Professional Documents
Culture Documents
ACPL-ISMS-C8.5 Secure Authentication Policy
ACPL-ISMS-C8.5 Secure Authentication Policy
Document ID ACPL-ISMS-C8.5
Document Classification Internal
Issue Date (effective from) 01.12.2023
Version No 1.0
Latest Review Date 01.12.2023
1. Control statement:
2. Purpose:
To ensure a user or an entity is securely authenticated, when access to systems, applications and
services is granted.
3. Scope:
This policy covers the authorization to the information assets and other associated assets depending
upon the classification of the assets.
4. Procedure:
a) Where strong authentication and identity verification is required, authentication methods alternative
to passwords, such as digital certificates, smart cards, tokens or biometric means, should be used.
(presently we use password and bio-metric)
c) The biometric authentication system if used should have at least one alternative methods because it
may get failed due to moisture or aging etc.
The procedure for logging into a system or application should be designed to minimize the risk of
unauthorized access. Log-on procedures and technologies should be implemented considering the
following:
a) Not displaying sensitive system or application information until the log-on process has been
successfully completed in order to avoid providing an unauthorized user with any unnecessary
assistance;
b) Displaying a general notice warning that the system or the application or the service should only be
accessed by authorized users;
c) Not providing help messages during the log-on procedure that would aid an unauthorized user (e.g. if
an error condition arises, the system should not indicate which part of the data is correct or incorrect);
Doc ID: ACPL-ISMS-C8.5 Version 1.0 Last Rev. Date: 01.12.2023 Page 2 of 3
This document is confidential and must not be shared or copied without written permission from
Aethereus Consulting. Please return or destroy upon request.
Secure authentication Policy
e) protecting against brute force log-on attempts on usernames and passwords [e.g. using completely
automated public Turing test to tell computers and humans apart (CAPTCHA), requiring password reset
after a predefined number of failed attempts or blocking the user after a maximum number of errors];
presently no use of CAPTCHA.
g) Raising a security event if a potential attempted or successful breach of log-on controls is detected
(e.g. sending an alert to the user and the organization’s system administrators when a certain number
of wrong password attempts has been reached);
i. Date and time of the previous successful log-on ( can be viewed on admin portal)
ii. Details of any unsuccessful log-on attempts since the last successful log-on;( for each
unsuccessful attempt ,a mail will be generated to admin e-mail id)
i) Not displaying a password in clear text when it is being entered; in some cases, it can be required to
de-activate this functionality in order to facilitate user log-on (e.g. for accessibility reasons or to avoid
blocking users because of repeated errors);
j) Not transmitting passwords in clear text over a network to avoid being captured by a network
"sniffer” program;
k) Terminating inactive sessions after a defined period of inactivity, especially in high risk locations such
as public or external areas outside the organization’s security management or on user endpoint
devices;: It depends on the policy of the client because we work on the client portal only.
l) Restricting connection duration times to provide additional security for high-risk applications and
reduce the window of opportunity for unauthorized access. ( not applicable)
5. Revision History
Doc ID: ACPL-ISMS-C8.5 Version 1.0 Last Rev. Date: 01.12.2023 Page 3 of 3
This document is confidential and must not be shared or copied without written permission from
Aethereus Consulting. Please return or destroy upon request.