Content library
CyberFundamentals (Belgium)
PR.AC-7: Identities are proofed, bound to credentials and asserted in interactions.

How to fill the requirement

CyberFundamentals (Belgium)

PR.AC-7: Identities are proofed, bound to credentials and asserted in interactions.

Task name
Priority
Status
Theme
Policy
Other requirements
Personnel guidelines for safe data system and authentication info usage
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Data system management
requirements

Task is fulfilling also these other security requirements

32. Security of processing
GDPR
29. Processing under the authority of the controller or processor
GDPR
8.1.3: Acceptable use of assets
ISO27 Full
12.1.1: Documented operating procedures
ISO27 Full
9.1.1: Access control policy
ISO27 Full
1. Task description

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

Defining and documenting accepted authentication methods
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Katakri
9.1.1: Access control policy
ISO27 Full
9.2.4: Management of secret authentication information of users
ISO27 Full
9.4.2: Secure log-on procedures
ISO27 Full
6.6.2: Käyttövaltuushallinta ja tunnistautuminen järjestelmiin
Self-monitoring
1. Task description

The organization has predefined authentication methods that employees should prefer when using data systems.

When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) can help close a large number of access rights at once when the main user account that acts as the authentication method is closed.

Use of multi-factor authentication for important data systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Katakri
9.4.2: Secure log-on procedures
ISO27 Full
9.1.1: Access control policy
ISO27 Full
PR.AC-7: User, device, and other asset authentication
NIST
TEK-08: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
Julkri
1. Task description

Systems containing important information should be logged in using a multi-authentication logon, also known as either “two-factor”, “multi-factor” or “dual factor” authentication.

For example, when first logging in with a password, a one-time authentication code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and owning the phone).

Biometric identifiers (eg fingerprint) and other devices can also be used for two-stage authentication. However, it is worth considering the costs and implications for privacy.

Authentication of identities and binding to user data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

PR.AC-6: Proof of identity
NIST
ACCESS-1: Establish Identities and Manage Authentication
C2M2: MIL1
4.1.3: Management of users in data systems
TISAX
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions.
CyFun
PR.AC-7: Identities are proofed, bound to credentials and asserted in interactions.
CyFun
1. Task description

The organization verifies the identity of users and associates them with user information. These should also be confirmed before any interaction.

Identity verification must be performed according to pre-written and approved rules.

Enabling multi-factor authentication for all users
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

9.3.1: Use of secret authentication information
ISO27 Full
9.3: User responsibilities
ISO27 Full
UAC-04: Two factor authentication
Cyber Essentials
PR.AC-7: User, device, and other asset authentication
NIST
44: Monivaiheinen tunnistus etäkäytössä
Sec overview
1. Task description

Multi-factor authentication (MFA) helps protect devices and data. To apply it, users must have more information in the identity management system than just an email address - for example, a phone number or an attached authenticator application (e.g. Microsoft, Google, or LastPass Authenticator).

Analyzing authentication processes of critical systems
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
System management
Access control and authentication
requirements

Task is fulfilling also these other security requirements

9.4.2: Secure log-on procedures
ISO27 Full
9.4: System and application access control
ISO 27017
9.4.2: Secure log-on procedures
ISO 27017
9.4.2: Secure log-on procedures
ISO 27018
9.4.4: Use of privileged utility programs
ISO 27017
1. Task description

The system or application login procedure should be designed to minimize the potential for unauthorized access.

The login process should therefore disclose as little information about the system or application as possible so as not to unnecessarily assist an unauthorized user. Criteria for a good login procedure include e.g.:

  • logging in does not reveal the associated application until the connection is established
  • the login does not display help or error messages that would assist an unauthorized user
  • logging in will only validate the data once all the data has been entered
  • login is prevented from using fatigue attacks
  • login logs failed and successful login attempts
  • suspicious login attempts are reported to the user
  • passwords are not sent as plain text online
  • the session does not continue forever after logging in
No items found.