Castleforce IT Security Team

A.11.5 Operating system access control

Objective: To prevent unauthorized access to operating systems.

A.11.5.1 Secure log-on procedures

Control

Access to operating systems shall be controlled by a secure log-on procedure.

A.11.5.2 User identification and authentication

Control

All users shall have a unique identifier (user ID) for their personal use only, and a suitable authentication technique shall be chosen to substantiate the claimed identity of a user.

A.11.5.3 Password management system

Control

Systems for managing passwords shall be interactive and shall ensure quality passwords.

A.11.5.4 Use of system utilities

Control

The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

A.11.5.5 Session time-out

Control

Inactive sessions shall shut down after a defined period of inactivity.

A.11.5.6 Limitation of connection time

Control

Restrictions on connection times shall be used to provide additional security for high-risk applications.
