Identity and Credential Management
PR.AA-01: The identities and credentials of users, services, and authorized hardware are managed by the organization.
  1. All accounts, including those with administrative privileges and those used for remote access, are recorded, approved by the internal NIS subject actors and, except for justified and documented technical reasons and in accordance with the results of the risk assessment referred to in measure ID.RA-05, are individual to each user.
  2. The credentials (e.g., username and password) associated with the accounts are strong and are updated according to the results of the risk assessment referred to in measure ID.RA-05.
  3. For at least the relevant information and network systems, accounts and their associated authorizations are periodically verified and updated or revoked in case of changes (e.g., staff transfer or termination).
  4. In compliance with the policies referred to in measure GV.PO-01, procedures relating to points 1, 2, and 3 are adopted and documented.
Authentication
PR.AA-03: Users, services, and hardware are authenticated.
  1. The authentication methods used by users to access information and network systems are commensurate with the risk. To this end, at least the following risks are assessed: a) user privileges; b) the critical nature of the information and network systems; c) the type of operations that users can perform on the information and network systems.
  2. For at least the relevant information and network systems, and in accordance with the results of the risk assessment referred to in measure ID.RA-05, multi-factor authentication methods are employed.
  3. In compliance with the policies referred to in measure GV.PO-01, procedures relating to points 1 and 2 are adopted and documented.
Access Authorizations
PR.AA-05: Permissions, rights, and access authorizations are defined in a policy, managed, enforced, reviewed, and incorporate the principles of least privilege and separation of duties.
  1. Permissions are assigned to users in accordance with the principles of least privilege and separation of duties, also taking the need to know into account.
  2. System administrators' accounts with administrative privileges are kept completely distinct from their accounts without administrative privileges, and the two must have different credentials.
  3. In compliance with the policies referred to in measure GV.PO-01, procedures relating to points 1 and 2 are adopted and documented.
Physical Access
PR.AA-06: Physical access to assets is managed, monitored, and enforced appropriately to the risk.
  1. For at least the relevant information and network systems, physical access is protected.
  2. In compliance with the policies referred to in measure GV.PO-01, procedures relating to point 1 are adopted and documented.