An identity is the virtual representation of a person or a system. It is important that the person or system can be matched securely and unambiguously.
Persons joining the company
When a person is joining the company, that person is identified by an official document stating the nationality, full name and identification number (BSN) for that person. This information is stored by the Human Resource department in a secure vault.
The Human Resource department will issue a request for creating one or more identities for this person, where each identity is only to be used by that person.
For each identity provider, a login procedure is provided to the individual on the first working day, including a single-use secret.
Persons leaving the company
When a person is leaving the company, the Human Resource department will issue a request to all identity providers to disable that person's identities, effective at the end of the working shift on the last active working day, or sooner when applicable.
Persons leaving procedure
Within 24 hours after a person has left active service, it must be impossible for this person to use company assets. The procedure to fully restrict access:
- Create a maintenance work item for DevOps with a target date matching the person's leaving date, as soon as that date is defined.
- Inform one of the DevOps Operators (Infra department) and the Data Protection Officer (DPO).
- The DevOps Operators will make sure that all accounts are disabled on the agreed time schedule.
- The maintenance work item will contain a list of all identity providers containing a user account for the person leaving, with a confirmation of disabling the account.
- The DevOps Operator will put the maintenance work item in review state.
- The requestor will verify that access for the employee has been fully restricted. When verified, the work item state will be put to “Requestor Approved”.
- The DPO will collect the company assets (laptop, office key, etc.) from the employee on the last working day. These items will be named in the work item.
- The DPO will explicitly inform the employee that the possession and use of company data and assets is strictly forbidden, that this data and these assets must be returned at the earliest opportunity, and that failing to comply will lead to legal action against the (former) employee.
- The DPO completes the maintenance work item and will put it to “Closed”.
It is forbidden for employees to share identities with other persons or systems. Sharing a personal identity will lead to an official warning.
Personal identities can always be related to a natural person and cannot be shared. A person can be authenticated by providing credentials (username & password), a security token, or a combination of both (Multi Factor Authentication). Personal identities get access to systems based on the least privilege principle.
Operator / administrator identities
For operational reasons, elevated access to systems might be needed. Operator identities can always be related to a natural person and cannot be shared. A person is authenticated by providing a combination of credentials (username & password) and a security token (Multi Factor Authentication). Elevated access should be granted for as short a period as possible, time restricted and logged, so that it can be controlled and provides an access and action trail.
System identities can be shared between instances of the same functionality. Best practice is to provide a unique identity per functionality type, with the secrets stored in a security vault.
Authentication providers, also named identity providers, should adhere to the latest industry standards. Accessing system functionality can be secured by a system-specific authentication method, but using external, certified providers is preferred.
Whenever individuals need sensitive system access, meaning access to production systems or production data, time-restricted multi-factor authentication should be standard.