The organization shall perform a documented risk assessment on organization's critical system transactions and authenticate users, devices, and other assets (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).
Guidance
Consider a security-by-design approach for new systems; For existing systems a separate risk assessment
should be used.
The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.
In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.
The organization has predefined authentication methods that employees should prefer when using data systems.
When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) can help close a large number of access rights at once when the main user account that acts as the authentication method is closed.
Systems containing important information should be logged in using a multi-authentication logon, also known as either “two-factor”, “multi-factor” or “dual factor” authentication.
For example, when first logging in with a password, a one-time authentication code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and owning the phone).
Biometric identifiers (eg fingerprint) and other devices can also be used for two-stage authentication. However, it is worth considering the costs and implications for privacy.
The organization verifies the identity of users and associates them with user information. These should also be confirmed before any interaction.
Identity verification must be performed according to pre-written and approved rules.
Multi-factor authentication (MFA) helps protect devices and data. To apply it, users must have more information in the identity management system than just an email address - for example, a phone number or an attached authenticator application (e.g. Microsoft, Google, or LastPass Authenticator).
The system or application login procedure should be designed to minimize the potential for unauthorized access.
The login process should therefore disclose as little information about the system or application as possible so as not to unnecessarily assist an unauthorized user. Criteria for a good login procedure include e.g.:
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
