Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Defining and documenting accepted authentication methods

Critical
High
Normal
Low

The organization has predefined authentication methods that employees should prefer when using data systems.

When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) can help close a large number of access rights at once when the main user account that acts as the authentication method is closed.

Connected other frameworks and requirements:
I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
9.1.1: Access control policy
ISO 27001
9.2.4: Management of secret authentication information of users
ISO 27001
9.4.2: Secure log-on procedures
ISO 27001
PR.AC-7: User, devide and other asset authentication
NIST CSF

Avoiding and documenting shared user accounts

Critical
High
Normal
Low

Shared accounts should only be allowed if they are necessary for business or operational reasons and should be separately approved and documented.

If shared accounts are used for admin purposes, passwords must be changed as soon as possible after any user with admin rights leaves their job.

Connected other frameworks and requirements:
I07: Tietojenkäsittely-ympäristön toimijoiden tunnistaminen
32. Security of processing
GDPR
9.2.4: Management of secret authentication information of users
ISO 27001
5.16: Identity management
ISO 27001
4.1 (MIL1): Establish Identities and Manage Authentication
C2M2

Managing shared user credential through password management system

Critical
High
Normal
Low

One way to manage the risks associated with shared usernames is to manage the shared password and its users directly through a password management system.

In this case, it is possible to act in such a way that, for example, only an individual person actually knows the password and the persons who use it.

Connected other frameworks and requirements:
9.4.3: Password management system
ISO 27001
9.2.4: Management of secret authentication information of users
ISO 27001
5.17: Authentication information
ISO 27001

Credentials are not transmitted via email

Critical
High
Normal
Low

Credentials should be securely transmitted to users. delivery of a password or through unprotected external party (plaintext) e-mail message should be avoided.

Connected other frameworks and requirements:
9.2.4: Management of secret authentication information of users
ISO 27001
5.17: Authentication information
ISO 27001

Secure setting and distribution of temporary login information

Critical
High
Normal
Low

Temporary credentials should be unique and should not be quessable, for example, by inferring from user data.

Connected other frameworks and requirements:
9.2.4: Management of secret authentication information of users
ISO 27001
5.17: Authentication information
ISO 27001
No items found.