S 2.65 Checking the efficiency of user separation on an IT system
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Auditor, Administrator, IT Security Officer
Evaluations of the log files or spot checks must be conducted at appropriate intervals to check whether the users of the IT systems regularly log off after completing their tasks and whether any user names are used by more than one user.
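The following is an added example, not part of the original safeguard text, of how such a log evaluation can be automated. It assumes a simple constructed log format (timestamp, user name, LOGIN/LOGOUT, workstation) and flags two findings the safeguard asks for: user names with overlapping sessions on different workstations (a sign that one user name is shared) and sessions that were never logged off.

```python
from datetime import datetime

# Constructed sample log for this example (not taken from any real system):
# date time user event workstation
SAMPLE_LOG = """\
2024-03-04 08:02:11 alice LOGIN ws-12
2024-03-04 08:05:40 shared LOGIN ws-03
2024-03-04 08:30:02 shared LOGIN ws-07
2024-03-04 11:58:19 alice LOGOUT ws-12
2024-03-04 12:10:55 shared LOGOUT ws-03
2024-03-04 13:01:27 bob LOGIN ws-12
2024-03-04 17:15:00 shared LOGOUT ws-07
"""


def parse_log(text):
    """Return a list of (timestamp, user, event, workstation) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, event, host = line.split()
        entries.append((datetime.fromisoformat(f"{date} {time}"), user, event, host))
    return entries


def find_findings(entries):
    """Evaluate the log in time order and report the two checks of S 2.65."""
    open_sessions = {}  # (user, workstation) -> login timestamp
    shared_names = set()
    for ts, user, event, host in entries:
        if event == "LOGIN":
            # A second open session under the same user name on a different
            # workstation means two people are working under one user name.
            for (u, h) in open_sessions:
                if u == user and h != host:
                    shared_names.add(user)
            open_sessions[(user, host)] = ts
        elif event == "LOGOUT":
            open_sessions.pop((user, host), None)
    # Whatever is still open at the end of the period was never logged off.
    not_logged_off = sorted(f"{u}@{h}" for (u, h) in open_sessions)
    return {
        "shared_user_names": sorted(shared_names),
        "sessions_not_logged_off": not_logged_off,
    }


if __name__ == "__main__":
    print(find_findings(parse_log(SAMPLE_LOG)))
```

A user who forgets to log off on one workstation and then logs in on another produces the same overlap as a genuinely shared user name, so each flagged name should be followed up with the users concerned rather than treated as proof of sharing on its own.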
If it is determined that several users actually do work using the same user name, then they must be informed of their duty to log off after performing their tasks. At the same time, the reasons for this safeguard must be explained to the users since it is in the best interest of the users to follow this safeguard.
If it turns out that the login and logout procedures take too much time and the safeguard is therefore not accepted by the users even though they have been instructed to follow it, then alternative safeguards should be discussed, for example:
- The IT system can be allocated to one user for a certain period of time so that no other users are allowed to use the IT system during this time. This assumes that the work process can be scheduled flexibly.
- Additional IT systems can be purchased to avoid having several users work in parallel on a single IT system. It must be noted that although purchasing costs will be incurred for the additional IT systems, the purchasing costs for PC security products can be eliminated.
- If the data resources used by each user can be divided up (for example user A edits the data A-L, user B the data M-Z), then different access rights can be granted for the data. In this case, a user wanting to work on his/her data will need to log in to the system beforehand because his/her co-workers do not have the access rights needed for this data.
Review questions:
- Is it checked at regular intervals if all users carry out their work only using their own user name?
- If there are acceptance problems with regard to the user logging in and out properly: Are alternative measures investigated?