Secure authentication Policy

Document ID ACPL-ISMS-C8.5
Document Classification Internal
Issue Date (effective from) 01.12.2023
Version No 1.0
Latest Review Date 01.12.2023

Nitin Gupta Kunal Parikh Vijay Gupta

CISO Director Director

Prepared By Reviewed By Approved By

Secure authentication Policy

1. Control statement:

Secure authentication technologies and procedures should be implemented based on information

access restrictions and the topic-specific policy on access control.

2. Purpose:

To ensure a user or an entity is securely authenticated, when access to systems, applications and
services is granted.

3. Scope:

This policy covers the authorization to the information assets and other associated assets depending
upon the classification of the assets.

4. Procedure:

a) Where strong authentication and identity verification is required, authentication methods alternative
to passwords, such as digital certificates, smart cards, tokens or biometric means, should be used.
(presently we use password and bio-metric)

b) Authentication information are accompanied by additional authentication factors for accessing

critical information systems as multi-factor authentication ie. E-mail and Google cloud.

c) The biometric authentication system if used should have at least one alternative methods because it
may get failed due to moisture or aging etc.

The procedure for logging into a system or application should be designed to minimize the risk of
unauthorized access. Log-on procedures and technologies should be implemented considering the
following:

a) Not displaying sensitive system or application information until the log-on process has been
successfully completed in order to avoid providing an unauthorized user with any unnecessary
assistance;

b) Displaying a general notice warning that the system or the application or the service should only be
accessed by authorized users;

c) Not providing help messages during the log-on procedure that would aid an unauthorized user (e.g. if
an error condition arises, the system should not indicate which part of the data is correct or incorrect);

Doc ID: ACPL-ISMS-C8.5 Version 1.0 Last Rev. Date: 01.12.2023 Page 2 of 3

This document is confidential and must not be shared or copied without written permission from
Aethereus Consulting. Please return or destroy upon request.
Secure authentication Policy

d) Validating the log-on information only on completion of all input data;

e) protecting against brute force log-on attempts on usernames and passwords [e.g. using completely
automated public Turing test to tell computers and humans apart (CAPTCHA), requiring password reset
after a predefined number of failed attempts or blocking the user after a maximum number of errors];
presently no use of CAPTCHA.

f) Logging unsuccessful and successful attempts;

g) Raising a security event if a potential attempted or successful breach of log-on controls is detected
(e.g. sending an alert to the user and the organization’s system administrators when a certain number
of wrong password attempts has been reached);

h) Displaying or sending the following information on a separate channel on completion of a successful

log-on:

i. Date and time of the previous successful log-on ( can be viewed on admin portal)

ii. Details of any unsuccessful log-on attempts since the last successful log-on;( for each
unsuccessful attempt ,a mail will be generated to admin e-mail id)
i) Not displaying a password in clear text when it is being entered; in some cases, it can be required to
de-activate this functionality in order to facilitate user log-on (e.g. for accessibility reasons or to avoid
blocking users because of repeated errors);

j) Not transmitting passwords in clear text over a network to avoid being captured by a network
"sniffer” program;

k) Terminating inactive sessions after a defined period of inactivity, especially in high risk locations such
as public or external areas outside the organization’s security management or on user endpoint
devices;: It depends on the policy of the client because we work on the client portal only.

l) Restricting connection duration times to provide additional security for high-risk applications and
reduce the window of opportunity for unauthorized access. ( not applicable)

5. Revision History

Revision Date Description Author

1.0 01.12.2023 Initial release CISO

Doc ID: ACPL-ISMS-C8.5 Version 1.0 Last Rev. Date: 01.12.2023 Page 3 of 3

This document is confidential and must not be shared or copied without written permission from
Aethereus Consulting. Please return or destroy upon request.