Minimum security controls for data protection

The following technical measures need to be implemented across government institutions in order to comply with the Law Nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy:

a) Role-Based Access Control (RBAC) [Mandatory] - RBAC should be used as the method of restricting system access to authorized users based on their role within the organization. With RBAC, an institution can grant specific access privileges to employees based on their job responsibilities.
b) Multi-Factor Authentication (MFA) [Recommended] - MFA is a method of authentication that requires users to provide two or more authentication factors to access a system. This provides an additional layer of security beyond a simple password.
c) Password Policies [Mandatory] - Password policies can help ensure that employees create strong, unique passwords and change them regularly. This can help prevent unauthorized access to systems and personal data.
d) Network Segmentation [Recommended] - Network segmentation is the practice of dividing a network into smaller sub-networks, which can be secured separately. This can help prevent unauthorized access to personal data and limit the potential impact of a security breach.
e) Access Logs and Monitoring [Mandatory] - Institutions should maintain logs of system access and monitor these logs for any suspicious activity. This can help identify and respond to potential security incidents in a timely manner.
f) Privileged Access Management (PAM) [Recommended] - PAM is a set of technologies and practices that help control and monitor access to systems and data by privileged users. This can help ensure that privileged users, such as system administrators, do not abuse their access privileges or compromise personal data.