Access management according to BSI

But first: Who or what is the BSI?

BSI is the abbreviation for the Federal Office for Information Security. The central IT security service provider of the federal government in German accompanies the topic of information security through prevention, detection and reaction. The specifically formulated main tasks of the BSI are to inform, advise, develop and certify.

What does access management mean according to the BSI?

A definition of access management can be found in the IT-Grundschutz Methodology of the BSI:

ORP.4 / 1.1:

Access management is about whether and how users or IT components are allowed to access and use information or services, i.e. to grant or deny them access, entry or access based on the user profile. Access management refers to the processes required to assign, revoke and control access rights.

Access management according to BSI – how to do it correctly?

The BSI specifies several requirements that must be considered in access management. Thus:

• User set-ups and deletions must be carried out by a separate administrative unit
• Access rights must be assigned according to daily needs and rights that are no longer required must be removed directly
• Access authorisations and their changes must be documented
• Documentation of assigned access rights and roles is carried out regularly to ensure that it is up to date.
• The use of passwords should be standardised and binding within the company, and the same password should not be used for different systems.
• Passwords must be resettable by means of a secure procedure.