Krav vedrørende adgang til oplysningerne via internettet. Access control and authentication K.1 An access control system applicable to all users accessing the IT system should be implemented. The system should allow creating, approving, reviewing and deleting user accounts. Access control and authentication K.2 The use of common user accounts should be avoided. In cases where this is necessary, it should be ensured that all users of the common account have the same roles and responsibilities. Access control and authentication K.3 An authentication mechanism should be in place, allowing access to the IT system (based on the access control policy and system). As a minimum a username/password combination should be used. Passwords should re- spect a certain (configurable) level of complexity. Access control and authentication K.4 The access control system should have the ability to detect and not allow the usage of passwords that don’t respect a certain (configurable) complexi- ty Access control and authentication K.5 A specific password policy should be defined and documented. The policy should include at least password length, complexity, validity period, as well as number of acceptable unsuccessful login attempts. Access control and authentication K.6 User passwords must be stored in a “hashed” form.
Krav vedrørende adgang til oplysningerne via internettet. Databehandler sikrer, at: Webapplikationen kan afvikles fra en til enhver tid sikker browsertyper. For tiden: Edge Firefox Chrome Safari Browserapplikationen er supporteret Anvendelse af browser-plugins begrænses mest muligt Der ikke anvendes Flash Der anvendes en sikker DNS-tjeneste eller tilsvarende anden løsning til beskyttelse mod skadelige websider. DNS-tjenesten indenfor 24 timer kan reetableres ud fra backup.