IT Baseline Protection Manual S 2.65 Checking the efficiency of User separation on an IT System
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Auditor, Administrator, IT Security Management
By means of report assessment or random testing, it should be checked at appropriate intervals whether the users of the IT system log off regularly after finishing their tasks, or whether several users work under one ID.
Should it be found that several users work under one ID, they should be made aware of their duty to log off once a task is finished. At the same time, it should be pointed out that this is in the users' own interest.
Should it also be found that logging on and off takes too much time and is not accepted by users despite being requested, alternative measures should be discussed, such as:
Allocation of the IT system to one user for fixed time periods during which other users may not use it. This requires the work process to be flexible in terms of timing.
Procurement of additional IT systems, so that quasi-parallel work on a single IT system is avoided. Whilst this involves additional costs, the procurement costs for PC security products are no longer required. Instead of module 5.4 DOS PC (multi-user), the recommended safeguards of another module, e.g. 5.1 DOS PC (one user), then have to be implemented.
Should it be possible to separate the data of the various users (e.g. user A processes data A-L, user B data M-Z), separate authorisations can be granted. A user who wants to work with his data must then first log on to the system himself, as his colleague does not have access to these data.
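The report assessment described above can be partly automated. The following script is an added example, not part of the manual; it assumes a constructed logon/logoff report with one event per line (date, time, LOGON or LOGOFF, user ID, workstation) and flags two indicators: an ID logged on from two workstations at the same time (several users working under one ID) and sessions that are never closed or run longer than a working day (users not logging off).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a logon/logoff report for one IT system (not real data).
# Each line: date, time, event, user ID, workstation.
SAMPLE_REPORT = """\
2024-03-04 08:01:10 LOGON  pc-share WS-01
2024-03-04 08:15:42 LOGON  pc-share WS-07
2024-03-04 09:05:00 LOGOFF pc-share WS-01
2024-03-04 09:30:00 LOGON  alice    WS-02
2024-03-04 11:50:00 LOGOFF pc-share WS-07
2024-03-04 12:00:00 LOGOFF alice    WS-02
2024-03-04 12:10:00 LOGON  bob      WS-03
"""

def parse_report(text):
    """Turn report lines into (timestamp, event, user, host) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            date, time, event, user, host = line.split()
            events.append((datetime.fromisoformat(f"{date} {time}"), event, user, host))
    return events

def assess(events, max_session=timedelta(hours=8)):
    """Return (shared_ids, stale_sessions) for the report period.
    shared_ids: IDs logged on from two workstations at once (one ID, several users).
    stale_sessions: (user, host) pairs never logged off, or logged on longer
    than max_session (users not logging off after finishing their task).
    """
    open_sessions = {}                  # (user, host) -> logon time
    active_hosts = defaultdict(set)     # user -> workstations currently logged on
    shared, stale = set(), set()
    for ts, event, user, host in sorted(events):
        if event == "LOGON":
            if active_hosts[user] - {host}:  # already active elsewhere
                shared.add(user)
            active_hosts[user].add(host)
            open_sessions[(user, host)] = ts
        elif event == "LOGOFF":
            start = open_sessions.pop((user, host), None)
            active_hosts[user].discard(host)
            if start is not None and ts - start > max_session:
                stale.add((user, host))
    stale.update(open_sessions)         # still open at the end of the report
    return sorted(shared), sorted(stale)

if __name__ == "__main__":
    shared, stale = assess(parse_report(SAMPLE_REPORT))
    print("IDs used from several workstations at once:", shared)
    print("Sessions not closed or too long:", stale)
```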
Additional controls:
How frequently are logins and logouts checked?
Is there an acceptance problem regarding login/logout?