TISAX: Information security
4.1.2: Security of authentication

How to fill the requirement

Defining and documenting accepted authentication methods

Theme: System management / Access control and authentication

This task also fulfils other security requirements (30 in total), including:

  • I07: Identification of actors in the data processing environment (Katakri)
  • 9.1.1: Access control policy (ISO27 Full)
  • 9.2.4: Management of secret authentication information of users (ISO27 Full)
  • 9.4.2: Secure log-on procedures (ISO27 Full)
  • 6.6.2: Access rights management and authentication to systems (Self-monitoring)
1. Task description

The organization has predefined authentication methods that employees should prefer when logging in to data systems.

When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) makes it possible to revoke a large number of access rights at once: when the main account used as the authentication method is closed, access to every service that relies on it is closed with it.

Use of multi-factor authentication for important data systems

Theme: System management / Access control and authentication

This task also fulfils other security requirements (23 in total), including:

  • I07: Identification of actors in the data processing environment (Katakri)
  • 9.4.2: Secure log-on procedures (ISO27 Full)
  • 9.1.1: Access control policy (ISO27 Full)
  • PR.AC-7: User, device, and other asset authentication (NIST)
  • TEK-08: Identification of actors in the data processing environment (Julkri)
1. Task description

Log-on to systems containing important information should use multi-factor authentication, also known as "two-factor", "multi-factor" or "dual factor" authentication.

For example, after the user first logs in with a password, a one-time authentication code can also be sent to the user as a text message. The user has then been identified by two factors: knowing the password and possessing the phone.

Biometric identifiers (e.g. a fingerprint) and other devices can also be used as the second factor of a two-stage authentication. However, it is worth considering the costs and the implications for privacy.

Defining and documenting access roles

Theme: System management / Access control and authentication

This task also fulfils other security requirements (41 in total), including:

  • I06: Management of access rights (Katakri)
  • 25. Data protection by design and by default (GDPR)
  • 5. Principles relating to processing of personal data (GDPR)
  • 9.1.1: Access control policy (ISO27 Full)
  • 9.2.2: User access provisioning (ISO27 Full)
1. Task description

The organization implements role-based access control: for each protected asset, predefined access roles are created, and membership in a role entitles the user to access the associated asset. The strictness of the access roles should reflect the security risks associated with the asset.

The following should be considered to support access management:

  • how much information each user needs access to
  • how widely the user should be able to handle data (read, write, delete, print, execute)
  • whether other applications have access to the data
  • whether the data can be segregated within the asset so that sensitive data is less exposed

Using multi-factor authentication for admins

Theme: System management / Access control and authentication

This task also fulfils other security requirements (13 in total), including:

  • 9.2.3: Management of privileged access rights (ISO27 Full)
  • 9.1.1: Access control policy (ISO27 Full)
  • UAC-04: Two factor authentication (Cyber Essentials)
  • PR.AC-7: User, device, and other asset authentication (NIST)
  • TEK-04.1: Administrative connections - strong authentication over public networks (Julkri)
1. Task description

Multi-factor authentication (MFA) is required for administrators of the organization's key data systems.

For example, after the administrator first logs in with a password, a one-time identification code can also be sent to the administrator as a text message. The administrator has then been identified by two factors: knowing the password and possessing the phone.

Biometric identifiers (e.g. fingerprints) and other devices can also be used as a factor in multi-stage authentication. However, it is worth considering the costs and the implications for privacy.

Need-to-know principle in access management

Theme: System management / Access control and authentication

This task also fulfils other security requirements (17 in total), including:

  • I06: Management of access rights (Katakri)
  • 9.1.1: Access control policy (ISO27 Full)
  • PR.AC-4: Access permissions and authorizations (NIST)
  • HAL-02.1: Tasks and responsibilities - segregation of duties (Julkri)
  • HAL-14: Access and processing rights (Julkri)
1. Task description

The need-to-know principle grants access only to the information that an individual needs in order to perform his or her tasks. Different tasks and roles have different information needs and therefore different access profiles.

Segregation of duties means that conflicting tasks and responsibilities are assigned to different people, in order to reduce the risk of unauthorized or unintentional modification or misuse of the organisation's protected assets.

Implementing formal access control processes

Theme: System management / Access control and authentication

This task also fulfils other security requirements (11 in total), including:

  • 9.1.1: Access control policy (ISO27 Full)
  • 5.15: Access control (ISO27k1 Full)
  • 21.2.i (access): Access control (NIS2)
  • 6.7: Practices for access rights management and authentication (Tietoturvasuunnitelma)
  • 4.1.2: Security of authentication (TISAX)
1. Task description

To ensure that authorized users have access to data systems and that unauthorized access is prevented, the organization has defined formal processes for:

  • User registration and de-registration
  • Allocation of access rights
  • Periodic review of access rights
  • Removal or modification of access rights

Each of these activities must always be carried out through the defined formal process.