
Expert Advice Community

User Account Responsibilities

Guest
Guest user Created:   May 20, 2020 Last commented:   May 26, 2020

I have a query in the “IT Security Policy” document.

3.6. User Account Responsibilities

The user must not, directly or indirectly, allow another person to use his/her access rights, i.e. username, and must not use another person’s username and/or password. The use of group usernames is forbidden.

Query: As per clause ‘A.9.3.1’, individual users shall have secret authentication information. We are a manufacturing firm and use shared assets.

1. How do we comply with this clause?

2. Is it necessary to have this clause written in the policy?


Expert
Rhand Leal May 20, 2020

1. How do we comply with this clause?

The first option is to implement individual IDs for each employee who uses each asset; this way each employee will have a unique username and password.

For assets where this option is not possible, e.g., because the asset does not support user-ID management, you should document the situation as an exception, based on business or operational needs, identifying who has authorization for these specific shared accesses, and consider the implementation of a compensating control, like video monitoring, so you can have visual evidence of who is accessing the assets at specific times.

The individual IDs and exception handling are part of control A.9.2.1 (User registration and de-registration), and the use of video monitoring is one way to implement control A.12.4.1 (Event logging).

2. Is it necessary to have this clause written in the policy?

For control A.9.3.1 Use of secret authentication information, ISO 27001 only requires evidence of its application, i.e., that employees are aware of the required practices, which can be done through records of attendance at training sessions about this issue or the signing of acceptance of the IT Security Policy by the employee.

These articles will provide you with a further explanation about awareness:

This material will also help you regarding awareness:

Guest
Lee Guggilla May 26, 2020

@Rhand Leal, thanks for the clarification; just being more specific.

Our teams share computers within departments in managing their everyday tasks. In this case the team shares credentials between members of the team and not with other team members. However, all the shared assets (including computers) are monitored under video surveillance.

Is it still the case that the use of (shared) computers can be listed under exclusions?

Expert
Rhand Leal May 26, 2020

This case still must be listed as an exception, even if the credentials are not shared with other team members, because the control requires unique credentials for each employee who accesses the device (in this case a computer).
