4.1.3
>Control Description
+ The creating, changing, and deleting of user accounts is conducted.
+ Unique and personalized user accounts are used.
+ The use of “collective accounts” is regulated (e.g. restricted to cases where traceability of actions is dispensable).
+ User accounts are disabled immediately after the user has resigned from or left the organization (e.g. upon termination of the employment contract).
+ User accounts are regularly reviewed.
+ The login information is provided to the user in a secure manner.
+ A policy for the handling of login information is defined and implemented. The following aspects are considered:
  - No disclosure of login information to third parties
    - not even to persons of authority
    - under observation of legal parameters
  - No writing down or unencrypted storing of login information
  - Immediate changing of login information whenever potential compromising is suspected
  - No use of identical login information for business and non-business purposes
  - Changing of temporary or initial login information following the 1st login
  - Requirements for the quality of authentication information (e.g. length of password, types of characters to be used)
+ The login information (e.g. passwords) of a personalized user account must be known to the assigned user only.
>Cross-Framework Mappings