The organisation understands, documents and manages access to systems and functions supporting the delivery of essential services. Users (or automated functions) that can access data or services are appropriately verified, authenticated and authorised.
It is important that the organisation is clear about who (or what in the case of automated functions) has authorisation to interact with the network and information system of an essential service in any way or access associated sensitive data. Rights granted should be carefully controlled, especially where those rights provide an ability to materially affect the delivery of the essential service. Rights granted should be periodically reviewed and technically removed when no longer required such as when an individual changes role or perhaps leaves the organisation.
Users, devices and systems should be appropriately verified, authenticated and authorised before access to data or services is granted. Verification of a user’s identity (they are who they say they are) is a prerequisite for issuing credentials, authentication and access management. For highly privileged access it might be appropriate to include approaches such as two-factor or hardware authentication.
Unauthorised individuals should be prevented from accessing data or services at all points within the system. This includes system users without the appropriate permissions, unauthorised individuals attempting to interact with any online service presentation or individuals with unauthorised access to user devices (for example if a user device were lost or stolen).
Identity and access management
The Introduction to identity and access management sets out security fundamentals that operators should consider in designing and managing identity and access management systems. Identity and access control should be robust enough that essential services are not disrupted byunauthorised access.
In addition to technical security, operators should protect physical access to networks and information systems supporting the essential service, to prevent unauthorised access, tampering or data deletion. Some operators may already have physical security measures in place to comply with other regulatory frameworks. See CPNI guidance for further information.
BS ISO/IEC 27002:2013 section 9
BS IEC 62443-2-1:2011
NIST Identity and Access Management publications, e.g. SP 800-63 suite “Digital Identity Guidelines”