3. User Access Control

The goal of this control is to ensure user accounts are assigned to authorised individuals only, and to employ .

This control expects organisations to:

  • Have a process for user account creation and approval.

  • Authenticate users before allowing access to devices or systems with sufficiently strong credentials.

  • Remove or deactivate user accounts that are no longer required.

  • Enable where possible.

  • Have separate accounts for performing only administrative activities. Accounts where general user activities are performed (browsing the internet, emailing, etc.) should not be used for anything administrative.

  • Remove or disable administrative and special privileges when they are no longer needed.

Password-based authentication

  • Passwords are protected against with at least one of the following protections:

    • Activating .

    • Configuring wait times between attempts. These should allow no more than 10 guesses in 5 minutes.

    • Locking accounts after no more than 10 unsuccessful attempts.

  • Password quality is managed with at least one of the following protections:

    • Activating .

    • A minimum password length of at least 12 characters, with no maximum length restrictions.

    • A minimum password length of at least 8 characters, with no maximum length restrictions, combined with automatic blocking of common passwords using a deny list.

  • Employees are supported and encouraged to choose strong passwords for their accounts by:

    • Training employees on how to avoid common and weak passwords, including avoiding discoverable information such as names, dates or team names. This could include training employees to use a password manager's built-in password generator.

    • Encouraging employees to use longer passwords.

    • Providing employees with secure storage for passwords (e.g. a password manager) and training them on how to use it.

    • Not enforcing regular password expiry.

    • Not enforcing password complexity requirements.

  • There is a process to enforce password changes if a password or account is suspected to have been compromised.
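The brute-force and password-quality options listed above, worked through as an added example (this is illustrative code, not part of the Cyber Essentials requirements or any NCSC tooling); the deny list, the `GuessThrottle` class and its thresholds are constructed here to match the figures in the text:

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Set

# Constructed deny list for illustration; a real deployment would load a large
# published list of common and breached passwords.
COMMON_PASSWORDS: Set[str] = {"password", "password1", "qwerty123", "letmein", "welcome1"}


def password_acceptable(candidate: str, deny_list: Set[str] = COMMON_PASSWORDS) -> bool:
    """Password-quality options from the text: at least 12 characters, or at least
    8 characters and not on a deny list. No maximum length and no complexity rule."""
    if len(candidate) >= 12:
        return True
    return len(candidate) >= 8 and candidate.lower() not in deny_list


class GuessThrottle:
    """Brute-force protection: allow no more than `max_guesses` failed attempts per
    account within `window` seconds (10 in 5 minutes), and optionally lock the
    account outright after `lock_after` cumulative failures (10 in the text)."""

    def __init__(self, max_guesses: int = 10, window: float = 300.0,
                 lock_after: Optional[int] = None) -> None:
        self.max_guesses = max_guesses
        self.window = window
        self.lock_after = lock_after
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._total: Dict[str, int] = defaultdict(int)
        self.locked: Set[str] = set()

    def allow_attempt(self, account: str, now: float) -> bool:
        """True if a login attempt for `account` may be processed at time `now`."""
        if account in self.locked:
            return False
        recent = self._failures[account]
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # forget failures that fell outside the sliding window
        return len(recent) < self.max_guesses

    def record_failure(self, account: str, now: float) -> None:
        self._failures[account].append(now)
        self._total[account] += 1
        if self.lock_after is not None and self._total[account] >= self.lock_after:
            self.locked.add(account)  # stays locked until an administrator clears it

    def record_success(self, account: str) -> None:
        self._failures[account].clear()
        self._total[account] = 0
```

Because the text requires at least one of the protections, the lockout is opt-in; with only the sliding window, an attacker is limited to 10 guesses per five-minute window per account, which is the rate the text describes.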

Multi-Factor Authentication (MFA)

As well as providing extra protection for passwords that are not protected by other technical controls, multi-factor authentication should always be used to provide additional protection to administrative accounts and accounts that are accessible from the internet.

The password element of the multi-factor authentication approach must have a password length of at least 8 characters with no maximum length restrictions.

There are four types of additional factors that may be considered:

  • A managed/enterprise device

  • An app on a trusted device

  • A physically separate token

  • A known or trusted account

Additional factors should be chosen so that they are usable and accessible. This may require user testing to verify whether a factor is suitable for the users.
