
1. Overview

IAM-05 Regular Review of Access Rights

Designation   Standard
IAM-05.01B Identities and the associated access rights of internal and external personnel of the cloud service provider as well as of system components that play a role in automated authorisation processes of the cloud service provider are reviewed at least once a year and in case of significant changes to the cloud service to ensure that they still correspond to the actual area of use.

This criterion applies to identities that refer to single, multiple or non-human entities.
As an alternative to the regular reviews of access rights, time-bound access rights that automatically expire may also be issued.

If a review is caused by significant changes to the cloud service, only the identities and access rights affected by the change need to be included in the review.
IAM-05.02B The review is carried out by authorised persons from the cloud service provider's organisational units, who can assess the appropriateness of the assigned access rights based on their knowledge of the task areas of the personnel or system components.

This criterion applies to identities that refer to single, multiple or non-human entities.
As an alternative to the regular reviews of access rights, time-bound access rights that automatically expire may also be issued.
IAM-05.03B Identified deviations are dealt with in a timely manner, and no later than seven days after their detection, through appropriate modification or withdrawal of the access rights.

This criterion applies to identities that refer to single, multiple or non-human entities.
As an alternative to the regular reviews of access rights, time-bound access rights that automatically expire may also be issued.
IAM-05.04B When revoking identities, the system ensures that all production-associated system components (e.g., virtual machines, storage, access rights) are identified, reassigned, or deleted to prevent the creation of orphaned resources. Clear processes and technical controls are established to identify and handle any orphaned resources that occur despite preventive measures, ensuring their timely reassignment or secure deletion.

This criterion applies to identities that refer to single, multiple or non-human entities.
As an alternative to the regular reviews of access rights, time-bound access rights that automatically expire may also be issued.
IAM-05.05B For system components that are not production-associated, the cloud service provider designs, implements and maintains appropriate controls for the prevention of orphan resources based on a risk assessment (cf. OIS-07).

This criterion applies to identities that refer to single, multiple or non-human entities.
As an alternative to the regular reviews of access rights, time-bound access rights that automatically expire may also be issued.

The system components meant here are system components in development, test or any other non-productive environments. Orphan resources are system components that have no assigned owner.
IAM-05.01AC Privileged access rights are reviewed at least every six months, and in case of significant changes to the cloud service.

If a review is caused by significant changes to the cloud service, only the identities and access rights affected by the change need to be included in the review.
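The criteria above describe four checks that an access-review process has to make: identities overdue for review (annually, or every six months for privileged access), time-bound grants that have expired, deviations left open for more than seven days, and resources whose owner is no longer an active identity. The following is an added example, not part of this criteria page and not any provider's implementation, that runs those checks over a constructed identity inventory. The data classes, the 182-day reading of "every six months" and all sample identities, resources and dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review intervals taken from the criteria text. The 182-day value is an
# assumption for "every six months".
ANNUAL_REVIEW = timedelta(days=365)       # IAM-05.01B: all identities
PRIVILEGED_REVIEW = timedelta(days=182)   # IAM-05.01AC: privileged access
REMEDIATION_DEADLINE = timedelta(days=7)  # IAM-05.03B: deviation handling


@dataclass
class Identity:
    name: str
    privileged: bool = False
    last_review: Optional[date] = None  # None: never reviewed
    expires: Optional[date] = None      # set only for time-bound grants
    active: bool = True                 # False once the identity is revoked


@dataclass
class Resource:
    name: str
    owner: str
    production: bool


@dataclass
class Deviation:
    identity: str
    detected: date
    resolved: Optional[date] = None


def review_interval(identity: Identity) -> timedelta:
    return PRIVILEGED_REVIEW if identity.privileged else ANNUAL_REVIEW


def identities_due_for_review(identities, today):
    """Active identities whose last review is older than their interval.
    Time-bound grants are the page's alternative to periodic review, so
    they are exempt here and handled by expired_grants instead."""
    due = []
    for ident in identities:
        if not ident.active or ident.expires is not None:
            continue
        if ident.last_review is None or today - ident.last_review > review_interval(ident):
            due.append(ident.name)
    return due


def expired_grants(identities, today):
    """Time-bound grants past their expiry date that are still active."""
    return [i.name for i in identities
            if i.active and i.expires is not None and i.expires < today]


def overdue_deviations(deviations, today):
    """Open deviations older than the seven-day deadline (IAM-05.03B)."""
    return [d.identity for d in deviations
            if d.resolved is None and today - d.detected > REMEDIATION_DEADLINE]


def orphaned_resources(resources, identities):
    """Resources whose owner is not an active identity, split into
    production (IAM-05.04B) and non-production (IAM-05.05B)."""
    active = {i.name for i in identities if i.active}
    orphans = [r for r in resources if r.owner not in active]
    return ([r.name for r in orphans if r.production],
            [r.name for r in orphans if not r.production])


# Constructed sample inventory; the review date is fixed so the run is repeatable.
TODAY = date(2024, 6, 1)
IDENTITIES = [
    Identity("alice", privileged=True, last_review=date(2023, 11, 15)),  # 199 days: overdue
    Identity("bob", last_review=date(2023, 9, 1)),                        # 274 days: fine
    Identity("carol", last_review=date(2023, 4, 1)),                      # 427 days: overdue
    Identity("deploy-bot", expires=date(2024, 5, 20)),                    # time-bound, expired
    Identity("erin", expires=date(2024, 8, 1)),                           # time-bound, valid
    Identity("frank", last_review=date(2024, 1, 1), active=False),        # revoked
    Identity("grace"),                                                     # never reviewed
]
RESOURCES = [
    Resource("vm-web-01", owner="frank", production=True),    # owner revoked
    Resource("bucket-logs", owner="bob", production=True),
    Resource("vm-test-07", owner="henry", production=False),  # owner unknown
]
DEVIATIONS = [
    Deviation("alice", detected=date(2024, 5, 20)),                       # 12 days open
    Deviation("carol", detected=date(2024, 5, 28)),                       # 4 days open
    Deviation("bob", detected=date(2024, 5, 1), resolved=date(2024, 5, 3)),
]


def access_review_report(today=TODAY):
    prod_orphans, nonprod_orphans = orphaned_resources(RESOURCES, IDENTITIES)
    return {
        "review_due": identities_due_for_review(IDENTITIES, today),
        "expired_grants": expired_grants(IDENTITIES, today),
        "overdue_deviations": overdue_deviations(DEVIATIONS, today),
        "orphaned_production": prod_orphans,
        "orphaned_non_production": nonprod_orphans,
    }


if __name__ == "__main__":
    for finding, names in access_review_report().items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Running the block lists alice, carol and grace as due for review, deploy-bot as an expired grant, alice's deviation as overdue, and vm-web-01 and vm-test-07 as orphaned. Note that a revoked identity (frank) is skipped by the review check but still surfaces through the resources it owned, which is the point of IAM-05.04B: revocation is only complete once the owned resources have been reassigned or deleted.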

1.1 References

1.2 Identified Requirements

1.3 Related Regulations

2. Identified Requirements

Requirements
Source   Requirement

3. Related Regulations

Regulations
Source   Regulation