Operating system access control Security Audit Checklist
Clause 11.5 ISO 17025
1. Secure log-on procedures
• Whether access to the operating system is controlled by a secure log-on procedure.
2. User Identification and authentication
• Whether a unique identifier (user ID) is provided to every user, such as operators, system administrators and all other staff, including technical staff.
• Whether a suitable authentication technique is chosen to substantiate the claimed identity of the user.
• Whether generic user accounts are supplied only under exceptional circumstances where there is a clear business benefit. Additional controls may be necessary to maintain accountability.
3. Password Management system
• Whether there is a password management system that enforces password controls such as: individual passwords for accountability, enforced password changes, passwords stored in encrypted form, passwords not displayed on screen, etc.
4. Use of system utilities
• Whether utility programs that might be capable of overriding system and application controls are restricted and tightly controlled.
5. Session time-out
• Whether inactive sessions are shut down after a defined period of inactivity.
• A limited form of time-out can be provided for some systems, which clears the screen and prevents unauthorized access but does not close down the application or network sessions.
6. Limitation of connection time
• Whether there are restrictions on connection time for high-risk applications.
• This type of setup should be considered for sensitive applications whose terminals are installed in high-risk locations.
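As an added example, not part of the original checklist, one way an auditor can turn items 3 and 5 into a repeatable check on a Linux host: parse /etc/login.defs and /etc/ssh/sshd_config and test each relevant setting against a threshold. The sample file contents, the 90-day password age and 15-minute idle limits, and the function names are assumptions made for this example.

```python
"""Audit checklist items 3 (password management) and 5 (session time-out)
against Linux configuration text. Thresholds below are assumed policy values."""

# Constructed sample files for offline use (not taken from any real host).
LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
ENCRYPT_METHOD  SHA512
"""
SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
PermitRootLogin no
ClientAliveInterval 0
"""

MAX_PASSWORD_AGE_DAYS = 90     # item 3: enforce password changes (assumed)
MAX_IDLE_SECONDS = 900         # item 5: 15-minute idle limit (assumed)
STRONG_HASHES = {"SHA512", "YESCRYPT"}  # item 3: passwords stored protected


def parse_kv(text):
    """Return {KEY: value} for 'KEY value' lines; comments and blanks ignored.
    Keys are upper-cased because sshd_config keywords are case-insensitive."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, val = (line.split(None, 1) + [""])[:2]
            out[key.upper()] = val.strip()
    return out


def audit(login_defs, sshd_config):
    """Return a list of (checklist item, setting, passed, observed value)."""
    ld, sshd = parse_kv(login_defs), parse_kv(sshd_config)
    max_days = int(ld.get("PASS_MAX_DAYS", "99999"))   # shadow default: never expire
    method = ld.get("ENCRYPT_METHOD", "DES").upper()   # legacy default if unset
    idle = int(sshd.get("CLIENTALIVEINTERVAL", "0"))   # sshd default: no keepalive
    return [
        ("3 Password management", "PASS_MAX_DAYS", max_days <= MAX_PASSWORD_AGE_DAYS, f"{max_days} days"),
        ("3 Password management", "ENCRYPT_METHOD", method in STRONG_HASHES, method),
        ("5 Session time-out", "ClientAliveInterval", 0 < idle <= MAX_IDLE_SECONDS, f"{idle} s"),
    ]


def failing_settings(findings):
    """Names of settings that did not meet the checklist threshold."""
    return [setting for _, setting, ok, _ in findings if not ok]


if __name__ == "__main__":
    for item, setting, ok, seen in audit(LOGIN_DEFS, SSHD_CONFIG):
        print(f"{'PASS' if ok else 'FAIL'}  {item}: {setting} = {seen}")
```

Run against the real files by reading them into the two arguments; the sample above fails on the never-expiring password age and the disabled SSH idle check.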
This entry was posted on Wednesday, November 25th, 2009 at 3:17 am and is filed under ISO 27001 checklist.

