Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Personnel guidelines for safe data system and authentication info usage

Critical
High
Normal
Low

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

Connected other frameworks and requirements:
32. Security of processing
GDPR
29. Processing under the authority of the controller or processor
GDPR
8.1.3: Acceptable use of assets
ISO 27001
12.1.1: Documented operating procedures
ISO 27001
9.1.1: Access control policy
ISO 27001

Use and evaluation of password management system

Critical
High
Normal
Low

The password management system allows the user in a registration situation to decide how complex a password is to be set this time and to remember it on behalf of the user.

When using the password management system, e.g. the following principles:

  • the system will force the use of unique passwords in the future
  • the system warns the user to change old recurring passwords
  • the system forces you to choose passwords that are complex enough, of high quality
  • the system forces the user to change the temporary password the first time they log on
  • the system forces you to change the password that may have been compromised in the data leak
  • the system prevents the same passwords from being reused
  • the system keeps password files separate from other data and strongly encrypted
Connected other frameworks and requirements:
9.3.1: Use of secret authentication information
ISO 27001
9.4.3: Password management system
ISO 27001
9.3: User responsibilities
ISO 27001
5.17: Authentication information
ISO 27001

Defining and documenting accepted authentication methods

Critical
High
Normal
Low

The organization has predefined authentication methods that employees should prefer when using data systems.

When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) can help close a large number of access rights at once when the main user account that acts as the authentication method is closed.

Connected other frameworks and requirements:
I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
9.1.1: Access control policy
ISO 27001
9.2.4: Management of secret authentication information of users
ISO 27001
9.4.2: Secure log-on procedures
ISO 27001
PR.AC-7: User, devide and other asset authentication
NIST CSF

Managing shared user credential through password management system

Critical
High
Normal
Low

One way to manage the risks associated with shared usernames is to manage the shared password and its users directly through a password management system.

In this case, it is possible to act in such a way that, for example, only an individual person actually knows the password and the persons who use it.

Connected other frameworks and requirements:
9.4.3: Password management system
ISO 27001
9.2.4: Management of secret authentication information of users
ISO 27001
5.17: Authentication information
ISO 27001

Credentials are not transmitted via email

Critical
High
Normal
Low

Credentials should be securely transmitted to users. delivery of a password or through unprotected external party (plaintext) e-mail message should be avoided.

Connected other frameworks and requirements:
9.2.4: Management of secret authentication information of users
ISO 27001
5.17: Authentication information
ISO 27001

Secure setting and distribution of temporary login information

Critical
High
Normal
Low

Temporary credentials should be unique and should not be quessable, for example, by inferring from user data.

Connected other frameworks and requirements:
9.2.4: Management of secret authentication information of users
ISO 27001
5.17: Authentication information
ISO 27001
No items found.