Objective: Access to information and IT systems is provided via validated user accounts assigned to a person. It is important to protect login information and to ensure the traceability of transactions and accesses.
Requirements (must): The creation, modification and deletion of user accounts is conducted through a defined process.
Unique and personalized user accounts are used.
The use of “collective accounts” is regulated (e.g. restricted to cases where traceability of actions is dispensable).
User accounts are disabled immediately after the user has resigned from or left the organization (e.g. upon termination of the employment contract).
User accounts are regularly reviewed.
The login information is provided to the user in a secure manner.
A policy for the handling of login information is defined and implemented. The following aspects are considered:
- No disclosure of login information to third parties
  - not even to persons of authority
  - under observation of legal parameters
- No writing down or unencrypted storing of login information
- Immediate changing of login information whenever potential compromising is suspected
- No use of identical login information for business and non-business purposes
- Changing of temporary or initial login information following the first login
- Requirements for the quality of authentication information (e.g. length of password, types of characters to be used).
The login information (e.g. passwords) of a personalized user account must be known to the assigned user only.
Requirements (should): A basic user account with minimum access rights and functionalities is existent and used.
Default accounts and passwords pre-configured by manufacturers are disabled (e.g. by blocking or changing of password).
User accounts are created or authorized by the responsible body.
Creating user accounts is subject to an approval process (four-eyes principle).
User accounts of service providers are disabled upon completion of their task.
Deadlines for disabling and deleting user accounts are defined.
The use of default passwords is technically prevented.
Where strong authentication is applied, the use of the medium (e.g. ownership factor) is secure.
User accounts are reviewed at regular intervals. This also includes user accounts in customers' IT systems.
Interactive login for service accounts (technical accounts) is technically prevented.
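The disabling, review and default-account requirements above describe checks that are typically run against an export of the account directory. The following script is an added example, not part of the original control text or of any product named on the page: it applies several of those checks (enabled accounts whose owner has left, service-provider accounts past task completion, service accounts allowed to log in interactively, enabled manufacturer default accounts, shared accounts without a documented approval, and accounts with no login within the review period) to a constructed account export. The field names, the 90-day review period and the sample accounts are assumptions chosen for the example.

```python
"""
Added example: an account-review script applying the account-management
controls listed above to a constructed account export. Field names, the
review period and the sample data are assumptions, not from the original text.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    name: str
    owner: Optional[str]            # person assigned; None for shared/service accounts
    kind: str                       # "user", "service", "shared" or "vendor-default"
    enabled: bool
    interactive_login: bool
    last_login: Optional[date]
    owner_left_on: Optional[date] = None   # from the HR feed when the person has left
    contract_end: Optional[date] = None    # service providers: date the task was completed
    approval_ref: Optional[str] = None     # ticket documenting approval of a shared account


# Assumed review policy: accounts not used for 90 days are flagged for review.
REVIEW_INACTIVITY = timedelta(days=90)
REVIEW_DATE = date(2024, 6, 1)   # constructed "today" so the example is deterministic


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for every control violation found."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        # Personal account still enabled although the assigned person has left.
        if a.kind == "user" and a.enabled and a.owner_left_on and a.owner_left_on <= today:
            findings.append((a.name, "enabled after owner left"))
        # Service-provider account still enabled after the task was completed.
        if a.kind == "user" and a.enabled and a.contract_end and a.contract_end < today:
            findings.append((a.name, "service provider account enabled after task completion"))
        # Technical accounts must not be usable for interactive login.
        if a.kind == "service" and a.interactive_login:
            findings.append((a.name, "interactive login allowed for service account"))
        # Manufacturer default accounts must be disabled (or their password changed).
        if a.kind == "vendor-default" and a.enabled:
            findings.append((a.name, "manufacturer default account enabled"))
        # Shared accounts are only acceptable with separate, documented approval.
        if a.kind == "shared" and not a.approval_ref:
            findings.append((a.name, "shared account without documented approval"))
        # Regular review: enabled user/shared accounts unused for the whole period.
        inactive = a.last_login is None or today - a.last_login > REVIEW_INACTIVITY
        if a.enabled and a.kind in ("user", "shared") and inactive:
            findings.append((a.name, "no login within review period"))
    return findings


def sample_accounts() -> List[Account]:
    """Constructed account export used by the example (not real data)."""
    return [
        Account("jdoe", "J. Doe", "user", True, True, date(2024, 5, 28)),
        Account("asmith", "A. Smith", "user", True, True, date(2024, 5, 14),
                owner_left_on=date(2024, 5, 15)),
        Account("svc-backup", None, "service", True, True, None),
        Account("admin", None, "vendor-default", True, True, None),
        Account("ops-shared", None, "shared", True, True, date(2024, 1, 10)),
        Account("contractor1", "Contractor", "user", True, True, date(2024, 4, 29),
                contract_end=date(2024, 4, 30)),
    ]


if __name__ == "__main__":
    for name, finding in review_accounts(sample_accounts(), REVIEW_DATE):
        print(f"{name}: {finding}")
```

In practice the `sample_accounts()` list would be replaced by a directory or IAM export joined with the HR leaver feed, and the findings would feed the approval and disabling workflow rather than just being printed.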
The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.
In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.
Our organization has defined procedures for coordinating, at the time of termination of employment, e.g.:
The data system owner determines the access roles to the system in relation to the tasks of users. The compliance of the actual access rights with the planned ones must be monitored and the rights reassessed at regular intervals.
When reviewing access rights, care must also be taken to minimize admin rights and eliminate unnecessary accounts.
The organization verifies the identity of users and associates them with their user information. Identity should also be confirmed before any interaction.
Identity verification must be performed according to pre-written and approved rules.
Shared accounts should only be allowed if they are necessary for business or operational reasons and should be separately approved and documented.
If shared accounts are used for admin purposes, passwords must be changed as soon as possible after any user with admin rights leaves their job.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.