Discover the 8 Crucial Identity Security Controls for NIS2 Compliance. Learn how to take provable control of user access and secure your IT infrastructure.
The NIS2 Directive enhances EU cybersecurity by expanding its scope and enforcing stricter identity and access management (IAM) requirements. It aims to streamline reporting and create consistent rules across sectors, requiring more organizations to implement user access controls as part of their cybersecurity strategy.
NIS2 impacts a broader range of industries, classifying entities as essential or important, with clear security and incident reporting requirements that emphasize IAM.
Find the all information regarding the NIS2 Directive on the page of the Centre for Cybersecurity Belgium (CCB).
With the NIS2 directive approaching, provable control over user access is essential. Effective Identity and Access Management (IAM) helps organizations manage complex IT environments and meet compliance requirements.
How do you know if you’re in control? And how can you prove it?
These controls not only protect sensitive data but also demonstrate control over access, ensuring privacy and cybersecurity in line with NIS2 standards.
The answer to this challenge lies in establishing identity governance processes—for requesting, approving, and reviewing employees' access. These processes are critical for maintaining NIS2 compliance and operational efficiency, but they don’t necessarily ensure that you are truly in control of users and their access.
These questions are why we wrote this guide. Reporting on your identity security controls and identifying potential risks or gaps remains a significant challenge.
Based on our experience and frameworks such as ISO 27001 and NIS2, we’ve compiled a set of crucial identity security controls you should measure to ensure you’re in control—and to prove that you are.
What? Accounts that are no longer active or have no owner.
Orphaned accounts form an interesting path for hackers to gain access to organization resources, applications or systems. Organizations that fail to take the necessary steps to close these entry points leave the door on a jar for attackers, and expose themselves to unnecessary risk. By identifying and cleaning up these accounts, security risk is reduced significantly.
Moreover, tracking orphaned accounts can provide insights to improve operational efficiency. When an employee leaves the organization or when a contractor’s project has ended, their accounts must be deactivated (i.e. disabled). This should be part of the typical offboarding process. However, in practice, it happens that those accounts are incorrectly deactivated or not deactivated at all. By finding out why these accounts were not deactivated, the offboarding processes can be improved.
What? Accounts that have significantly more access rights than ordinary accounts. They exist in many forms and shapes.
Privileged accounts give significant access to organization resources and sensitive data, or can change or disable (security) systems. When not properly managed and monitored, privileged accounts pose significant security risks.
These risks could come from all sides: malicious ‘outsiders’ such as hackers, or careless or disgruntled ‘insiders’. It’s impossible to eliminate all privileged accounts. You need them. But it’s good practice to keep an eye on them and keep them to a minimum.
What? Users that have accumulated far more access rights than they need to do their job.
The cumulated access rights and permissions of all your users together determine the attack surface size of your organization. Unfortunately, there’s often a gap between the granted access rights and the required access rights. This indicates that users have too many access rights, unnecessarily enlarging the identity attack surface.
What? Identity clutter. Accounts that are not orphaned, but are just as unnecessary and make identity management less manageable.
A well-maintained IT environment is better protected against information security risks. Applying good practice to users not only helps to prevent risks, but it also contributes to operational efficiency as it leads to a more structured environment and needs considerably less effort compared to a situation where you periodically have to clean up the mess. In other words: prevention is better than the cure.
What? Role clutter. Roles that are no longer necessary and only make role management more cumbersome.
Using roles to control access can greatly increase efficiency. However, if the role model is no longer manageable because of role proliferation for example, operational efficiency declines. Moreover, people might be assigned an outdated or wrong role and thus wrong access rights.
What? Poor data quality issues based on factors such as accuracy, completeness, consistency and reliability.
Garbage in is garbage out. Simple as that. In order to get accurate results - for any of the indicators or your governance processes -, data quality is crucial. The indicators will only reflect the actual state if the identity data is accurate and complete. Basing your decisions on incorrect indicators can have negative consequences.
What? Accounts that violate SoD rules and SoD policy coverage.
Separation of duties is a crucial control for avoiding fraud by disseminating sensitive tasks and the required roles, entitlements or permissions. These combinations of permissions are often modelled as "toxic combinations". In addition to fraud, SoD is also implemented for security reasons or for sake of regulation.
What?
Specific internal policies.
To measure whether the internal policies are complied with.
This guide bundled a set of 8 crucial indicators that help you to measure whether you are in control and to prove that you are.
✅ 8 Essential Identity Security Controls
✅ Report on your users and access
✅ Based on NIS2-Framework
Elimity provides security teams with a one-time analysis of your users and their accesses with comprehensive reporting on identity risks, ensuring NIS2 and ISO 27001 certification proof, and delivered in just two weeks.
.png?width=300&height=169&name=Computer%20Screens%20(6).png)
✅ One-time analysis of your users and access
✅ Identify your top identity risks
✅ NIS2 and ISO 27001 certification proof
✅ 2-week access to all features
Inetum partners with Elimity to expand its digital identity services. Learn how Elimity takes control of users and access to comply with NIS2.
Cloud security is about knowing your critical information assets and managing access to them. Hence, access management in the cloud is paramount for...
All organisations need to protect their critical infrastructure and applications. Quite a challenge when IT assets are often outside control of IT.