User Account Responsibilities
I have a query in the “IT Security Policy” document.
3.6. User Account Responsibilities
The user must not, directly or indirectly, allow another person to use his/her access rights, i.e. username, and must not use another person’s username and/or password. The use of group usernames is forbidden.
Query: As per clause ‘A.9.3.1’, individual users shall have secret authentication information. We are a manufacturing firm and use shared assets.
1. How do we comply with this clause?
2. Is it necessary to have this clause written in the policy?
1. How do we comply with this clause?
The first option is to implement individual IDs for each employee who uses each asset, this way each employee will have a unique username and password.
For assets where this option is not possible, e.g., because the asset does not support user-id management, you should document the situation as an exception, based on business or operational needs, identifying who has authorization for these specific shared accesses, and consider the implementation of a compensating control, like video monitoring, so you can have visual evidence of who is accessing the assets at specific times.
The individual IDs and exception handling are part of control A.9.2.1 (User registration and de-registration), and the use of video monitoring is one way to implement control A.12.4.1 (Event logging).
2. Is it necessary to have this clause written in the policy?
For control A.9.3.1 Use of secret authentication information, ISO 27001 only requires evidence of its application, i.e., that employees are aware of the required practices, which can be done through records of attendance at training sessions about this issue or the signing of acceptance of the IT Security Policy by the employee.
These articles will provide you with a further explanation about awareness:
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
This material will also help you regarding awareness:
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.
@Rhand Leal, thanks for the clarification, just to be more specific.
Our teams share computers within departments in managing their everyday tasks. In this case, the team shares credentials among members of the team, not with members of other teams. However, all the shared assets (including computers) are monitored under video surveillance.
Is it still the case that the use of shared computers can be listed under exclusions?
This case still must be listed as an exception, even if the credentials are not shared with other teams' members, because the control requires unique credentials for each employee who accesses the device (in this case a computer).
May 26, 2020