Valid until: 2025-04-10
Classification: Low
3.0 | Edward Robinson | Additions/changes as part of the annual review. Updated broken link for Asset Overview. Updated Research Support responsibilities under 9.1.1. Updated all ST and AAD terms to RST and Entra ID, respectively. Added the use of Google Workspace accounts for business processes. |
In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to maintaining, and continually improving, in a demonstrable way, an information security management system in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe the access control policy of anDREa and the associated controls, checks and administrations.
This document will be reviewed at least annually and when significant change happens.
The objectives of this control are:
To limit access to information and information processing facilities (A.9.1).
To ensure authorised user access and to prevent unauthorised access to systems and services (A.9.2).
To make users accountable for safeguarding their authentication information (A.9.3).
To prevent unauthorised access to systems and applications (A.9.4).
The scope of this document corresponds to Clause 4 (Context of the organisation).
This document is:
    required reading for all employees and contractors of anDREa;
    available to all interested parties as appropriate.
“Users shall only be provided with access to the network and network services that they have been specifically authorised to use.”
When granting access to information, the ‘least-privileged’ principle applies. This means that access is only granted if an employee needs it to perform his/her job. As few rights as possible are granted, and those rights are granted for as short a period of time as possible.
Where possible, Role Based Access Control (RBAC) is applied.
Registration:
anDREa maintains a complete overview of all infrastructure assets to which employees may need to be granted access. This is registered in anDREa People - Asset Overview.
anDREa has designated an Asset Responsible for each asset. The Asset Responsible is responsible for adequate maintenance and management of that asset. This is registered in anDREa People - Asset Overview.
For each asset there is an overview of the different types of permissions (roles) that can be assigned to users. This is registered in anDREa People - Asset Overview.
Responsibilities:
For access to anDREa assets:
Access is issued by the Asset Responsible based on the least-privileged principle. A list of applications and assets that anDREa has in use is registered in anDREa People - Asset Overview.
For support on the myDRE environment:
The support team of anDREa creates guest user accounts in the Microsoft Entra ID for mandated Research Support Team (RST) members of the customers. RST member responsibilities can be found here: (Core) Support Team profile.
RST members are required to read, understand and sign the RST agreement and to complete the RST training and quiz to demonstrate the relevant knowledge. The Security Officer ensures that these components are completed before requesting access to the Entra ID. anDREa is responsible for training the RST members before access to the Entra ID and administrator access to Zohodesk is granted. anDREa B.V. is not involved in the creation of Workspaces, the submission of user account requests or the invitation of users to Workspaces.
The RST member(s) of the customers are assigned a Privileged Identity Management (PIM) role for a specific part of the Entra ID where they can edit myDRE accounts, delete myDRE accounts and reset passwords. PIM activations are reviewed monthly and discussed during ISMB meetings.
“A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services.”
New anDREa employees and contractors, and Tenant-appointed Research Support Team members are onboarded and offboarded via anDREa’s ticketing system in the ‘On- and offboarding’ department. These tickets start an automatic workflow that assigns tasks to Asset Responsibles to follow up.
Tasks include but are not limited to granting and revoking access to assets and accounts.
myDRE end users:
Access to myDRE workspaces is provided by the Workspace Accountable. This is usually a Principal Investigator, department head or project leader. Assigning a Workspace Accountable upon Workspace creation is the responsibility of the relevant RST member.
Users can request workspace creation and the assignment of an Accountable via support.mydre.org, followed by the selection of their organisation and filling in the appropriate ticket form.
The Workspace Accountable and other invited Workspace users are automatically assigned RBAC to the resources related to their own Workspace.
anDREa does not provide access to Workspaces unless specifically requested by an authorised person.
Access is issued by the Asset Responsible (administrator of the specific asset) based on the least-privileged principle. A list of environments that anDREa uses is registered in anDREa People - Asset Overview. This overview also shows the permissions assigned to each person.
Users with privileged access rights in the anDREa Entra ID are trained before gaining the privileged access rights. The completion of the training is recorded in the associated Zoho tickets.
The Research Support team of anDREa creates guest user accounts in the Entra ID for mandated Research Support Team (RST) members of the customers. RST member responsibilities can be found here: (Core) Support Team profile.
RST members are required to read, understand and sign the RST agreement and to complete the RST training and quiz. anDREa B.V. is responsible for training the RST members before access to the Entra ID and anDREa’s ticketing system is granted. anDREa B.V. is not involved in the creation of workspaces, the submission of user account requests or the invitation of users to Workspaces.
Working in the Entra ID requires the activation of the appropriate role assignment in Azure Privileged Identity Management (PIM).
PIM activations are reviewed monthly and discussed in the monthly Information Security Management Board (ISMB) meetings when deviations are observed.
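The monthly PIM activation review described above, as an added example that is not part of this policy or of anDREa's own tooling: it takes a constructed export of activation events and flags the deviations an ISMB would want to discuss (activations by principals not on the mandated RST roster, activations of a role other than the RST-scoped one, and activations without a justification). The role name, account names and record layout are assumptions.

```python
"""Monthly review of PIM activations for the RST-scoped role (added example).

Assumptions (not taken from the policy): the audit export is a list of dicts
with 'principal', 'role', 'activated_at' (ISO 8601, UTC) and 'justification'
keys; the role name 'myDRE-RST-Admin' and all account names are constructed.
"""
from collections import Counter

# Constructed sample export of one month of PIM activation events.
SAMPLE_ACTIVATIONS = [
    {"principal": "rst1@customer-a.example", "role": "myDRE-RST-Admin",
     "activated_at": "2025-03-03T09:12:00Z", "justification": "Password reset, ticket 101"},
    {"principal": "rst1@customer-a.example", "role": "myDRE-RST-Admin",
     "activated_at": "2025-03-18T14:05:00Z", "justification": "Delete leaver account"},
    {"principal": "former.rst@customer-b.example", "role": "myDRE-RST-Admin",
     "activated_at": "2025-03-20T22:41:00Z", "justification": ""},
    {"principal": "rst2@customer-b.example", "role": "Global Administrator",
     "activated_at": "2025-03-25T10:30:00Z", "justification": "Account edit"},
]

# Mandated RST members according to the on/offboarding tickets (constructed roster)
# and the only role RST members are expected to activate (constructed name).
AUTHORIZED_RST = {"rst1@customer-a.example", "rst2@customer-b.example"}
EXPECTED_ROLES = {"myDRE-RST-Admin"}


def review_pim_activations(activations, authorized, expected_roles):
    """Return (activation count per principal, list of deviations to raise at the ISMB)."""
    counts = Counter()
    deviations = []
    for ev in activations:
        counts[ev["principal"]] += 1
        reasons = []
        if ev["principal"] not in authorized:
            reasons.append("principal not on mandated RST roster")
        if ev["role"] not in expected_roles:
            reasons.append(f"unexpected role {ev['role']!r}")
        if not ev["justification"].strip():
            reasons.append("missing justification")
        if reasons:
            deviations.append({"principal": ev["principal"], "role": ev["role"],
                               "activated_at": ev["activated_at"], "reasons": reasons})
    return counts, deviations


if __name__ == "__main__":
    counts, deviations = review_pim_activations(SAMPLE_ACTIVATIONS, AUTHORIZED_RST, EXPECTED_ROLES)
    for principal, n in counts.most_common():
        print(f"{principal}: {n} activation(s)")
    for d in deviations:
        print(f"DEVIATION {d['activated_at']} {d['principal']} {d['role']}: {'; '.join(d['reasons'])}")
```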
myDRE end users:
myDRE users only have access to the workspaces of which they are a member.
Workspace access and the use of the associated resources are controlled via RBAC.
“The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.”
In case of offboarding and associated revoking of permissions, an offboarding workflow is initiated via a Zoho ticket in the ‘On- and offboarding’ department, which assigns tasks to the appropriate Asset Responsible.
“Password management systems shall be interactive and shall ensure quality passwords.”
Employees of anDREa are issued an @mydre.org account (with the relevant Microsoft 365 licences) for myDRE platform-related processes and have to set up their own password in compliance with the Password policy. MFA is enforced for all accounts. Access to assets is role-based and is granted by the relevant Asset Responsible. The use of a password manager is advised, either a free version or a licensed version issued by anDREa.
Users of the myDRE platform are only issued an @mydre.org username (without Microsoft 365 licences) and a temporary password. Upon first login, the password has to be changed to one that is compliant with the Password policy. Users may change their password if they know their current password. Users are not allowed to perform a password reset themselves; password resets need to be requested via a ticket on support.mydre.org. The newly generated password is communicated to the user separately from the username and application URL. User password resets require PIM role activation by RST members or the anDREa support team.
anDREa People - Asset Overview (authorised personnel only):
Overview of assets used at anDREa.
Overview of access per asset.
Role/permissions overview.
Relevant tickets:
Logging of performed access review(s) (authorised personnel only).
PIM reviews (authorised personnel only).
Effectiveness criteria (authorised personnel only).
List of privileged utility programs (authorised personnel only).