T5.5.1 SECURE LOGON PROCEDURES Implementation guidance
The entity shall control access to systems and applications using a secure log-on and log-off procedure.
Even though most applications already implement a secure log-on, a suitable authentication technique should still be chosen to substantiate the claimed identity of a user. Where strong authentication and identity verification are required, authentication methods alternative to passwords, such as cryptographic means, smart cards, tokens or biometric means, should be used.
The procedure for logging into a system or application should be designed to minimize the opportunity for unauthorized access. The log-on procedure should therefore disclose the minimum of information about the system or application, in order to avoid providing an unauthorized user with any unnecessary assistance. A good log-on procedure should:
- A. Not display system or application identifiers until the log-on process has been successfully completed
- B. Display a general notice warning that the computer should only be accessed by authorized users
- C. Not provide help messages during the log-on procedure that would aid an unauthorized user
- D. Validate the log-on information only on completion of all input data. If an error condition arises, the system should not indicate which part of the data is correct or incorrect
- E. Protect against brute force log-on attempts
- F. Log unsuccessful and successful attempts
- G. Raise a security event if a potential attempted or successful breach of log-on controls is detected
- H. Display the following information on completion of a successful log-on:
  1. Date and time of the previous successful log-on
  2. Details of any unsuccessful log-on attempts since the last successful log-on
- I. Not display a password being entered
- J. Not transmit passwords in clear text over a network
- K. Terminate inactive sessions after a defined period of inactivity, especially in high-risk locations such as public or external areas outside the entity’s security management, or on mobile devices
- L. Restrict connection times to provide additional security for high-risk applications and reduce the window of opportunity for unauthorized access
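As an added example that is not part of this guidance, the following Python log-on handler shows how items A and C to H of the list above fit together in one routine: the whole credential is evaluated before any response is built, every failure gets the same message, a lockout counter protects against brute force, each attempt is audited, a security event is raised on lockout, and the system identifier plus previous-logon details are revealed only after success. The account store, audit list, PBKDF2 parameters and the lockout policy values are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILURES = 5           # lockout threshold (constructed policy value)
LOCKOUT_SECONDS = 900      # lockout duration (constructed policy value)
GENERIC_ERROR = "Log-on failed"   # one message for every failure cause (D)
DUMMY_SALT = b"\x00" * 16  # unknown users are hashed too, so they cost the same as a wrong password

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0
    last_success: Optional[float] = None
    failed_since_success: list = field(default_factory=list)

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_pw(password, salt))

def log_on(accounts: dict, username: str, password: str, now: float, audit: list) -> dict:
    """Evaluate the complete credential before answering; never say which part was wrong (D)."""
    acct = accounts.get(username)
    candidate = hash_pw(password, acct.salt if acct else DUMMY_SALT)
    locked = acct is not None and now < acct.locked_until
    ok = acct is not None and not locked and hmac.compare_digest(candidate, acct.pw_hash)
    audit.append({"ts": now, "user": username, "result": "success" if ok else "failure"})  # F
    if not ok:
        if acct is not None:
            acct.failures += 1
            acct.failed_since_success.append(now)
            if acct.failures >= MAX_FAILURES:             # E: brute-force protection
                acct.locked_until = now + LOCKOUT_SECONDS
                audit.append({"ts": now, "user": username, "result": "security_event",
                              "detail": "account locked"})  # G
        return {"ok": False, "message": GENERIC_ERROR}    # no system identifier, no hint (A, C, D)
    response = {"ok": True, "system": "Payroll (constructed name)",        # A: identifier only after success
                "previous_logon": acct.last_success,                       # H.1
                "failed_attempts_since": list(acct.failed_since_success)}  # H.2
    acct.last_success, acct.failures, acct.failed_since_success = now, 0, []
    return response
```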