Defining and documenting accepted authentication methods

Critical
High
Normal
Low

The organization has predefined authentication methods that employees should prefer when using data systems.

When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) can help close a large number of access rights at once when the main user account that acts as the authentication method is closed.

Connected other frameworks and requirements:
I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
9.1.1: Access control policy
ISO 27001
9.2.4: Management of secret authentication information of users
ISO 27001
9.4.2: Secure log-on procedures
ISO 27001
PR.AC-7: User, devide and other asset authentication
NIST CSF

Use of multi-factor authentication for important data systems

Critical
High
Normal
Low

Systems containing important information should be logged in using a multi-authentication logon, also known as either “two-factor”, “multi-factor” or “dual factor” authentication.

For example, when first logging in with a password, a one-time authentication code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and owning the phone).

Biometric identifiers (eg fingerprint) and other devices can also be used for two-stage authentication. However, it is worth considering the costs and implications for privacy.

Connected other frameworks and requirements:
I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
9.4.2: Secure log-on procedures
ISO 27001
9.1.1: Access control policy
ISO 27001
PR.AC-7: User, devide and other asset authentication
NIST CSF
8.5: Secure authentication
ISO 27001

Encryption of user password information

Critical
High
Normal
Low

We use strong encryption during password transmission and storage in all services we develop.

Connected other frameworks and requirements:
9.4.2: Secure log-on procedures
ISO 27001
10.1.1: Policy on the use of cryptographic controls
ISO 27001
14.1.3: Protecting application services transactions
ISO 27001
14.2.5: Secure system engineering principles
ISO 27001
8.5: Secure authentication
ISO 27001

Analyzing authentication processes of critical systems

Critical
High
Normal
Low

The system or application login procedure should be designed to minimize the potential for unauthorized access.

The login process should therefore disclose as little information about the system or application as possible so as not to unnecessarily assist an unauthorized user. Criteria for a good login procedure include e.g.:

  • logging in does not reveal the associated application until the connection is established
  • the login does not display help or error messages that would assist an unauthorized user
  • logging in will only validate the data once all the data has been entered
  • login is prevented from using fatigue attacks
  • login logs failed and successful login attempts
  • suspicious login attempts are reported to the user
  • passwords are not sent as plain text online
  • the session does not continue forever after logging in
Connected other frameworks and requirements:
9.4.2: Secure log-on procedures
ISO 27001
PR.AC-7: User, devide and other asset authentication
NIST CSF
9.4: System and application access management
ISO 27017
9.4.2: Secure log-on procedures
ISO 27017
9.4.4: Use of privileged utility programs
ISO 27017
No items found.