CIMSNex User Guides

Evidence for A.5.16 Identity Management would include:

  1. Identity and User Lifecycle Management Policies: Documented policies that outline how identities are managed throughout their lifecycle, from creation to deletion, including procedures for onboarding, changes, and offboarding.

  2. User Identity Records: Records of user identities, including unique identifiers, roles, responsibilities, and associated access rights.

  3. Authentication Methods: Documentation of various authentication methods used to verify user identities, such as passwords, biometrics, smart cards, or two-factor authentication.

  4. Identity Verification Processes: Procedures detailing how new user identities are verified and authenticated before being granted access to information assets.

  5. User Provisioning and De-provisioning: Documentation of processes for provisioning access rights to new users and removing access rights promptly when users no longer require them.

  6. Role-Based Access Control: Evidence of role definitions and their associated access rights, ensuring that users' access is based on their job responsibilities.

  7. Identity Governance: Documentation of the governance structure in place to oversee identity management processes and ensure compliance with policies.

  8. Single Sign-On (SSO) Solutions: Information about SSO solutions in use, including how they are implemented and managed to enhance user convenience and security.

  9. Password Policies: Documentation of password complexity requirements, expiration intervals, and guidelines for secure password management.

  10. User Self-Service Tools: Proof of user self-service tools or portals that allow users to manage their own identities, passwords, and access settings.

  11. Audit Trails: Records of identity-related activities, such as user creations, modifications, and deletions, along with timestamps and responsible parties.

  12. Identity Federation: Evidence of systems or protocols in place to enable secure identity sharing and authentication across different systems or organizations.

  13. Privacy Considerations: Documentation of procedures and safeguards in place to protect user privacy and comply with data protection regulations.

  14. Training and Awareness: Records of training provided to users and administrators about identity management practices, including the importance of safeguarding their identities and access credentials.

  15. Compliance Audits: Documentation of audits or assessments conducted to ensure that identity management practices align with regulatory requirements and industry standards.

By reviewing these pieces of evidence, an auditor can assess whether the organization has effective identity management processes and controls in place to ensure the accurate identification and authentication of users, reducing the risk of unauthorized access and identity-related breaches.

Evidence for A.5.15 Access Control would include:

  1. Access Control Policies: Documented policies that outline the organization's approach to managing access to its information assets. These policies should cover user access, authorization, authentication, and segregation of duties.

  2. Access Control Framework: Proof of an established framework that classifies users into different access levels based on their roles and responsibilities within the organization.

  3. User Access List: Records of authorized users with their designated access levels, roles, and the specific information assets they are allowed to access.

  4. Authentication Mechanisms: Documentation of authentication methods used, such as passwords, two-factor authentication, biometrics, or other forms of identity verification.

  5. Authorization Procedures: Procedures outlining how users' access rights are assigned or modified based on their job roles, responsibilities, and changes in their employment status.

  6. Access Reviews: Evidence of regular access reviews conducted to ensure that users have appropriate access and that any unnecessary or outdated permissions are promptly revoked.

  7. Segregation of Duties: Documentation showing how the organization enforces separation of duties, ensuring that no single user has excessive access rights that could lead to fraud or misuse.

  8. Access Logging: Records of access activities, including successful and failed login attempts, changes to access permissions, and any unauthorized access attempts.

  9. Monitoring Tools: Information about tools or systems in place to monitor user access and detect unusual or suspicious activities.

  10. User Training: Documentation of training provided to users about access control policies, the importance of safeguarding access credentials, and the proper use of their access privileges.

  11. Incident Response: Documentation of procedures for responding to incidents related to unauthorized access or breaches of access controls.

  12. Third-Party Access: Evidence of controls in place for managing access granted to third-party vendors, contractors, or partners.

  13. Access Termination: Documentation of procedures for promptly revoking access when an employee's job role changes, they leave the organization, or their access rights are no longer needed.

  14. Compliance Checks: Records of audits or assessments performed to ensure that access control policies and practices are in line with regulatory requirements and best practices.

By reviewing these pieces of evidence, an auditor can assess whether the organization has effective access control measures in place to ensure that only authorized individuals have appropriate access to its information assets, reducing the risk of unauthorized disclosure, modification, or misuse.
