S 4.15 Secure log-in
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
A login program has to be used, or the corresponding options of the existing login program enabled, so that the following safeguards can be implemented:
- Every user has to be assigned an individual ID and password. Access without ID and password must not be possible. Instead of a password, user authentication can also be carried out using electronic signatures, pass tickets or similar.
- The number of failed login attempts is limited. The waiting time before the next login prompt increases with every failed login attempt, and after a defined number of consecutive failed attempts the user ID and/or the terminal concerned is locked. Note that this lockout must not affect the administrator: administrator access via the console must remain possible at all times, otherwise a series of deliberately failed attempts could be used to lock the administrator out of the system.
- The user is informed about the time of the latest successful login when logging in.
- Failed login attempts are reported to the user when logging in. This message may have to be repeated with several subsequent logins.
- The user is informed about the time of the last log-out when logging in. A distinction is made here between log-outs from interactive sessions and non-interactive log-outs (termination of background processes).
- For logins over networks on which passwords are transmitted in unencrypted form, it is recommended to use one-time passwords in addition (see S 5.34 Use of one-time passwords), since a static password captured in transit can be replayed by an eavesdropper; wherever possible, the transmission itself should also be encrypted.
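The list above states the policy but not the mechanics. The following Python sketch is added here as an illustration; it is not part of the safeguard catalogue and not the code of any particular login program. It implements the throttling with an escalating waiting time, the lockout after a defined number of failures, the exemption for the administrator at the console, and the notices about the last successful login, failed attempts since then and the last log-out. The thresholds (3 failures, 2 s doubling up to 64 s), the user names and the plaintext secret comparison are assumptions made for the example; the clock is passed in so the logic can be exercised offline.

```python
"""Constructed example of a login policy engine (not a real login program).

Thresholds, user names and the plaintext secret comparison are assumptions.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILURES = 3     # assumption: lock the ID after 3 consecutive failures
BASE_DELAY = 2.0     # assumption: seconds to wait after the first failure
MAX_DELAY = 64.0     # assumption: cap on the escalating waiting time


@dataclass
class Account:
    # Toy: plaintext secret. A real login program stores a salted password
    # hash or verifies a signature/ticket instead of a password.
    secret: str
    is_admin: bool = False
    failures: int = 0                      # consecutive failures (throttling)
    last_failure_at: Optional[float] = None
    locked: bool = False
    last_success_at: Optional[float] = None
    failed_since_last_login: int = 0       # reported to the user on next login
    last_logout_at: Optional[float] = None
    last_logout_interactive: Optional[bool] = None


class LoginService:
    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts

    def required_delay(self, acct: Account) -> float:
        """Waiting time before the next prompt; doubles with each failure."""
        if acct.failures == 0:
            return 0.0
        return min(BASE_DELAY * 2 ** (acct.failures - 1), MAX_DELAY)

    def login(self, user: str, secret: str, now: float,
              via_console: bool = False) -> dict:
        acct = self.accounts.get(user)
        if acct is None:
            # Unknown ID gets the same generic answer as a wrong password,
            # so the response does not reveal which IDs exist.
            return {"ok": False, "reason": "invalid credentials"}
        # The administrator at the console is never throttled or locked out.
        exempt = acct.is_admin and via_console
        if acct.locked and not exempt:
            return {"ok": False, "reason": "locked"}
        delay = self.required_delay(acct)
        if (not exempt and acct.last_failure_at is not None
                and now - acct.last_failure_at < delay):
            # Too early: reject without even evaluating the credential.
            return {"ok": False, "reason": "wait",
                    "retry_after": acct.last_failure_at + delay - now}
        if not hmac.compare_digest(acct.secret.encode(), secret.encode()):
            acct.failures += 1
            acct.failed_since_last_login += 1
            acct.last_failure_at = now
            if acct.failures >= MAX_FAILURES and not exempt:
                acct.locked = True
                return {"ok": False, "reason": "locked"}
            return {"ok": False, "reason": "invalid credentials",
                    "next_delay": self.required_delay(acct)}
        # Success: collect the notices the user must see, then reset counters.
        notice = {
            "ok": True,
            "last_success_at": acct.last_success_at,
            "failed_since_last_login": acct.failed_since_last_login,
            "last_logout_at": acct.last_logout_at,
            "last_logout_interactive": acct.last_logout_interactive,
        }
        acct.last_success_at = now
        acct.failures = 0
        acct.failed_since_last_login = 0
        acct.last_failure_at = None
        return notice

    def logout(self, user: str, now: float, interactive: bool) -> None:
        """Record the log-out, distinguishing interactive from background."""
        acct = self.accounts[user]
        acct.last_logout_at = now
        acct.last_logout_interactive = interactive

    def unlock(self, user: str) -> None:
        """Explicit administrator action; a lock never expires by itself here."""
        acct = self.accounts[user]
        acct.locked = False
        acct.failures = 0
        acct.last_failure_at = None


def build_demo() -> LoginService:
    """Constructed accounts for exercising the policy offline."""
    return LoginService({
        "alice": Account("correct horse"),
        "root": Account("toor", is_admin=True),
    })
```

The "wait" branch deliberately rejects before the credential is checked, so ignoring the waiting time gains an attacker nothing. The lock is cleared only by `unlock()`, which stands in for the administrator's action; an administrator ID locked by failures over the network can still log in at the console because `exempt` bypasses both the lock and the throttling. In a real deployment this state lives server-side and is keyed by ID and by terminal, and the notices are shown to the user before any shell or application is started.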
For specific instructions on the protection of the login process using z/OS, see safeguard S 4.213 Protecting the login process under z/OS.
Review questions:
- Are there rules governing how access to IT systems is secured?
- Are all safeguards required to secure access to IT systems implemented?