T5.5.2 - P1 - USER IDENTIFICATION AND AUTHENTICATION
This control should be applied for all types of users (including technical support personnel, operators, network administrators, system programmers, and database administrators). User IDs should be used to trace activities to the responsible individual. Regular user activities should not be performed from privileged accounts.
In exceptional circumstances, where there is a clear business benefit, a shared user ID for a group of users or a specific job may be used. Management approval should be documented for such cases. Additional controls may be required to maintain accountability.
Generic IDs for use by an individual should only be allowed either where the functions accessible or the actions carried out by the ID do not need to be traced (e.g. read-only access), or where other controls are in place (e.g. the password for a generic ID is issued to only one staff member at a time, and each such issue is logged).
Where strong authentication and identity verification are required, authentication methods other than passwords, such as cryptographic means, smart cards, tokens or biometrics, should be used.