
Regular reviewing of data system access rights

The data system owner defines the access roles for the system according to the tasks of its users. The access rights actually in place must be monitored against the planned ones, and the rights must be reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and to eliminate unnecessary accounts.

Connected frameworks and requirements:
I06: Management of access rights
Chapter 4, Section 16: Management of access rights to information systems
24. Responsibility of the controller (GDPR)
32. Security of processing (GDPR)
5. Principles relating to processing of personal data (GDPR)

Review of access rights for changed employee roles

Whenever an employment relationship changes, access rights should be reviewed in cooperation with the owners of the protected assets, and when the change is significant the person's rights should be re-granted in full rather than adjusted incrementally. A significant change can be a promotion or a change of role (e.g., moving from one unit to another).
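The two reviews described above (comparing actual access rights against the planned role model and checking rights after a role change) can be run as one script. The following is an added example, not part of the original page or of any product it describes; the role model, HR roster and exported grants are constructed sample data, and the entitlement names are hypothetical. It flags entitlements not justified by the user's current role, accounts with no active employee behind them, and marks every admin-related finding so those get the closest look.

```python
"""Access-rights review against a planned role model (added example, constructed data)."""
from dataclasses import dataclass

# Hypothetical planned model: role -> entitlements approved by the system owner.
PLANNED_ROLES = {
    "finance-analyst": {"ledger:read", "reports:read"},
    "finance-manager": {"ledger:read", "ledger:write", "reports:read"},
    "sysadmin": {"ledger:read", "system:admin"},
}
# Entitlements that count as admin rights and must be minimized.
ADMIN_ENTITLEMENTS = {"system:admin"}

# Constructed HR roster: account -> current role; None means the person has left.
HR_ROSTER = {
    "alice": "finance-manager",   # promoted from finance-analyst; old rights may linger
    "bob": "finance-analyst",
    "carol": "sysadmin",
    "dave": None,                 # left the company, account still exists
}

# Constructed export of the entitlements actually present in the system.
ACTUAL_GRANTS = {
    "alice": {"ledger:read", "ledger:write", "reports:read", "system:admin"},
    "bob": {"ledger:read", "reports:read"},
    "carol": {"ledger:read", "system:admin"},
    "dave": {"ledger:read"},
    "svc-backup": {"system:admin"},  # account unknown to HR
}


@dataclass
class Finding:
    account: str
    kind: str        # "orphan_account" | "excess_entitlement" | "missing_entitlement"
    detail: str
    admin: bool = False


def review_access(planned, roster, actual, admin_set):
    """Compare actual grants with the planned role model and return findings."""
    findings = []
    for account, granted in sorted(actual.items()):
        role = roster.get(account)
        if role is None:
            # No active employee owns this account: every grant is unjustified.
            findings.append(Finding(
                account, "orphan_account",
                f"{len(granted)} entitlement(s) on account with no active owner",
                admin=bool(granted & admin_set)))
            continue
        expected = planned.get(role, set())
        # Rights the current role does not justify (typical leftovers after a role change).
        for ent in sorted(granted - expected):
            findings.append(Finding(account, "excess_entitlement",
                                    f"{ent} not in planned role {role}",
                                    admin=ent in admin_set))
        # Rights the role plans for but the account lacks (drift in the other direction).
        for ent in sorted(expected - granted):
            findings.append(Finding(account, "missing_entitlement",
                                    f"{ent} planned for {role} but absent"))
    return findings


def admin_findings(findings):
    """Subset of findings that touch admin rights; review these first."""
    return [f for f in findings if f.admin]


if __name__ == "__main__":
    for f in review_access(PLANNED_ROLES, HR_ROSTER, ACTUAL_GRANTS, ADMIN_ENTITLEMENTS):
        flag = " [ADMIN]" if f.admin else ""
        print(f"{f.kind:20} {f.account:12} {f.detail}{flag}")
```

In practice the three inputs come from the system owner's role definitions, the HR system and an entitlement export from the data system; running the comparison on a schedule gives the regular reassessment the control asks for, and a role change in the roster automatically surfaces the rights that were granted under the previous role.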

Connected frameworks and requirements:
9.2.5: Review of user access rights (ISO 27001)
5.18: Access rights (ISO 27001)
4.2 (MIL1): Control Logical Access (C2M2)

Access management for personal data in files and papers

We call unstructured, local information held outside data systems manual data. Minimizing access to it is part of data minimization, an important principle when handling any sensitive data.

If important data is largely manual, for example kept in local Excel documents, it may already be available only to a small number of employees. Identifying those people nonetheless helps target guidance and security policies at them, while the rest of the organization can, for example, focus on minimizing the amount of such hidden information in general.

Connected frameworks and requirements:
9.2.5: Review of user access rights (ISO 27001)