RTS ICT Risk Management T. II Ch. II Art. 20(2)

1. Overview


2. The identity management policies and procedures referred to in paragraph 1 shall contain all of the following:

  • (a) without prejudice to Article 21, first paragraph, point (c), a unique identity corresponding to a unique user account shall be assigned to each staff member of the financial entity or staff of the ICT third-party service providers accessing the information assets and ICT assets of the financial entity;
    • For the purposes of point (a), financial entities shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law.
  • (b) a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts.
    • For the purposes of point (b), financial entities shall, where feasible and appropriate, deploy automated solutions for the lifecycle identity management process.

2. Identified Requirements


3. Related Standards

Source: NOREA Authentication Methods
Requirement: Use authentication methods commensurate with the classification and risk profile of ICT assets. Implement strong authentication methods, particularly for remote access, privileged access, and access to critical ICT assets.

Source: NOREA Identity Management
Requirement: Assign a unique identity to each staff member or staff of the third-party service provider accessing information and ICT assets. Implement a lifecycle management process for identities, covering creation, change, recertification, temporary deactivation, and termination of user accounts. Utilize automated solutions where applicable.

Source: NOREA Privileged Access Management
Requirement: Define access rights based on need-to-know, need-to-use, and least privilege principles, including provisions for remote and emergency access. Enforce segregation of duties to prevent unjustified access or combinations of rights that could circumvent controls. Ensure user accountability by limiting generic and shared user accounts and enabling user identification for all actions on ICT systems. Implement controls and tools to restrict unauthorized access.

Source: NOREA Account Management
Requirement: Establish procedures for granting, changing, and revoking access rights, specifying roles and responsibilities. Define retention periods for access logs. Assign privileged, emergency, and administrator access on a need-to-use or ad-hoc basis, using automated solutions for privileged access management. Withdraw access rights promptly upon termination of employment or when no longer required. Conduct periodic reviews of access rights, at least annually for non-critical ICT systems and at least semi-annually for critical ICT systems.
