Personnel guidelines for safe data system and authentication info usage

Critical
High
Normal
Low

The organization should have defined guidelines for the generally acceptable use of data systems and for the management of the necessary credentials.

In addition, the owners of data systems classified as 'High' or 'Critical' priority can define, document, and implement more specific guidelines for the use of that particular data system. These guidelines can describe e.g. security requirements related to the data contained in the system.

Connected other frameworks and requirements:
32. Security of processing
GDPR
29. Processing under the authority of the controller or processor
GDPR
8.1.3: Acceptable use of assets
ISO 27001
12.1.1: Documented operating procedures
ISO 27001
9.1.1: Access control policy
ISO 27001

Defining and documenting accepted authentication methods

Critical
High
Normal
Low

The organization has predefined authentication methods that employees should prefer when using data systems.

When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) can help close a large number of access rights at once when the main user account that acts as the authentication method is closed.

Connected other frameworks and requirements:
I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
9.1.1: Access control policy
ISO 27001
9.2.4: Management of secret authentication information of users
ISO 27001
9.4.2: Secure log-on procedures
ISO 27001
PR.AC-7: User, devide and other asset authentication
NIST CSF

Use of multi-factor authentication for important data systems

Critical
High
Normal
Low

Systems containing important information should be logged in using a multi-authentication logon, also known as either “two-factor”, “multi-factor” or “dual factor” authentication.

For example, when first logging in with a password, a one-time authentication code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and owning the phone).

Biometric identifiers (eg fingerprint) and other devices can also be used for two-stage authentication. However, it is worth considering the costs and implications for privacy.

Connected other frameworks and requirements:
I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
9.4.2: Secure log-on procedures
ISO 27001
9.1.1: Access control policy
ISO 27001
PR.AC-7: User, devide and other asset authentication
NIST CSF
8.5: Secure authentication
ISO 27001

Defining and documenting access roles

Critical
High
Normal
Low

The organization implements role-based access control with predefined access roles for the various protected assets that entitle access to the associated asset. Strictness of the access roles should reflect the security risks associated with the asset.

The following should be considered to support access management:

  • how much information each user needs access to
  • how widely the user should be able to edit data (read, write, delete, print, execute)
  • whether other applications have access to the data
  • whether the data can be segregated within the property so that sensitive data is less exposed
Connected other frameworks and requirements:
I06: Pääsyoikeuksien hallinnointi
25. Data protection by design and by default
GDPR
5. Principles relating to processing of personal data
GDPR
9.1.1: Access control policy
ISO 27001
9.2.2: User access provisioning
ISO 27001

Using multi-factor authentication for admins

Critical
High
Normal
Low

Multi-factor authentication (MFA) is required for administrators in the organization's key data systems.

For example, when first logging in with a password, a one-time identification code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and ownership of the phone).

Biometric identifiers (e.g. fingerprints) and other devices can also be used for multi-stage authentication. However, it is worth considering the costs and implications for privacy.

Connected other frameworks and requirements:
9.1.1: Access control policy
ISO 27001
9.2.3: Management of privileged access rights
ISO 27001
PR.AC-7: User, devide and other asset authentication
NIST CSF
8.2: Privileged access rights
ISO 27001

Need to know -principle in access management

Critical
High
Normal
Low

The need-to-know principle grants access only to information that an individual needs to perform his or her task. Different tasks and roles have different information needs and thus different access profiles.

Separation of tasks means that conflicting tasks and responsibilities must be separated in order to reduce the risk of unauthorized or unintentional modification or misuse of the organisation's protected assets.

Connected other frameworks and requirements:
I06: Pääsyoikeuksien hallinnointi
9.1.1: Access control policy
ISO 27001
PR.AC-4: Access permissions and authorizations
NIST CSF
5.15: Access control
ISO 27001

Implementing formal access control processes

Critical
High
Normal
Low

To ensure that authorized users have access to data systems and to prevent unauthorized access, the organization has defined formal processes for:

  • User registration and deletion
  • Allocation of access rights
  • Reassessment of access rights
  • Deleting or changing access rights

The implementation of these things must always take place through a defined, formal process.

Connected other frameworks and requirements:
9.1.1: Access control policy
ISO 27001
5.15: Access control
ISO 27001
No items found.