Content library
Access control and authentication
Reviewing password practices on password protected systems

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
Creating and maintaining an access control policy
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
5
requirements

Examples of other requirements this task affects

40: Käyttövaltuuspolitiikka ja prosessi
Digiturvan kokonaiskuvapalvelu
2.6.1: Create guidelines for access control
NSM ICT-SP
2.6.2: Establish a formal process for administration of accounts, access rights and privileges
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Creating and maintaining an access control policy
1. Task description

To ensure authorized access and prevent unauthorized access to data and other related resources, the organization has defined and implemented clear rules for physical and logical access control.

Rules are implemented and enforced through several different tasks, but are also combined into an access control policy for clear communication and review.

All accounts, access rights and privileges should be traceable to the role responsible for them and the person who approved them.

Regular reviewing of data system access rights
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
30
requirements

Examples of other requirements this task affects

5. Principles relating to processing of personal data
GDPR
24. Responsibility of the controller
GDPR
32. Security of processing
GDPR
9.2.5: Review of user access rights
ISO 27001
16 §: Tietojärjestelmien käyttöoikeuksien hallinta
TiHL
See all related requirements and other information from tasks own page.
Go to >
Regular reviewing of data system access rights
1. Task description

Data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.

When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.

Use and evaluation of password management system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
18
requirements

Examples of other requirements this task affects

9.3: User responsibilities
ISO 27001
9.3.1: Use of secret authentication information
ISO 27001
9.4.3: Password management system
ISO 27001
SEC-07: Password policy
Cyber Essentials
5.17: Authentication information
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Use and evaluation of password management system
1. Task description

The password management system allows the user in a registration situation to decide how complex a password is to be set this time and to remember it on behalf of the user.

When using the password management system, e.g. the following principles:

  • the system will force the use of unique passwords in the future
  • the system warns the user to change old recurring passwords
  • the system forces you to choose passwords that are complex enough, of high quality
  • the system forces the user to change the temporary password the first time they log on
  • the system forces you to change the password that may have been compromised in the data leak
  • the system prevents the same passwords from being reused
  • the system keeps password files separate from other data and strongly encrypted
Defining and documenting accepted authentication methods
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
36
requirements

Examples of other requirements this task affects

9.1.1: Access control policy
ISO 27001
9.2.4: Management of secret authentication information of users
ISO 27001
9.4.2: Secure log-on procedures
ISO 27001
I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Katakri
6.6.2: Käyttövaltuushallinta ja tunnistautuminen järjestelmiin
Omavalvontasuunnitelma
See all related requirements and other information from tasks own page.
Go to >
Defining and documenting accepted authentication methods
1. Task description

The organization has predefined authentication methods that employees should prefer when using data systems.

When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) can help close a large number of access rights at once when the main user account that acts as the authentication method is closed.

Use of multi-factor authentication for important data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
30
requirements

Examples of other requirements this task affects

9.1.1: Access control policy
ISO 27001
9.4.2: Secure log-on procedures
ISO 27001
I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Katakri
PR.AC-7: User, device, and other asset authentication
NIST
SEC-05: Remote access user authentication
Cyber Essentials
See all related requirements and other information from tasks own page.
Go to >
Use of multi-factor authentication for important data systems
1. Task description

Systems containing important information should be logged in using a multi-authentication logon, also known as either “two-factor”, “multi-factor” or “dual factor” authentication.

For example, when first logging in with a password, a one-time authentication code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and owning the phone).

Biometric identifiers (eg fingerprint) and other devices can also be used for two-stage authentication. However, it is worth considering the costs and implications for privacy.

Management of identification and access methods
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

4.1.1: Management of access methods
TISAX
See all related requirements and other information from tasks own page.
Go to >
Management of identification and access methods
1. Task description

The ogranisation must have defined requirements and procedure for handling of identification means over their entire lifecycle. Following have to be considered:

  • Creation, handover, return and desctruction
  • Validity periods
  • Tracebility
  • Handling of loss

The Identification means should be able to be produced only under controlled conditions.

If the access related to assets with high protection needs the validity of identification means should be limited to the needed time period and the plans to block or invalidate identification means in case off loss should be implemented and prepared.

Tietojenkäsittely-ympäristön toimijoiden tunnistaminen (TL III, ST III-II)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

TEK-08.5: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen - TL III
Julkri
I-07: MONITASOINEN SUOJAAMINEN – TIETOJENKÄSITTELY-YMPÄRISTÖN TOIMIJOIDEN TUNNISTAMINEN FYYSISESTI SUOJATUN TURVALLISUUSALUEEN SISÄLLÄ
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Tietojenkäsittely-ympäristön toimijoiden tunnistaminen (TL III, ST III-II)
1. Task description

Tietojenkäsittely-ympäristöjen toimijoiden tunnistamiselta edellytetään seuraavia lisätoimia:

  • Käytössä on vahva, vähintään kahteen tekijään perustuvaa käyttäjätunnistus
  • Päätelaitteet tunnistetaan teknisesti (laitetunnistus, 802.1X, tai vastaava menettely) ennen pääsyn sallimista verkkoon tai palveluun, ellei verkkoon kytkeytymistä ole fyysisen turvallisuuden menetelmin rajattu suppeaksi (esim. palvelimen sijoittaminen lukittuun laitekaappiin turva-alueen sisällä).

Tietyissä tilanteissa sähköisiä tunnistusmenelmiä voidaan korvata fyysisen turvallisuuden toimilla (esim. pääsy järjestelmään vain tiukasti rajatulta ja fyysisesti suojatulta alueelta, kuten lukittu laitekaappi, jota valvotaan vahvalla tunnistamisella). Nojattaessa fyysisen turvallisuuden menettelyihin, tulee myös fyysisen turvallisuuden menettelyjen täyttää jäljitettävyydelle asetetut vaatimukset erityisesti lokitietojen ja vastaavien tallenteiden säilytysaikojen suhteen. Tällöin varsinainen järjestelmään tunnistautuminen voi olla esim. käyttäjätunnus-salasana -pari.

Tietojärjestelmien tärkeimpien ylläpitotehtävien valvonta ja eriyttäminen (TL III)
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

TEK-07.5: Pääsyoikeuksien hallinnointi - TL III
Julkri
See all related requirements and other information from tasks own page.
Go to >
Tietojärjestelmien tärkeimpien ylläpitotehtävien valvonta ja eriyttäminen (TL III)
1. Task description

Tietojärjestelmien kriittisimpiä ylläpitotehtäviä valvotaan riittävällä tarkkuudella.

Tarvittava tarkkuus valvonnassa ja tehtävien eriyttämisessä riippuu merkittävästi kyseessä olevan tietojärjestelmän käyttötapauksista. Useimmissa järjestelmissä riittävä eriyttäminen on toteutettavissa järjestelmän ylläpitoroolien ja lokien valvontaan osallistuvien roolien erottelulla toisistaan. Yleinen valvontamekanismi on myös vaatia kahden tai useamman henkilön hyväksyntä järjestelmän kriittisille ylläpitotoimille.

Käyttäjätunnusten lukittuminen toistuvista epäonnistuneista tunnistuksista
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

TEK-08.2: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Julkri
TEK-08.3: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Julkri
See all related requirements and other information from tasks own page.
Go to >
Käyttäjätunnusten lukittuminen toistuvista epäonnistuneista tunnistuksista
1. Task description

Käyttäjien käyttäjätunnukset lukittuvat tilanteissa, joissa tunnistus epäonnistuu liian monta kertaa peräkkäin.

Tietojärjestelmien turvallisuusluokiteltujen tietojen erittely
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

TEK-07.2: Pääsyoikeuksien hallinnointi - pääsyoikeuksien rajaaminen
Julkri
See all related requirements and other information from tasks own page.
Go to >
Tietojärjestelmien turvallisuusluokiteltujen tietojen erittely
1. Task description

Limiting access rights in accordance with the principle of least rights can reduce both intentional and unintentional actions, as well as the risks caused by, for example, malware.

Security-classified information in information systems is separated according to the principle of least rights by means of user rights and system handling rules or by other similar procedures.

Separation can be carried out:

  • separation at the logical level (e.g. servers virtualization and restricted network disk folders)
  • with reliable logical separation (e.g. approved encrypted virtual machines on customer-specifically reserved physical disks of the disk system, and approved encryption of data or communication on shared network devices)
  • with physical separation (physical disks reserved per data owner devices) (also suitable for higher security categories)
Hallintayhteyksien rajaaminen turvallisuusluokittain
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

TEK-04.5: Hallintayhteydet - yhteyksien rajaaminen turvallisuusluokittain
Julkri
I-04: TIETOJENKÄSITTELY-YMPÄRISTÖJEN SUOJATTU YHTEENLIITTÄMINEN – HALLINTAYHTEYDET
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Hallintayhteyksien rajaaminen turvallisuusluokittain
1. Task description

Hallintayhteydet on rajattu turvallisuusluokittain, ellei käytössä ole turvallisuusluokka huomioon ottaen riittävän turvallista yhdyskäytäväratkaisua.

Henkilökohtaiset tunnukset hallintayhteyksien käytössä
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

TEK-04.4: Hallintayhteydet - henkilökohtaiset tunnukset
Julkri
See all related requirements and other information from tasks own page.
Go to >
Henkilökohtaiset tunnukset hallintayhteyksien käytössä
1. Task description

Järjestelmien ja sovellusten ylläpitotunnuksien on oltava henkilökohtaisia. Mikäli henkilökohtaisten tunnusten käyttäminen ei kaikissa järjestelmissä tai sovelluksissa ole teknisesti mahdollista, edellytetään sovitut, dokumentoidut ja käyttäjän yksilöinnin mahdollistavat hallintakäytännöt yhteiskäyttöisille tunnuksille.

Hallintayhteyksien rajaaminen
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

TEK-04.3: Hallintayhteydet - vähimmät oikeudet
Julkri
I-04: TIETOJENKÄSITTELY-YMPÄRISTÖJEN SUOJATTU YHTEENLIITTÄMINEN – HALLINTAYHTEYDET
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Hallintayhteyksien rajaaminen
1. Task description

Hallintayhteydet on rajattu vähimpien oikeuksien periaatteen mukaisesti.

Hallintayhteyksien vahva tunnistaminen julkisessa verkossa
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

TEK-04.1: Hallintayhteydet - vahva tunnistaminen julkisessa verkossa
Julkri
See all related requirements and other information from tasks own page.
Go to >
Hallintayhteyksien vahva tunnistaminen julkisessa verkossa
1. Task description

Hallintapääsyn julkisesta verkosta tai muun käytettävän etähallintaratkaisun tulee edellyttää vahvaa, vähintään kahteen todennustekijään pohjautuvaa käyttäjätunnistusta.

Hallintayhteyksien suojaus on eräs kriittisimmistä tietojärjestelmien turvallisuuteen vaikuttavista tekijöistä. Tietojärjestelmiä, jotka eivät sisällä kriittisiä tietoja, voi kuitenkin olla perusteltua pystyä hallinnoimaan myös fyysisesti suojattujen turvallisuusalueiden ulkopuolelta. Tällöin etähallinta on tarpeen suojata etäkäyttöä kattavammilla turvatoimilla.

Authentication of identities and binding to user data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
9
requirements

Examples of other requirements this task affects

PR.AC-6: Proof of identity
NIST
ACCESS-1: Establish Identities and Manage Authentication
C2M2
4.1.3: Management of users in data systems
TISAX
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions.
CyberFundamentals
PR.AC-7: Identities are proofed, bound to credentials and asserted in interactions.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Authentication of identities and binding to user data
1. Task description

The organization verifies the identity of users and associates them with user information. These should also be confirmed before any interaction.

Identity verification must be performed according to pre-written and approved rules.

Access rights are managed by the principle of the least privilege
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
8
requirements

Examples of other requirements this task affects

PR.AC-4: Access permissions and authorizations
NIST
I-06: VÄHIMPIEN OIKEUKSIEN PERIAATE – PÄÄSYOIKEUKSIEN HALLINNOINTI
Katakri 2020
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
CyberFundamentals
2.6.1: Create guidelines for access control
NSM ICT-SP
2.6.4: Minimise privileges for end users and special users
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Access rights are managed by the principle of the least privilege
1. Task description

Access to the organisation's systems is granted and managed according to principle of least privilege. No further access will be granted to the user when necessary.

The permissions will be checked and the need will also be reduced if the user has the rights user needed to perform the tasks but no longer needs them.


Limitation of privileged of utility programs in relation to offered cloud services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

9.4.4: Use of privileged utility programs
ISO 27017
See all related requirements and other information from tasks own page.
Go to >
Limitation of privileged of utility programs in relation to offered cloud services
1. Task description

When offering cloud services, the organisation should specify the requirements needed for use of utility programs in relation to the cloud service it provides.

Organisation should make sure that the use of utility programs that can bypass normal operating or security procedures is limited to authorized personnel. The use and usefulness of these utility programs should be reviewed regularly.

Limitation of privileged utility programs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

9.4.4: Use of privileged utility programs
ISO 27001
8.18: Use of privileged utility programs
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Limitation of privileged utility programs
1. Task description

Privileged utility programs are applications that require system or administrative privilege to do their jobs. Different kinds of utilities can include system utilities (e.g. malware protection), storage utilities (e.g. backup), file management utilities (e.g. encryption) or others (e.g. patching).

If use of privileged utility programs is permitted, the organisation should identify all privileged utility programs, also ones that are used in its cloud computing environment.

Organisation should ensure utility programs don’t interfere with controls of data systems hosted in any way (on-premises or cloud).

Features and instructions for access management in offered cloud services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

PR.AC-1: Identity and credential management
NIST
9.2.2: User access provisioning
ISO 27017
See all related requirements and other information from tasks own page.
Go to >
Features and instructions for access management in offered cloud services
1. Task description

When offering cloud services, the organisation should provide the technical implementation to enable the customer to manage the users access rights to their account.

The organisation should also provide instructions and specifications for the use of the user management (e.g. help articles, FAQs), e.g. related to available authentication methods, single sign-on capabilities and different admin actions.

Features and instructions for user registration and de-registration in offered cloud services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
6
requirements

Examples of other requirements this task affects

PR.AC-1: Identity and credential management
NIST
PR.AC-6: Proof of identity
NIST
9.2.1: User registration and de-registration
ISO 27017
9.2: User access management
ISO 27018
9.2.1: User registration and de-registration
ISO 27018
See all related requirements and other information from tasks own page.
Go to >
Features and instructions for user registration and de-registration in offered cloud services
1. Task description

When offering cloud services, the organisation should provide the technical implementation to enable the customer to manage the user registration and deregistration to the service. 

The organisation should also provide instructions and specifications for the creation / deletion of users (e.g. help articles, FAQs), e.g. related to different user levels, user invitation process and different admin actions.

Secure management of de-activated or expired user IDs
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
5
requirements

Examples of other requirements this task affects

A.11.10: User ID management
ISO 27018
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
CyberFundamentals
2.6.2: Establish a formal process for administration of accounts, access rights and privileges
NSM ICT-SP
2.6.3: Use a centralised tool to manage accounts, access rights and privileges
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Secure management of de-activated or expired user IDs
1. Task description

De-activated or expired user IDs should never be re-used for other users.

This is relevant as a general administration principle for self-developed cloud services and all other utilized data systems, where other maintenance may be provided by a partner organization, but access / user ID management by the organization itself.

Total record of authorized users for offered cloud services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

A.11.9: Records of authorized users
ISO 27018
See all related requirements and other information from tasks own page.
Go to >
Total record of authorized users for offered cloud services
1. Task description

The organization should maintain an up-to-date record of users who have authorized access to offered cloud services.

There should be a profile for each user that contains a set of data necessary (e.g user ID and other authentication information) to implement technical controls for providing authorized access.

Descriptions of different access rights management processes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
10
requirements

Examples of other requirements this task affects

ACCESS-1: Establish Identities and Manage Authentication
C2M2
I-06: VÄHIMPIEN OIKEUKSIEN PERIAATE – PÄÄSYOIKEUKSIEN HALLINNOINTI
Katakri 2020
4.5: Käyttöoikeuksien hallinta
TiHL tietoturvavaatimukset
4.2.1: Access Management
TISAX
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Descriptions of different access rights management processes
1. Task description

The organisation must manage all of it’s users and their privileges. This includes all third party users, which have access into the organisations data or systems.

The organisation must remove users entirely or remove privileges from them when they are no longer needed e.g when employee role changes.

Reviewing password practices on password protected systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
6
requirements

Examples of other requirements this task affects

SEC-06: Reviewing password practices on password protected systems
Cyber Essentials
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
CyberFundamentals
2.6.3: Use a centralised tool to manage accounts, access rights and privileges
NSM ICT-SP
2.6.7: Use multifactor authentication
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Reviewing password practices on password protected systems
1. Task description

To protect from e.g brute force attacks the organisation must use at least one of the following practices:

  • Account is locked after 10 failed login attempts
  • Limit for login attempts in 5 minutes is 10

In addition the following password practices should be in place:

  • Minimum length of a password should be at least 8
  • Passwords don’t have maximum length
  • Password is changed when it’s integrity is suspected or known to be compromised
Changing default passwords
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
3
requirements

Examples of other requirements this task affects

SEC-02: Changing default passwords
Cyber Essentials
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
CyberFundamentals
2.3.7: Change all standard passwords on ICT products before deployment
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Changing default passwords
1. Task description

The organisation must change the default passwords on all of its devices (e.g. computers, network devices). The changed passwords must be hard to guess.

Minimizing and monitoring log data access
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Minimizing and monitoring log data access
1. Task description

The organization has to limit log access to authorized personnel only. Logs must log when they have been viewed and those logs have to be kept so, that log views can be identified.

Using unique user names
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
10
requirements

Examples of other requirements this task affects

PR.AC-6: Proof of identity
NIST
UAC-02: User authentication
Cyber Essentials
A.11.8: Unique use of user IDs
ISO 27018
TEK-04.4: Hallintayhteydet - henkilökohtaiset tunnukset
Julkri
TEK-08.1: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Julkri
See all related requirements and other information from tasks own page.
Go to >
Using unique user names
1. Task description

The organization must use unique usernames in order to associate users and assign responsibility for them.

Shared usernames are not allowed and users are not allowed to access information systems until a unique username is provided.

Approval process that includes the customer for high-risk administrator rights
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Approval process that includes the customer for high-risk administrator rights
1. Task description

The organization must have policies and procedures in place that allow the customer to participate, if possible, in the process of approving high-risk administrator rights.

Roolipohjaisista käyttöoikeuksista poikkeamien käsittely
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

6.6.2: Käyttövaltuushallinta ja tunnistautuminen järjestelmiin
Omavalvontasuunnitelma
6.7: Käyttövaltuuksien hallinnan ja tunnistautumisen käytännöt
Tietoturvasuunnitelma
See all related requirements and other information from tasks own page.
Go to >
Roolipohjaisista käyttöoikeuksista poikkeamien käsittely
1. Task description

Poikkeamat roolikohtaisista oikeuksista tulee asianmukaisesti hyväksyä ja dokumentoida.

Instructions for reporting changes affecting access rights
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
12
requirements

Examples of other requirements this task affects

9.2.6: Removal or adjustment of access rights
ISO 27001
I06: Pääsyoikeuksien hallinnointi
Katakri
PR.AC-1: Identity and credential management
NIST
TEK-07.3: Pääsyoikeuksien hallinnointi - pääsyoikeuksien ajantasaisuus
Julkri
5.18: Access rights
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Instructions for reporting changes affecting access rights
1. Task description

Supervisors have been instructed to notify the owners of data systems in advance of significant changes in the employment relationships of subordinates, such as promotions, discounts, termination of employment or other changes in the job role.

Based on the notification, a person's access rights can be updated either from the centralized management system or from individual data systems.

Rules and formal management process for admin rights
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
20
requirements

Examples of other requirements this task affects

9.2.3: Management of privileged access rights
ISO 27001
TEK-04.4: Hallintayhteydet - henkilökohtaiset tunnukset
Julkri
8.2: Privileged access rights
ISO 27001
CC6.1b: Logical access control for protected information assets
SOC 2
CC6.3: Management of access to data based on roles and responsibilities
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Rules and formal management process for admin rights
1. Task description

Admin rights are managed through a formal process aimed at limiting the allocation of admin rights and controlling their use.

Regarding admin rights:

  • expiration requirements are defined
  • admin rights are granted only to usernames not used for normal everyday use
  • normal day-to-day use may not be performed with an admin account
Defining and documenting access roles
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
45
requirements

Examples of other requirements this task affects

5. Principles relating to processing of personal data
GDPR
25. Data protection by design and by default
GDPR
9.1: Business requirements of access control
ISO 27001
9.1.1: Access control policy
ISO 27001
9.1.2: Access to networks and network services
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Defining and documenting access roles
1. Task description

The organization implements role-based access control with predefined access roles for the various protected assets that entitle access to the associated asset. Strictness of the access roles should reflect the security risks associated with the asset.

The following should be considered to support access management:

  • how much information each user needs access to
  • how widely the user should be able to edit data (read, write, delete, print, execute)
  • whether other applications have access to the data
  • whether the data can be segregated within the property so that sensitive data is less exposed
Enabling multi-factor authentication for all users
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
17
requirements

Examples of other requirements this task affects

9.3: User responsibilities
ISO 27001
9.3.1: Use of secret authentication information
ISO 27001
PR.AC-7: User, device, and other asset authentication
NIST
UAC-04: Two factor authentication
Cyber Essentials
44: Monivaiheinen tunnistus etäkäytössä
Digiturvan kokonaiskuvapalvelu
See all related requirements and other information from tasks own page.
Go to >
Enabling multi-factor authentication for all users
1. Task description

Multi-factor authentication (MFA) helps protect devices and data. To apply it, users must have more information in the identity management system than just an email address - for example, a phone number or an attached authenticator application (e.g. Microsoft, Google, or LastPass Authenticator).

Use of dedicated admin accounts in critical data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
18
requirements

Examples of other requirements this task affects

9.2.3: Management of privileged access rights
ISO 27001
UAC-05: Administrative account usage
Cyber Essentials
TEK-07.2: Pääsyoikeuksien hallinnointi - pääsyoikeuksien rajaaminen
Julkri
8.2: Privileged access rights
ISO 27001
CC6.3: Management of access to data based on roles and responsibilities
SOC 2
See all related requirements and other information from tasks own page.
Go to >
Use of dedicated admin accounts in critical data systems
1. Task description

Especially in the main identity management systems (e.g. Microsoft 365, Google), administrator accounts have very significant rights. These accounts are often the target of scammers and attacks because of their value. For this reason, it is useful to dedicate administrator accounts to administrative use only, and to not use these accounts for everyday use or, for example, when registering with other online services.

Using multi-factor authentication for admins
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
19
requirements

Examples of other requirements this task affects

9.1.1: Access control policy
ISO 27001
9.2.3: Management of privileged access rights
ISO 27001
PR.AC-7: User, device, and other asset authentication
NIST
UAC-04: Two factor authentication
Cyber Essentials
TEK-04.1: Hallintayhteydet - vahva tunnistaminen julkisessa verkossa
Julkri
See all related requirements and other information from tasks own page.
Go to >
Using multi-factor authentication for admins
1. Task description

Multi-factor authentication (MFA) is required for administrators in the organization's key data systems.

For example, when first logging in with a password, a one-time identification code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and ownership of the phone).

Biometric identifiers (e.g. fingerprints) and other devices can also be used for multi-stage authentication. However, it is worth considering the costs and implications for privacy.

Avoiding and documenting shared user accounts
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
12
requirements

Examples of other requirements this task affects

32. Security of processing
GDPR
9.2.4: Management of secret authentication information of users
ISO 27001
I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Katakri
TEK-08: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Julkri
5.16: Identity management
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Avoiding and documenting shared user accounts
1. Task description

Shared accounts should only be allowed if they are necessary for business or operational reasons and should be separately approved and documented.

If shared accounts are used for admin purposes, passwords must be changed as soon as possible after any user with admin rights leaves their job.

Managing shared user credential through password management system
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
5
requirements

Examples of other requirements this task affects

9.2.4: Management of secret authentication information of users
ISO 27001
9.4.3: Password management system
ISO 27001
5.17: Authentication information
ISO 27001
2.6.1: Create guidelines for access control
NSM ICT-SP
2.6.5: Minimise privileges for management accounts
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Managing shared user credential through password management system
1. Task description

One way to manage the risks associated with shared usernames is to manage the shared password and its users directly through a password management system.

In this case, it is possible to act in such a way that, for example, only an individual person actually knows the password and the persons who use it.

Analyzing authentication processes of critical systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
16
requirements

Examples of other requirements this task affects

9.4.2: Secure log-on procedures
ISO 27001
PR.AC-7: User, device, and other asset authentication
NIST
SEC-05: Remote access user authentication
Cyber Essentials
9.4: System and application access control
ISO 27017
9.4.2: Secure log-on procedures
ISO 27017
See all related requirements and other information from tasks own page.
Go to >
Analyzing authentication processes of critical systems
1. Task description

The system or application login procedure should be designed to minimize the potential for unauthorized access.

The login process should therefore disclose as little information about the system or application as possible so as not to unnecessarily assist an unauthorized user. Criteria for a good login procedure include e.g.:

  • logging in does not reveal the associated application until the connection is established
  • the login does not display help or error messages that would assist an unauthorized user
  • logging in will only validate the data once all the data has been entered
  • login is prevented from using fatigue attacks
  • login logs failed and successful login attempts
  • suspicious login attempts are reported to the user
  • passwords are not sent as plain text online
  • the session does not continue forever after logging in
Need to know -principle in access management
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
18
requirements

Examples of other requirements this task affects

9.1.1: Access control policy
ISO 27001
I06: Pääsyoikeuksien hallinnointi
Katakri
PR.AC-4: Access permissions and authorizations
NIST
HAL-02.1: Tehtävät ja vastuut - tehtävien eriyttäminen
Julkri
HAL-14: Käyttö- ja käsittelyoikeudet
Julkri
See all related requirements and other information from tasks own page.
Go to >
Need to know -principle in access management
1. Task description

The need-to-know principle grants access only to information that an individual needs to perform his or her task. Different tasks and roles have different information needs and thus different access profiles.

Separation of tasks means that conflicting tasks and responsibilities must be separated in order to reduce the risk of unauthorized or unintentional modification or misuse of the organisation's protected assets.

Certificate based authentication for system-to-system communication
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Certificate based authentication for system-to-system communication
1. Task description

The automatic communication between systems should be secured with digital certificates. Digital certificates are used to identify the connecting device before granting access to the system. Secure key policy must also be taken into account here.

Document the identity life cycle management processes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Document the identity life cycle management processes
1. Task description

Document the identity life cycle management processes. Documentation should include the following things:

  • The process of creating an identity
  • How identities are maintained
  • The process of deactivating an identity


Use a centralised tool to check password quality
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

2.6.3: Use a centralised tool to manage accounts, access rights and privileges
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Use a centralised tool to check password quality
1. Task description

Use a centralized tool to check password quality against the organisation’s security requirements. As a minimum, it should be avoided using common words and names in employees' native language and English as well as years and seasons.

Reusing identities across systems, sub-systems and applications
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

2.6.1: Create guidelines for access control
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Reusing identities across systems, sub-systems and applications
1. Task description

Reuse identities whenever one can across systems, sub-systems and applications. Ideally this would be done with single sign-on.

Using trust-based access control
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

2.2.6: Control access to services based on knowledge of users and devices
NSM ICT-SP
2.5.2: Restrict access to internal services from external locations
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Using trust-based access control
1. Task description

Control access to services based on knowledge of users and devices.

One example is if a user logs in via an unmanaged device (the organisation trusts the user but does not control the device) and gains access to fewer services than if the user logs in via an organisation-managed device (the organisation knows both the user and the device).

Using trust-based access control
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Using trust-based access control
1. Task description

Control access to services based on knowledge of users and devices.

One example is if a user logs in via an unmanaged device (the organisation trusts the user but does not control the device) and gains access to fewer services than if the user logs in via an organisation-managed device (the organisation knows both the user and the device).

Document the identity life cycle management processes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

2.6.2: Establish a formal process for administration of accounts, access rights and privileges
NSM ICT-SP
2.6.3: Use a centralised tool to manage accounts, access rights and privileges
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Document the identity life cycle management processes
1. Task description

Document the identity life cycle management processes. Documentation should include the following things:

  • The process of creating an identity
  • How identities are maintained
  • The process of deactivating an identity


Protecting credentials and Identity Assertions
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Protecting credentials and Identity Assertions
1. Task description

The organization defines and implements protections for login data and identity assertions such as:

  • Protecting login data and identity assertions, including authentication and user information, during transmission by using strong encryption methods such as TLS.
  • Identity assertions and login data at rest are secured with cryptographic methods to protect data stored in databases or authentication systems.
  • Using digital signatures and validating them to ensure the integrity and authenticity of login and identity assertions across all environments, especially in Single Sign-On (SSO) and federated systems.
  • Following standards-based approaches such as SAML, OAuth and OpenID Connect for generating, protecting, and verifying identity assertions in all organizational contexts and environments.
Zero trust architecture in authentication
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Zero trust architecture in authentication
1. Task description

Organization implements and maintains zero trust in authentication across its systems and hardware. At least these controls should be considered in authentication:

  • Implement periodic reauthentication for users, services, and hardware based on risk levels and activity patterns
  • Use contextual factors such as user roles, device health, location, and access behavior to determine the frequency and requirements for reauthentication.
  • Each hardware's, service's and user's integrity, identity and authenticity should be confirmed, access denied by default and access granted based on the least privileges
  • Integrate multi-factor authentication (MFA) as a mandatory step in authentication and reauthentication processes
Disabling default accounts
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Disabling default accounts
1. Task description

Enhance security by disabling default accounts on enterprise systems or making them unusable. This practice involves either completely disabling these accounts or changing default credentials and permissions to prevent unauthorized access, reducing the risk of exploitation by attackers who may target known default settings

Enforcing an automatic device lockout on portable end-user devices
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Enforcing an automatic device lockout on portable end-user devices
1. Task description

To enforce automatic device lockout on portable end-user devices after a predetermined number of failed authentication attempts, the organization adopts several strategies. For laptops, the strategy involves reviewing password practices to implement a limit of 20 failed attempts before lockout. For tablets and smartphones, security policies are set to lock devices after 10 failed attempts. The implementation is supported by mobile device management (MDM) solutions, which enforce these security policies across devices.

Process for establishing and maintaining an inventory of accounts
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Process for establishing and maintaining an inventory of accounts
1. Task description

To establish and maintain an inventory of accounts within the enterprise, the organization implements several key practices. This includes maintaining a centralized record of access rights, which covers user, administrator, and service accounts to ensure a comprehensive inventory. The inventory is detailed with information such as the individual's name, username, start and stop dates, and department, adapted from documentation practices for data sets.

Using unique passwords
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Using unique passwords
1. Task description

A password management system ensures that each account has a unique password. For accounts using Multi-Factor Authentication (MFA), the policy sets a minimum password length of 8 characters. In contrast, accounts not protected by MFA are required to use complex passwords with a minimum of 14 characters to enhance security. These guidelines are part of a broader strategy to maintain password uniqueness and complexity, tailored according to the presence or absence of MFA.

Requiring MFA for remote network access
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Requiring MFA for remote network access
1. Task description

MFA is used for administrative access from public networks or through remote management solutions, ensuring strong authentication that uses at least two factors.

MFA is required for accessing important data systems, employing examples like combining a password with a one-time authentication code sent via text message. These measures ensure that remote network access is secured by verifying user identity with multiple factors, thereby enhancing security for sensitive systems and data.

Centralizing access control
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Centralizing access control
1. Task description

By defining and documenting accepted authentication methods like Google or Microsoft 365 accounts, the organization uses centralized authentication accounts to efficiently manage a large number of access rights. A centralized record of users’ access rights to data systems and services is maintained, which facilitates the management and auditing of these rights.

Unified access management ensures that closing a central authentication account simultaneously revokes multiple access rights, streamlining the process of access termination when employees leave the organization or change roles.

Using of DNS filtering services
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Using of DNS filtering services
1. Task description

By utilizing DNS filtering, the organization can detect and block access to potentially dangerous sites, thereby protecting users from known threats.

DNS filtering is network segmentation and filtering practice, which ensure that only safe and approved DNS queries are permitted.

Deploying and maintaining anti-malware protections of email server
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Deploying and maintaining anti-malware protections of email server
1. Task description

Email and download scanning protocols are established to ensure that malware detection software thoroughly scans all email attachments and downloaded files.

Anti-malware software is configured for automatic file scanning whenever files are downloaded, opened, or accessed from network storage, ensuring immediate scanning of email attachments upon receipt.

Using behavior-based anti-malware software
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Using behavior-based anti-malware software
1. Task description

Anti-malware software is configured to perform automatic file scans when files are downloaded, opened, or accessed from network storage, with an adaptation to include behavior detection capabilities to identify suspicious activities.

Deploying malware protection systems from multiple vendors allows the organization to enhance its detection capabilities by leveraging diverse behavior-based detection tools.

Enforcing MFA for external applications
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Enforcing MFA for external applications
1. Task description

The organization has strengthened security by enforcing multi-factor authentication (MFA) for all external applications, integrating it with a central directory or SSO, ensuring third-party compatibility, educating users on its importance, and monitoring compliance through regular reporting.

Enforcing MFA for administrative access
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Enforcing MFA for administrative access
1. Task description

The organization has bolstered security by implementing multi-factor authentication (MFA) for all administrative access accounts across both on-site and service provider-managed assets, ensuring configurations support MFA, training administrators on its use, and regularly reviewing compliance with MFA policies.

Establishing and maintaining an inventory of the enterprise’s authentication systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Establishing and maintaining an inventory of the enterprise’s authentication systems
1. Task description

The organization has established a comprehensive inventory of all authentication and authorization systems, including those on-site and with remote providers, and uses automated tools and regular reviews to ensure accurate, up-to-date tracking and management of these systems.

Secure identification of systems with admin-rights
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
3
requirements

Examples of other requirements this task affects

TEK-08: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Julkri
2.6.4: Minimise privileges for end users and special users
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Secure identification of systems with admin-rights
1. Task description

The organization must use digital certificates or other similar arrangements to achieve a strong level of authentication equivalent to multi-step authentication for system identities handling maintenance rights or sensitive information.

Käyttöoikeuspyyntöjä hyväksyvien henkilöiden ja roolien määrittely
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

6.6.2: Käyttövaltuushallinta ja tunnistautuminen järjestelmiin
Omavalvontasuunnitelma
6.7: Käyttövaltuuksien hallinnan ja tunnistautumisen käytännöt
Tietoturvasuunnitelma
See all related requirements and other information from tasks own page.
Go to >
Käyttöoikeuspyyntöjä hyväksyvien henkilöiden ja roolien määrittely
1. Task description

Organisaatio on määritellyt roolit, joissa toimivat henkilöt voivat hyväksyä käyttöoikeuspyyntöjä. Organisaatio on lisäksi määritellyt, kuinka dokumentoidaan muut henkilöt, jotka voivat hyväksyä käyttöoikeuspyyntöjä.

Centralized record of user's access rights to data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
11
requirements

Examples of other requirements this task affects

9.2.2: User access provisioning
ISO 27001
HAL-14.1: Käyttö- ja käsittelyoikeudet - ajantasainen luettelo - TL III
Julkri
21.2.i (access): Access control
NIS2
9.7 §: Pääsynhallinta, todentaminen ja MFA
Kyberturvallisuuslaki
2.6.3: Use a centralised tool to manage accounts, access rights and privileges
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Centralized record of user's access rights to data systems
1. Task description

The organization maintains a centralized record of the access rights granted to each user ID to data systems and services. This recording is used to review access rights at times of employment change or in the onboarding process of new colleagues joining the same role.

Implementing formal access control processes
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
16
requirements

Examples of other requirements this task affects

9.1.1: Access control policy
ISO 27001
5.15: Access control
ISO 27001
21.2.i (access): Access control
NIS2
6.7: Käyttövaltuuksien hallinnan ja tunnistautumisen käytännöt
Tietoturvasuunnitelma
4.1.2: Security of authentication
TISAX
See all related requirements and other information from tasks own page.
Go to >
Implementing formal access control processes
1. Task description

To ensure that authorized users have access to data systems and to prevent unauthorized access, the organization has defined formal processes for:

  • User registration and deletion
  • Allocation of access rights
  • Reassessment of access rights
  • Deleting or changing access rights

The implementation of these things must always take place through a defined, formal process.

Preventing outdated authentication methods
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
1
requirements

Examples of other requirements this task affects

2.3.7: Change all standard passwords on ICT products before deployment
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Preventing outdated authentication methods
1. Task description

By blocking the use of outdated authentication methods, we can make it more difficult for attackers to gain unauthorized access. For example, in a Microsoft 365 environment, Office applications in the 2013 model support outdated authentication methods by default (for example, Microsoft Online Sign-in Assistant), but you can prevent this by creating a policy that prevents these outdated authentication methods.

Credentials are not transmitted via email
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
3
requirements

Examples of other requirements this task affects

9.2.4: Management of secret authentication information of users
ISO 27001
5.17: Authentication information
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Credentials are not transmitted via email
1. Task description

Credentials should be securely transmitted to users. delivery of a password or through unprotected external party (plaintext) e-mail message should be avoided.

Separate approval process for high confidentiality access
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
2
requirements

Examples of other requirements this task affects

4.2.1: Access Management
TISAX
See all related requirements and other information from tasks own page.
Go to >
Separate approval process for high confidentiality access
1. Task description

The granting of access rights in the organisation related to high confidentiality access can only be approved by the internal owner of the related high confidentiality information.

Universal cyber compliance language model: Comply with confidence and least effort

In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.

Security frameworks tend to share the common core. All frameworks cover basic topics like risk management, backup, malware, personnel awareness or access management in their respective sections.
Cyberday’s universal cyber security language technology creates you a single security plan and ensures you implement the common parts of frameworks just once. You focus on implementing your plan, we automate the compliance part - for current and upcoming frameworks.
Start your free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.