AUTHENTICATION AND ACCESS CONTROL. The Supplier shall operate an access control regime to ensure all users and administrators of the ICT Environment (to the extent that the ICT Environment is within the control of the Supplier) are uniquely identified and authenticated when accessing or administering the Services. Applying the ‘principle of least privilege’, users and administrators shall be allowed access only to those parts of the ICT Environment that they require. The Supplier shall retain an audit record of accesses.
AUTHENTICATION AND ACCESS CONTROL. The Supplier shall ensure that accounts are provisioned with privileges appropriate for the user need. Administrator (or other high privilege) accounts shall only be provisioned to users who need those privileges. Administrators shall not conduct ‘normal’ day-to-day business from their high privilege account. Privileges shall be periodically reviewed and removed where no longer required. The Supplier shall ensure that users identify and authenticate to devices and Services. For passwords, the Supplier shall, with reference to CESG’s published best practice ‘Password Guidance: Simplifying Your Approach’: ensure that all passwords are changed from defaults; not allow password/account sharing; ensure that high-privilege users (i.e. administrators) use different passwords for their high-privilege and low-privilege accounts; combine passwords with some other form of strengthening authentication, such as lockouts, throttling or two-factor authentication; ensure that passwords are never stored as plain text, but are (as a minimum) hashed using a cryptographic function capable of multiple iterations and/or a variable work factor. It is advisable to add a ‘salt’ before hashing passwords. In respect of End User Devices, the Supplier shall ensure that users identify and authenticate to devices and Services. Additionally the Supplier shall ensure that only appropriately authorised devices are provided with access to Services, in compliance with EUD Security Principle 3: Authentication. The set of EUD Principles is found here. In respect of the Supplier’s cloud services, the Supplier shall ensure that users, administrators and service providers identify and authenticate to all Services, in compliance with EUD Security Principle: Secure Consumer Management, and EUD Security Principle: Identity and Access Control.
AUTHENTICATION AND ACCESS CONTROL.
• The platform must implement Multi-Factor Authentication (MFA) for all administrative accounts.
• Role-based access control (RBAC) must be used to restrict access to critical functions and data.
• The Service Provider must maintain secure session management practices, including automatic session timeouts and protection against session hijacking.
AUTHENTICATION AND ACCESS CONTROL. I will abide by the IRC access processes set in the IRC Access and Usage Procedure.
AUTHENTICATION AND ACCESS CONTROL. The Supplier shall operate an access control regime to ensure all users and administrators of the Supplier Solution are uniquely identified and authenticated when accessing or administering the Services. Applying the ‘principle of least privilege’, users and administrators shall be allowed access only to those parts of the Supplier Solution they require. The Supplier shall retain an audit record of accesses.
AUTHENTICATION AND ACCESS CONTROL. The Supplier shall operate an access control regime to ensure: all users and administrators of the Supplier System are uniquely identified and authenticated when accessing or administering the Services; and all persons who access the Sites are identified and authenticated before they are allowed access to the Sites. The Supplier shall apply the ‘principle of least privilege’ when allowing persons access to the Supplier System and Sites so that such persons are allowed access only to those parts of the Sites and the Supplier System they require. The Supplier shall retain records of access to the Sites and to the Supplier System and shall make such record available to the Authority on request.