...
| Requirement | Implementation (M=mandatory, R=recommended) |
| --- | --- |
| Access to system functionalities and data shall be restricted to authorized users on the basis of the ‘need to know’ principle. | M |
| Authorization mechanisms in the system shall ensure that access is: | M |
| The system owner shall determine access rights associated with differentiated levels of authorization to access the system data and functionalities. | M |
| The access rights shall be determined on the basis of a risk assessment that considers at least: Information sensitivity and level of classification – the need to limit access to system data, in line with data classification, general data sensitivity and applicable regulation; and | M |
| Determined access rights shall be reviewed periodically to check that they continue to ensure the protection of sensitive non-classified information, the enforcement of process controls and the segregation of incompatible duties. | M |
| Access decisions (both positive and negative) following a user access request during a login process shall be logged in order to provide an audit trail. | M |
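The controls in the table above (need-to-know restriction, owner-defined authorization levels tied to data classification, periodic review for segregation of incompatible duties, and logging of both positive and negative access decisions) carried through as one added example. This is illustrative code written for this page, not code from the document or from any Commission system; the role names, the three-level classification scale, the users, the resource and the incompatible-role pair are constructed sample values, and the in-memory audit log stands in for a real audit sink.

```python
"""Added example (not part of the requirements document): a minimal
authorization service that applies the controls in the table above.
All users, roles, classifications and resources are constructed samples."""
import logging
from dataclasses import dataclass, field
from datetime import datetime, timezone

logger = logging.getLogger("access_audit")

# Assumed classification scale, ordered from least to most sensitive.
CLASSIFICATION_RANK = {"PUBLIC": 0, "INTERNAL": 1, "SENSITIVE": 2}

# Differentiated authorization levels as set by the system owner: each role
# carries a clearance and the set of system functions it may use (sample data).
ROLES = {
    "viewer":    {"clearance": "INTERNAL",  "functions": {"read"}},
    "analyst":   {"clearance": "SENSITIVE", "functions": {"read", "export"}},
    "approver":  {"clearance": "SENSITIVE", "functions": {"read", "approve"}},
    "submitter": {"clearance": "INTERNAL",  "functions": {"read", "submit"}},
}

# Role pairs that must not be held by one person (segregation of duties).
INCOMPATIBLE_ROLES = {frozenset({"submitter", "approver"})}


@dataclass
class Resource:
    name: str
    classification: str
    # Need-to-know: users with an established business need for this resource.
    need_to_know: set = field(default_factory=set)


@dataclass
class User:
    user_id: str
    roles: set


class AccessControl:
    def __init__(self):
        self.audit_log = []  # in-memory trail; production would forward to a SIEM

    def _record(self, user, resource, function, granted, reason):
        """Write one audit entry for every decision, positive or negative."""
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id, "resource": resource.name, "function": function,
            "decision": "GRANT" if granted else "DENY", "reason": reason,
        }
        self.audit_log.append(entry)
        logger.info("%s", entry)
        return granted

    def authorize(self, user, resource, function):
        """Decide and log; no path returns without an audit entry."""
        # 1. Need-to-know applies regardless of role or clearance.
        if user.user_id not in resource.need_to_know:
            return self._record(user, resource, function, False, "no need-to-know")
        # 2. The highest clearance among held roles must reach the classification.
        clearances = [CLASSIFICATION_RANK[ROLES[r]["clearance"]]
                      for r in user.roles if r in ROLES]
        required = CLASSIFICATION_RANK[resource.classification]
        if not clearances or max(clearances) < required:
            return self._record(user, resource, function, False, "insufficient clearance")
        # 3. At least one held role must include the requested function.
        if not any(function in ROLES[r]["functions"] for r in user.roles if r in ROLES):
            return self._record(user, resource, function, False, "function not permitted")
        return self._record(user, resource, function, True, "ok")


def review_segregation_of_duties(users):
    """Periodic review step: ids of users holding an incompatible role pair."""
    flagged = []
    for u in users:
        if any(pair <= u.roles for pair in INCOMPATIBLE_ROLES):
            flagged.append(u.user_id)
    return sorted(flagged)


def demo():
    """Run a few constructed requests and return decisions, trail and review."""
    ac = AccessControl()
    report = Resource("q3-risk-report", "SENSITIVE", need_to_know={"alice", "bob", "carol"})
    alice = User("alice", {"analyst"})
    bob = User("bob", {"viewer"})                     # INTERNAL clearance only
    carol = User("carol", {"submitter", "approver"})  # incompatible role pair
    dave = User("dave", {"analyst"})                  # cleared, but no need-to-know
    results = {
        "alice_read": ac.authorize(alice, report, "read"),
        "bob_read": ac.authorize(bob, report, "read"),
        "alice_approve": ac.authorize(alice, report, "approve"),
        "dave_read": ac.authorize(dave, report, "read"),
    }
    return results, ac.audit_log, review_segregation_of_duties([alice, bob, carol, dave])


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

The three checks are ordered so that the most restrictive control (need-to-know) is evaluated first, and the deny reason in each audit entry is what makes the periodic review of access rights tractable: denials for "insufficient clearance" point at a classification mismatch, while "function not permitted" denials point at a role that needs revisiting.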
User & system authentication

Authentication service: EU Login

Login