide and other asset authentication
NIST CSF
8.2: Privileged access rights
ISO 27001
4.1 (MIL3): Establish Identities and Manage Authentication
C2M2
No items found.