Identify the users of the information systems, including: a) user identity, b) work location(s), c) required access to ICT systems, services/applications, d) particular privilege requirements, see 1.3.2. See also principles 2.2 – Establish a secure ICT architecture and 2.6 – Stay in control of identities and access rights.
When working remotely, the employee must follow these guidelines:
The organization implements role-based access control with predefined access roles for the various protected assets; membership in a role entitles the user to access the associated asset. The strictness of each access role should reflect the security risk associated with the asset it protects.
The following should be considered to support access management:
The organization must manage all of its users and their privileges. This includes all third-party users that have access to the organization's data or systems.
The organization must remove users entirely, or remove privileges from them, as soon as they are no longer needed, e.g. when an employee leaves or changes role.
The organization verifies the identity of each user and binds that identity to the user's record (name, role, work location, required access). The identity must also be confirmed (the user authenticated) before each interaction with the systems.
Identity verification must be performed according to documented and approved procedures.