S 4.1 Password protection for IT systems
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User
Password protection on an IT system ensures that only users who can prove their authorisation gain access to the data and IT applications stored on it. The authorisation must be proven immediately after the IT system is switched on; if the user cannot prove the required authorisation, the password protection denies that user access to the IT system.
The password protection on an IT system can be realised in various ways:
- Most BIOS versions allow a boot password to be set. If an incorrect password is entered, the boot procedure is stopped. A BIOS password is not difficult to overcome (resetting the CMOS settings or removing the hard disk and reading it in another system typically bypasses it), but it does provide protection against opportunistic perpetrators. It should be used at least wherever no better access protection mechanism is available (see also S 4.84 Use of BIOS security mechanisms).
- Current operating systems already contain access protection mechanisms. In most cases these still need to be activated, for example by assigning a password to every user account and locking accounts that have none. Further information can be found in the modules specific to the respective operating systems.
- Additional hardware or software is installed that queries a password before the computer actually starts (pre-boot authentication) and prevents the IT system from being used when an incorrect password is entered.
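The operating-system item above calls for a password on every user account. The following script, added here as an illustration and not part of the catalogue text, audits records in /etc/shadow format for accounts that undermine password protection: an empty password field (login without any password), a legacy hash algorithm, and a maximum password age longer than the organisation's change interval. The sample records and the 90-day limit are constructed assumptions; on a real host the records would be read from /etc/shadow as root.

```python
"""Audit /etc/shadow-style records for accounts that defeat password protection.

Added example. The records in SAMPLE_SHADOW are constructed for illustration;
on a real system the input would be the contents of /etc/shadow (readable by
root only). MAX_PASSWORD_AGE_DAYS is an assumed value from the password policy.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_PASSWORD_AGE_DAYS = 90  # assumption: organisational change interval

# Hash prefixes regarded as acceptable here: sha256crypt, sha512crypt,
# yescrypt, scrypt, bcrypt and gost-yescrypt.
MODERN_HASH_PREFIXES = ("$5$", "$6$", "$y$", "$7$", "$2", "$gy$")

# Constructed sample: shadow fields are
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19700:0:90:7:::
alice:$y$j9T$saltsaltsaltsalt$hashhashhashhash:19700:0:99999:7:::
bob::19700:0:99999:7:::
svc-backup:!:19700:0:99999:7:::
carol:$1$abcdefgh$legacymd5hash:19700:0:60:7:::
daemon:*:19700:0:99999:7:::
"""


@dataclass
class Finding:
    account: str
    issue: str


def parse_shadow_line(line: str) -> Optional[dict]:
    """Split one shadow record; return None for malformed lines."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        return None
    name, pw_hash, lastchg, _minage, maxage = fields[:5]
    return {
        "name": name,
        "hash": pw_hash,
        "lastchg": int(lastchg) if lastchg else None,
        "maxage": int(maxage) if maxage else None,
    }


def is_locked(pw_hash: str) -> bool:
    """A hash beginning with '!' or '*' matches no password: the account is
    locked for password login, which is acceptable for service accounts."""
    return pw_hash.startswith(("!", "*"))


def is_weak_hash(pw_hash: str) -> bool:
    """'$1$' is md5crypt; a hash without any '$' is the old 13-character DES crypt."""
    return pw_hash.startswith("$1$") or "$" not in pw_hash


def audit_shadow(lines, max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        rec = parse_shadow_line(line)
        if rec is None:
            continue
        if rec["hash"] == "":
            findings.append(Finding(rec["name"], "empty password field: login possible without a password"))
            continue
        if is_locked(rec["hash"]):
            continue
        if is_weak_hash(rec["hash"]):
            findings.append(Finding(rec["name"], "legacy password hash algorithm"))
        if rec["maxage"] is None or rec["maxage"] > max_age_days:
            findings.append(Finding(
                rec["name"],
                f"maximum password age {rec['maxage']} exceeds policy of {max_age_days} days",
            ))
    return findings


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW.splitlines()):
        print(f"{f.account}: {f.issue}")
```

Locked accounts are deliberately skipped rather than reported: a service account with no usable password is exactly what the measure asks for. Accounts flagged for an empty password field should be fixed before anything else, since they allow login with no authorisation at all.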
With regard to handling passwords, the provisions in S 2.11 Provisions governing the use of passwords must be observed, in particular the requirement to change passwords at regular intervals.
Review questions:
- Is it ensured that only authorised persons can access applications and IT systems?