ISO 27001 Annex: A.9.4 System and Application Access Control

This program is aimed at preventing unauthorized access to systems and applications.

A.9.4.1 Information Access Restriction

Control– Clearly defining access controls to information and application systems should be part of the access control policy.

Implementation Guidance – Access controls should be tailored to the needs of each application while complying with an agreed-upon access control policy.

The following factors should be considered when determining access restriction criteria:

1. Provide menus that control the access to the application systems’ functions;
2. Choosing which data a certain user has access to;
3. Control the rights of users, such as reading, writing, deleting, and executing;
4. Control over how access to other applications is granted;
5. Limit the information that appears in the output;
6. Controls for unauthorised access to sensitive data, applications, or systems.

A.9.4.2 Secure Log-on Procedures

Control– Following the Access Control Policy, systems and applications should be accessed through a secure log-on procedure.

Implementation Guidance– If you wish to verify a user’s claimed identity, you need to employ an effective authentication technique. In places where identity and authentication are required, cryptographic options, smart cards, or biometrics can be used instead of passwords.

Authentication procedures for systems and applications should be configured to be less risky. To avoid giving unnecessary assistance to an unauthorized person, the login process should only reveal a minimum amount of information about the system or application.

This procedure provides a secure way to log on:

1. Don’t display system or application identifications until you’ve successfully logged in;
2. Display an alert that the computer should be accessible only to approved users;
3. Do not offer support messages that could benefit an unauthorized user during the login process;
4. Only validate login information after completing all input data. The system should not indicate which part of the data is correct or simply incorrect when an error occurs;
5. Prevent brute force login attempts;
6. Note the attempts that were successful and unsuccessful;
7. Raising a security event whenever suspected log-on control violations or active infringements are detected;
8. When a successful login is completed, display the following information:
– Last successful login date and time;
– A list of any failed attempts to log in since the last successful attempt;
9. Don’t display passwords when they are entered;
10. The stoppage of inactive sessions should be implemented in high-risk locations and on mobile devices, including public or external areas that do not have access to security management within the organization.
11. Reduce the opportunity window for unauthorized access by restricting connection times for high-risk applications.

Other Information– Passwords are a simple method of identifying and authenticating a user, as they contain a secret only known to the user. The same can also be accomplished through cryptographic means and authentication protocols. Information accessed should be classified appropriately regarding the strength of authentication.

A network “sniffer” can be used to capture passwords that are sent over the network in cleartext.

A.9.4.3 Password Management System

Control– Password management systems should work cooperatively to maintain password integrity.

Implementation Guidance–

A password management system should consider the following points:

1. Require the use of user IDs and passwords for accountability;
2. Allow users to choose and update their passwords, as well as provide a way for input errors to be detected;
3. Require a quality password selection;
4. Require users to update their passwords upon logging in;
5. Maintain your password regularly and, if necessary, change it;
6. Avoid reusing passwords that you have already used;
7. Enter the passwords without displaying them on the screen;
8. Store password files independently of application data;
9. Secure storage and transmission of passwords.

Other Information– A password may be granted to system users by an independent authority. These guidelines do not apply to points 2, 4, and 5 in these circumstances. In most cases, users are responsible for selecting and maintaining their passwords.

Related Questions

1. How does ISO 27001 Annex: A.9.4 System and Application Access Control work?
2. What does A.9.4.2 Secure Log-on Procedures mean?
5. What exactly is A.9.4.3 Password Management System?
4. What are the components of A.9.4 System and Application Access Control?
5. Which control applies to ISO 27001 Annex: A.9.4 System and Application Access Control?