IT Baseline Protection Manual S 4.16 Restrictions on access to accounts and/or terminals


Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

The account and/or terminal of a user should be blocked outside regular working hours. If this involves an unreasonable amount of time and effort (for instance in case of very irregular or frequently changing working hours), blocking should be effected at least during the standard non-working periods.

If staff members work only at one particular terminal or IT system within the network, use of the user ID and of the associated password is to be confined to that computer so that logging in from another computer is precluded.

For terminals under Unix, the respective user must be entered as the owner of the given logical device. When the user has logged out, root should automatically be set as the owner again. Only the respective user should have read access to the device. If a user wishes to receive messages from other system users (e.g. through talk), he must grant them write access to the device driver. The actual need for this must be checked.
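The Unix terminal rules above can be checked mechanically. The following is an added example, not part of the manual: the function names are hypothetical, the sample data is constructed, and it assumes terminal devices under /dev/pts and `who` output that begins with user name and line.

```python
import os, pwd, stat

def audit_tty(path, owner, mode, session_user=None):
    """Findings for one terminal device; session_user is None when it is idle."""
    findings = []
    expected = session_user or "root"  # after logout the device returns to root
    if owner != expected:
        findings.append(f"{path}: owner {owner}, expected {expected}")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by users other than the owner")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by others, verify the need")
    return findings

def parse_who(text):
    """Map device path -> logged-in user from `who` output (user, line, ...)."""
    sessions = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            sessions["/dev/" + fields[1]] = fields[0]
    return sessions

def scan_devices(sessions, dev_dir="/dev/pts"):
    """Audit every character device in dev_dir on a live system."""
    names = {u.pw_uid: u.pw_name for u in pwd.getpwall()}
    findings = []
    for name in sorted(os.listdir(dev_dir)):
        path = os.path.join(dev_dir, name)
        st = os.stat(path)
        if stat.S_ISCHR(st.st_mode):
            owner = names.get(st.st_uid, str(st.st_uid))
            findings += audit_tty(path, owner, stat.S_IMODE(st.st_mode), sessions.get(path))
    return findings

# Constructed sample data, not taken from a real system.
SAMPLE_WHO = "alice  pts/0  2000-01-10 08:02\nbob    pts/1  2000-01-10 08:15\n"
SAMPLE_DEVICES = [
    ("/dev/pts/0", "alice", 0o600),  # compliant
    ("/dev/pts/1", "bob", 0o622),    # others may write to bob's terminal
    ("/dev/pts/2", "carol", 0o644),  # idle, not returned to root, world-readable
]

def audit_samples():
    sessions = parse_who(SAMPLE_WHO)
    return [f for p, o, m in SAMPLE_DEVICES for f in audit_tty(p, o, m, sessions.get(p))]

if __name__ == "__main__":
    print("\n".join(audit_samples()))
```

On a live system, pass the output of `who` through `parse_who` and hand the result to `scan_devices`.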

In PC networks, the number of simultaneous log-ons under one account from several PCs can be restricted. To protect against unnoticed penetration by intruders, provisions should be made to prevent users from signing on at several PCs at the same time.

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: January 2000