PR.AC-3: Remote access management
Remote access is managed
Requirement
The organisation's wireless access points shall be secured. When accessed remotely, the organisation's networks shall be secured, including through the use of multi-factor authentication (MFA).
Our Implementation
All access to organisational systems is remote by design: there are no on-premises networks or wireless access points to secure. Authentication to cloud platforms uses Google Workspace SSO with MFA enforced at the identity provider level. Services that do not support SSO use OAuth-based authentication or API keys with restricted scope.
All remote connections are secured via TLS 1.2+ (HTTPS). The architecture is cloud-native, eliminating the need for a VPN: all services are accessed over encrypted internet connections, with identity-based access controls rather than network-perimeter security.
Gaps / Planned improvements:
- SSO not yet enabled on all platforms — legacy email/password accounts pending migration (NEX-344)