Assign a unique identity to each staff member or staff of the third-party service provider accessing information and ICT assets. Implement a lifecycle management process for identities, covering creation, change, recertification, temporary deactivation, and termination of user accounts. Utilize automated solutions where applicable.

Define access rights based on need-to-know, need-to-use, and least privilege principles, including provisions for remote and emergency access. Enforce segregation of duties to prevent unjustified access or combinations that could circumvent controls. Ensure user accountability by limiting generic and shared user accounts, enabling user identification for all ICT system actions. Implement controls and tools to restrict unauthorized access.

Establish procedures for granting, changing, and revoking access rights, specifying roles and responsibilities. Define retention periods for access logs. Assign privileged, emergency, and administrator access on a need-to-use or ad-hoc basis, with automated solutions for privilege access management. Withdraw access rights promptly upon termination of employment or when no longer required. Conduct periodic reviews of access rights, ensuring at least annual reviews for non-critical ICT systems and semi-annual reviews for critical systems.