IT Baseline Protection Manual S 4.1 Password protection for IT systems
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT-user
Password protection for an IT system is intended to ensure that only users who prove their authorisation are granted access to data and programs. The proof must be furnished as soon as the IT system is switched on; if the user cannot furnish it, password protection denies access to the IT system.
Password protection in an IT system can be achieved in various ways:
Most BIOS variants allow a boot password to be set; if it is entered incorrectly, the boot process is not continued. A BIOS password is not difficult to circumvent (for example by clearing the BIOS settings or by removing the hard disk and reading it in another computer), but it does deter opportunistic attackers. It should therefore be used wherever better access safeguards are not available (see S 4.84 Using BIOS security mechanisms).
Most operating systems already contain access safeguards. In many cases, however, these must first be activated, for example by assigning a password to every user account; no account that can log in may be left without a password. Further information can be found in the operating-system-specific modules.
Additional hardware or software is installed that asks for a password before the computer actually starts and, if an incorrect password is entered, prevents any further use of the IT system (pre-boot authentication).
When handling passwords, the rules in S 2.11 Provisions governing the use of passwords must be observed; in particular, passwords must be changed regularly.
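As an added example (not part of the BSI catalogue or of any vendor tool), the following POSIX shell script checks a Unix-style passwd(5)/shadow(5) pair for the two conditions this safeguard and S 2.11 ask for: accounts that can log in without any password, and accounts whose password is never forced to change. The sample account data is constructed for the example, and the list of non-login shells is an assumption that may need extending for a given platform.

```shell
#!/bin/sh
# Added example, not part of the BSI catalogue: audit a passwd(5)/shadow(5)
# pair for accounts that are not protected by a password, and for accounts
# whose password is never forced to change. Field layout of shadow(5):
#   name:password:lastchange:min:max:warn:inactive:expire:reserved
# An empty password field means the account can log in without a password;
# a field starting with '!' or '*' means the account is locked or has no
# usable password; a max age of 99999 (or none) means no regular change.

# Shells that never permit an interactive login (assumption: the usual
# values on Linux and BSD systems; extend for your platform).
NOLOGIN_SHELLS='/usr/sbin/nologin /sbin/nologin /bin/false'

# Print the names of accounts that have an interactive shell but an
# empty password field, one per line.
unprotected_accounts() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, s, " "); for (i = 1; i <= n; i++) blocked[s[i]] = 1 }
        NR == FNR { if (!($7 in blocked)) interactive[$1] = 1; next }  # first file: passwd(5)
        ($1 in interactive) && $2 == "" { print $1 }                    # second file: shadow(5)
    ' "$1" "$2"
}

# Print the names of interactive accounts whose password is usable (not
# locked) but never has to be changed (max age missing or 99999 and above).
never_expiring_accounts() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, s, " "); for (i = 1; i <= n; i++) blocked[s[i]] = 1 }
        NR == FNR { if (!($7 in blocked)) interactive[$1] = 1; next }
        ($1 in interactive) && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }
    ' "$1" "$2"
}

# Answer the control question: succeed (exit 0) only if no interactive
# account is without a password.
password_protection_ok() {
    [ -z "$(unprotected_accounts "$1" "$2")" ]
}

# Constructed sample data (not taken from any real system). The hash
# values are placeholders; only the field structure matters here.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder$placeholderhash:19000:0:90:7:::
alice::19000:0:90:7:::
bob:$6$placeholder$placeholderhash:19000:0:99999:7:::
carol:!:19000:0:90:7:::
daemon:*:19000:0:99999:7:::
EOF

echo "accounts without a password:         $(unprotected_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW")"
echo "accounts with a never-expiring pw:   $(never_expiring_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW")"
if password_protection_ok "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"; then
    echo "password protection: OK"
else
    echo "password protection: NOT OK"
fi
```

On a live system the functions are run against the real files, e.g. `unprotected_accounts /etc/passwd /etc/shadow` (reading /etc/shadow requires root). The BIOS boot password and pre-boot authentication products cannot be audited from inside the operating system in this way and have to be checked at the machine itself.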
Additional controls:
Has password protection been installed on the respective computers?