Secure Logon Procedure
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |
Document Type: Procedure | Owner: CISO | Classification: Confidential | Review Cycle: Annual
| Field | Detail |
|---|---|
| Document # | SP-SL-032 |
| Version | V1.2 |
| Issue Date | 08/09/2025 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Document Owner | Head of Network and Infrastructure |
| Authorised By | Yassir Pasha |
Document Creation
| Field | Detail |
|---|---|
| Document # | SP-SL-032 |
| Document Title | Secure Logon Procedure |
| Version | V1.2 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 12/03/2021 |
| Issue Date | 08/09/2025 |
| Document Owner | Head of Network and Infrastructure |
| Author(s) | Simpaisa |
| Purpose | To ensure that Secure Logon Procedures are in place and followed |
| Authorised By | Yassir Pasha |
Reviewed By Steering Committee
| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs & Regulatory |
Change Control
| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 16/06/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 27/09/2024 | Syed Zubair Ahmed | Annual review | Yassir Pasha |
| V1.2 | 08/09/2025 | Simpaisa | Annual review | Yassir Pasha |
1 Log On Procedures
Access to host-based IT services should be via a secure logon process. The procedure for logging on to a computer system should be designed to minimise the opportunity for unauthorised access. The procedure should therefore disclose the minimum information about the system to avoid providing an unauthorised user with unnecessary assistance.
The following is an example of a logon procedure:
a) System Logon
- No system or application identifiers are to be displayed until the logon process has been successfully completed.
- A notice warning that the computer is only to be accessed by authorised users must be displayed.
- No help messages are to be provided during the logon procedure that would aid an unauthorised user.
- Logon information is to be validated only on completion of all input data.
- If an error condition arises, the system must not indicate which part of the data is correct or incorrect.
- No more than three unsuccessful logon attempts are to be allowed before action is taken to:
  - Record the unsuccessful attempt;
  - Force a time delay before further logon attempts are allowed; and
  - Disconnect the data link connection.
- The workstation should be disconnected and give no assistance after a rejected logon attempt. The maximum time allowed for the logon procedure is 30 seconds; if this is exceeded, the system must terminate the logon process.
- On completion of a successful logon, the date and time of the previous successful logon and details of any subsequent unsuccessful logon attempts must be displayed.
- Lockout duration is set to a minimum of 30 minutes or until an administrator re-enables the user ID.
- If a session has been idle for more than 15 minutes, the user must re-authenticate to reactivate the terminal or session.
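The controls in the list above, modelled as an added Python example (not Simpaisa's code or any system's actual implementation). The credential store, the in-memory account and audit records, and the timestamps passed in by the caller are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_FAILURES = 3                     # unsuccessful attempts before lockout
LOCKOUT = timedelta(minutes=30)      # minimum lockout duration
IDLE_LIMIT = timedelta(minutes=15)   # idle time before re-authentication
LOGON_LIMIT = timedelta(seconds=30)  # the logon must complete within this
GENERIC_ERROR = "Logon failed"       # never says which field was wrong

# Constructed credential store for the example (assumed placeholder values).
USERS = {"alice": "correct-horse"}

@dataclass
class Account:
    failures: int = 0                         # consecutive failures
    locked_until: Optional[datetime] = None
    last_success: Optional[datetime] = None
    failed_since: List[datetime] = field(default_factory=list)  # since last success

accounts = {}    # user id -> Account (assumed in-memory store)
audit_log = []   # (timestamp, user id, event): record of each failed attempt

def logon(user: str, secret: str, started: datetime, now: datetime) -> Tuple[bool, str]:
    """Judge one complete logon submission (user id and secret) at time `now`."""
    acct = accounts.setdefault(user, Account())
    if now - started > LOGON_LIMIT:          # 30 s exceeded: terminate the logon
        return False, GENERIC_ERROR
    if acct.locked_until and now < acct.locked_until:
        return False, GENERIC_ERROR          # lockout still in force
    # Both fields are in hand; constant-time compare, one uniform verdict.
    expected = USERS.get(user, "")
    if not hmac.compare_digest(expected.encode(), secret.encode()):
        acct.failures += 1
        acct.failed_since.append(now)
        audit_log.append((now, user, "unsuccessful logon"))
        if acct.failures >= MAX_FAILURES:    # force the delay: lock out
            acct.locked_until, acct.failures = now + LOCKOUT, 0
        return False, GENERIC_ERROR
    # Success: report previous success and failures since it, then reset.
    prev = acct.last_success.isoformat() if acct.last_success else "none"
    msg = f"Last successful logon: {prev}; failed attempts since: {len(acct.failed_since)}"
    acct.failures, acct.failed_since, acct.locked_until = 0, [], None
    acct.last_success = now
    return True, msg

def session_requires_reauth(last_activity: datetime, now: datetime) -> bool:
    """True once a session has been idle for more than 15 minutes."""
    return now - last_activity > IDLE_LIMIT
```

Note that an unknown user id and a wrong secret produce the same result and the same audit record, so the response never reveals which field failed.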
2 Unattended Devices
Users of laptops and mobile devices must be instructed not to leave their devices unattended while in use. All devices must be password protected.