User Authentication for Network Gateway Access
Ensure users verify their identity before accessing networks through gateways.
Plain language
This control is about making sure people prove who they are before they can access your network through special entry points called gateways. If you don't do this, anyone pretending to be someone else could get in, leading to leaks of sensitive information or disruption of your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for gateways
Section
Gateways
Official control statement
Users authenticate to other networks accessed via gateways.
Why it matters
Without gateway user authentication, attackers can impersonate valid users, gaining unauthorised access to sensitive networks and disrupting critical services.
Operational notes
Implement per-user authentication on gateways and regularly audit gateway access logs to detect and respond to unauthorised attempts swiftly.
Implementation tips
- IT team should install authentication software: Choose reliable software that requires users to enter a username and password or another form of identity verification before accessing the network through gateways. Ensure it’s installed on all gateway entry points and is easy for users to understand.
- System owners need to maintain a list of authorised users: Create a list of individuals who are allowed to access the network through these gateways. Update it every time someone joins or leaves the team, so only the right people have access.
- Managers should train their staff on security protocols: Arrange short training sessions to explain why authentication is necessary and how to correctly use the verification tools. This keeps everyone informed and helps prevent mistakes.
- HR should coordinate with IT to update access rights: Whenever there’s a staffing change, immediately inform the IT team to remove access for departing staff and set up access for new employees through the gateways.
- Conduct regular access reviews: System owners should schedule quarterly reviews of who’s accessing the network via gateways, ensuring that only current, authorised users are on the list. Adjust access rights promptly as needed.
Audit / evidence tips
- Ask for the user access list: Request a copy of the current list of users authorised to access the network through gateways.
  Good: the list will be up to date, reflecting only current staff needing access.
- Ask to see authentication logs: Request logs that show instances of users logging into the network via gateways.
  Good: the log will show a small number of failed attempts and all accesses during expected work hours.
- Ask for evidence of training sessions: Collect records or attendance lists from security training sessions about the authentication process.
- Ask to review recent access changes: Request documentation of recent staffing changes and corresponding updates to access rights through the gateways.
- Ask to observe a verification test: Have a member of staff demonstrate the authentication process for accessing the network.
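The access-list and authentication-log checks from the audit tips above, as an added example that is not part of the original page or of the ISM: it cross-checks a gateway authentication log against the authorised-user list. The log format, user names, work hours and failure threshold are assumptions, and all sample data is constructed.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample data (not from the page). The log format
# "<ISO timestamp> <user> <SUCCESS|FAIL>" is an assumption for illustration.
AUTHORISED = {"alice", "bob", "carol"}
SAMPLE_LOG = """\
2026-03-02T08:55:10 alice SUCCESS
2026-03-02T09:01:44 bob FAIL
2026-03-02T09:02:03 bob SUCCESS
2026-03-02T23:47:31 carol SUCCESS
2026-03-03T10:15:00 dave SUCCESS
2026-03-03T11:00:01 erin FAIL
2026-03-03T11:00:03 erin FAIL
2026-03-03T11:00:05 erin FAIL
2026-03-03T11:00:09 - SUCCESS
corrupted line
"""
WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed expected work hours
MAX_FAILS = 2                                   # assumed review threshold


def review_gateway_log(log_text, authorised, max_fails=MAX_FAILS):
    """Return sorted (line_no, finding, user) tuples for an auditor to follow up."""
    findings, fails = [], Counter()
    for no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        try:
            when, user, result = datetime.fromisoformat(parts[0]), parts[1], parts[2]
            if len(parts) != 3 or result not in ("SUCCESS", "FAIL"):
                raise ValueError(line)
        except (ValueError, IndexError):
            findings.append((no, "unparsable_entry", ""))
            continue
        if result == "FAIL":
            fails[user] += 1
            if fails[user] == max_fails + 1:  # report once, when threshold is passed
                findings.append((no, "excessive_failures", user))
            continue
        if user == "-":                       # access with no per-user identity
            findings.append((no, "no_user_identity", user))
        elif user not in authorised:          # authenticated but not on the list
            findings.append((no, "not_on_authorised_list", user))
        if not (WORK_START <= when.time() <= WORK_END):
            findings.append((no, "outside_work_hours", user))
    return sorted(findings)

if __name__ == "__main__":
    print(review_gateway_log(SAMPLE_LOG, AUTHORISED))
```

A single failed attempt followed by a success (bob in the sample) is deliberately not reported, matching the "small number of failed attempts" expectation; unparsable entries are reported rather than skipped so gaps in the evidence are visible.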
Cross-framework mappings
How ISM-0619 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Related (1) | | |
| Annex A 8.5 | ISM-0619 requires users to authenticate to other networks accessed via gateways | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-MF-ML1.1 | ISM-0619 requires users to authenticate when accessing other networks via network gateways | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.