Status: Live
The organization will develop, disseminate, and review: 1) a formal standard to establish and maintain user account management that addresses all required and measurable items; and 2) formal procedures to facilitate implementing the standard. [UCF ID 00514]
Supporting and supported controls
This control directly supports:
• Establish an identification, authentication, and access rights management plan [UCF Control ID 00513]
This control has the following supporting controls:
• Control the addition and modification of user IDs, credentials, or other identifier objects [UCF Control ID 00515]
• Immediately revoke accesses of terminated users [UCF Control ID 00516]
• Remove inactive user accounts at least every 90 days or sooner as defined by the organization [UCF Control ID 00517]
• Distribute password procedures and policies to all users who have access to confidential information [UCF Control ID 00518]
• Do not permit group passwords [UCF Control ID 00519]
• Change user passwords on a regular basis [UCF Control ID 00520]
• Require a minimum password length suited to the organization's needs [UCF Control ID 00521]
• Use passwords containing both numeric and alphabetic characters [UCF Control ID 00522]
• Do not allow an individual to submit a new password that is the same as any of the last few passwords he or she has used [UCF Control ID 00523]
• Review access capabilities for any functional change in user status [UCF Control ID 00524]
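The supporting controls above are auditable only if the account inventory is actually compared against the HR record on a schedule. The following is an added example (Python) of such a review, not UCF text or tooling: it flags terminated users whose accounts are still enabled [00516], accounts idle longer than 90 days or never used [00517], accounts whose holder's role changed since the last access review [00524], and accounts with no identifiable owner. The account and HR records are constructed sample data, and the field names and the 90-day limit are assumptions a deployment would replace with its own directory export and policy value.

```python
"""Account-management review: compare an account export with HR records and
report the violations named in the supporting controls. Added example; the
record layout and sample data are assumptions, not UCF material."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=90)   # UCF 00517: remove inactive accounts at least every 90 days


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    last_login: Optional[date]       # None means the account has never been used
    role_at_last_review: str         # role on file when access was last reviewed


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str                      # "active" or "terminated"
    role: str                        # current role per HR


def review_accounts(accounts: List[Account], hr_records: List[HrRecord],
                    today: date) -> List[Tuple[str, str]]:
    """Return (user_id, finding) pairs; an empty list means the inventory is clean."""
    hr = {r.user_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        rec = hr.get(acct.user_id)
        if rec is None:
            # Nobody in HR owns this account, so nobody can authorise or revoke it.
            findings.append((acct.user_id, "no_owner"))
            continue
        if rec.status == "terminated" and acct.enabled:
            # 00516: access of terminated users must be revoked immediately.
            findings.append((acct.user_id, "terminated_still_enabled"))
            continue
        if acct.enabled:
            idle = (today - acct.last_login) if acct.last_login else None
            if idle is None or idle > INACTIVITY_LIMIT:
                # 00517: never-used accounts count as inactive from day one.
                findings.append((acct.user_id, "inactive_over_90_days"))
        if rec.role != acct.role_at_last_review:
            # 00524: a functional change in status requires a fresh access review.
            findings.append((acct.user_id, "role_changed_needs_review"))
    return findings


# Constructed sample data for a review run dated 2009-06-30.
TODAY = date(2009, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2009, 6, 29), "analyst"),       # compliant
    Account("bob", True, date(2009, 1, 15), "analyst"),         # idle 166 days
    Account("carol", True, date(2009, 6, 1), "analyst"),        # HR says terminated
    Account("dave", True, None, "dba"),                         # never logged in
    Account("erin", True, date(2009, 6, 20), "analyst"),        # HR role is now manager
    Account("svc_backup", True, date(2009, 6, 30), "service"),  # no HR owner
]
SAMPLE_HR = [
    HrRecord("alice", "active", "analyst"),
    HrRecord("bob", "active", "analyst"),
    HrRecord("carol", "terminated", "analyst"),
    HrRecord("dave", "active", "dba"),
    HrRecord("erin", "active", "manager"),
]

if __name__ == "__main__":
    for user_id, finding in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_HR, TODAY):
        print(f"{user_id:12} {finding}")
```

A terminated user is reported once and not also as inactive, because the required action (disable and remove) is the same and the more serious finding should drive the ticket; an account with no HR owner is reported even when it is in use, since the control requires that someone be accountable for authorising it.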
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 8.2.2.d; AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.1.a, ¶ .17 § 3.1.c, ¶ .20 § 3.4.a, ¶ .20 § 3.4.c, ¶ .24 § 3.5.a, ¶ .24 § 3.5.c, ¶ .29 § 3.4.a, ¶ .29 § 3.4.c; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 4.5; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 40, Exam Tier II Obj 2.7; System Security Plan (SSP) Procedure, Version 1.0, App A § 4.1; FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1, § 11.10(g); Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.308(a)(5)(ii)(C), § 164.308(a)(5)(ii)(D); Introductory Resource Guide for HIPAA NIST Special Publication 800-66, § 4.17; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-003-1 R5.1, CIP-003-1 R5.1.1, CIP-003-1 R5.3; American Express Data Security Standard (DSS), § 2b; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 54; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-15.e; Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives, § 15.1(B); NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-609.a(3); FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; GAO/PCIE Financial Audit Manual (FAM), § 295F.07; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.1, § 5.6.7, Exhibit 4 AC-2, Exhibit 4 AC-13, Exhibit 4 IA-4, Exhibit 8 Control 17, Exhibit 8 Control 18; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.5.2; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AC-2; CobiT 4.1, DS5.4; The Standard of Good Practice for Information Security, SM4.4.4(c), SM4.4.4(d); DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2, § 2.2 (WIR1100), § 3.4, § 3.5.1 thru § 3.5.3, App B.2; DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3, § 2.2 (WIR1100), App B.1; DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2, § 3, § 5.5, § 6; DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4, § 2.2 (WIR2100), § 3.4.5, App B.3; DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2, § 5 (WIR0450); ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 12.3, § G.3; ISO 17799:2005 Code of Practice for Information Security Management, § 11.2.1; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.11.2.3; ISO/IEC 27002-2005 Code of practice for information security management, § 11.2.1; OGC ITIL: Security Management, § 4.2; Australian Government ICT Security Manual (ACSI 33), § 2.7.38, § 3.6.21; Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts, § 17.04(1); Guide to Bluetooth Security, NIST Special Publication 800-121, September 2008, Table 4-2 Item 9, Table 4-2 Item 25; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007, Table 8-4 Item 37; Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124, October 2008, § 4.1.2, § 4.1.6; Archer Control Table, ATCS-209, ATCS-286, ATCS-302, ATCS-307, ATCS-308; Center for Internet Security Mac OS X Tiger Level I Security Benchmark, v1.0 May 2008, § 2.7; Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition, Pg 23, Pg 24, Pg 42, Pg 43, Pg 45, Pg 65; DISA Windows Server 2003 Security Checklist Version 6 Release 1.11, Version 6 Release 1.11, § 3.2, § 5.7.1.7; DISA Windows XP Security Checklist, Version 6 Release 1.11, § 3.2; DISA Windows VISTA Security Checklist, Version 6 Release 1.11, § 3.1 (1.006); California OPP Recommended Practices on Notification of Security Breach, May 2008, Part I ¶ 4
Sarbanes Oxley Guidance
The access procedures should include procedures for granting system access privileges and permissions. [ID 8.2.2.d, AICPA/CICA Privacy Framework]
The registration and authorization process for new users and for updating or modifying user profiles should restrict logical access to the system. [¶ .17 § 3.1.a, ¶ .17 § 3.1.c, ¶ .20 § 3.4.a, ¶ .20 § 3.4.c, ¶ .24 § 3.5.a, ¶ .24 § 3.5.c, ¶ .29 § 3.4.a, ¶ .29 § 3.4.c, AICPA Suitable Trust Services Principles and Criteria]
Banking and Finance Guidance
[Obj 4.5, FFIEC IT Examination Handbook – E-Banking, August 2003]
If a customer forgets his/her personal identification number (PIN), the customer should pick a new PIN instead of having the staff retrieve the old one. [Pg 40, Exam Tier II Obj 2.7, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
Healthcare and Life Science Guidance
Calls for a description of user identification and authentication controls for the system, including mechanisms that provide the ability to verify users. This also involves the description of password management practices. [App A § 4.1, System Security Plan (SSP) Procedure, Version 1.0]
[§ 11.10(g), FDA Electronic Records; Electronic Signatures FDA 21 CFR Part 11+D1]
[§ 164.308(a)(5)(ii)(C), § 164.308(a)(5)(ii)(D), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
[§ 4.17, Introductory Resource Guide for HIPAA NIST Special Publication 800-66]
Energy Guidance
The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
Personnel shall be identified by name, title, business phone and the information for which they are responsible for authorizing access.
The Responsible Entity shall assess and document at least annually the processes for controlling access privileges to protected information. [CIP-003-1 R5.1, CIP-003-1 R5.1.1, CIP-003-1 R5.3, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
Payment Card Guidance
The organization must set up administrative authority for resetting passwords, issuing temporary passwords and accessing payment data by restricting access to authorized employee groups and enabling the creation of audit trails. [§ 2b, American Express Data Security Standard (DSS)]
The login ID and the password used for the payment gateway system should not be the same. [Pg 54, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]
US Federal Security Guidance
Passwords should be issued only to users who have the authorization to access the system or who require access to perform their duties. [§ 2-15.e, Army Regulation 380-19: Information Systems Security, February 27, 1998]
The organization must implement and monitor the status of account management controls. [§ 15.1(B), Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives]
Entry to the system must only be granted in accordance with the profile settings for the authenticated user. [§ 8-609.a(3), NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
Calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
[§ 295F.07, GAO/PCIE Financial Audit Manual (FAM)]
US Internal Revenue Guidance
The organization must establish, activate, change, review, disable, and remove user accounts. System accounts must be reviewed at least annually. User identifiers must be managed by verifying all users; receiving authorization prior to issuing an identifier; disabling identifiers; and archiving identifiers. Passwords must not contain dictionary words or easily guessable combinations of letters and numbers. Passwords must never be written down or communicated in any way to another user. [§ 5.6.1, § 5.6.7, Exhibit 4 AC-2, Exhibit 4 AC-13, Exhibit 4 IA-4, Exhibit 8 Control 17, Exhibit 8 Control 18, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.5.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency].
Account management includes the identification of account types (i.e., individual, group, and system), establishment of conditions for group membership, and assignment of associated authorizations.
• The organization identifies authorized users of the information system and specifies access rights/privileges.
• The organization grants access to the information system based on:
1. a valid need-to-know/need-to-share that is determined by assigned official duties and satisfying all personnel security criteria; and
2. intended system usage.
• The organization requires proper identification for requests to establish information system accounts and approves all such requests.
• The organization specifically authorizes and monitors the use of guest/anonymous accounts and removes, disables, or otherwise secures unnecessary accounts.
• The organization ensures that account managers are notified when information system users are terminated or transferred and associated accounts are removed, disabled, or otherwise secured. Account managers are also notified when users’ information system usage or need-to-know/need-to-share changes. [AC-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]
PIN codes should be random and long. For Bluetooth v2.0 or earlier, an 8-character, alphanumeric PIN should be used. For sensitive connections, fixed PINs should not be used. Portable devices with Bluetooth should use passwords to prevent unauthorized access if the device is stolen or lost. [Table 4-2 Item 9, Table 4-2 Item 25, Guide to Bluetooth Security, NIST Special Publication 800-121, September 2008]
The administrator password for access points should be strong and unique. [Table 8-4 Item 37, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST Special Publication 800-97, February 2007]
User authentication methods should be enabled on all cell phones and PDAs. The methods usually available on all devices are PINs and passwords. [§ 4.1.2, § 4.1.6, Guidelines on Cell Phone and PDA Security, NIST Special Publication 800-124, October 2008]
US State Laws and Protectorates Guidance
Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all computers and wireless systems. At a minimum, it must include secure user authentication protocols that control user IDs, that use a secure method for assigning and selecting passwords, that control the passwords to ensure they are kept in a location and/or format that will prevent the compromise of the data, that restrict access to active accounts and users, and that block access after a certain number of unsuccessful attempts. [§ 17.04(1), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts]
Where possible, use technological means to restrict internal access to specific categories of personal information. [Part I ¶ 4, California OPP Recommended Practices on Notification of Security Breach, May 2008]
System Configuration Guidance
Non-administrator accounts should be used for normal day-to-day operations. If additional privileges are needed, the user will be prompted to enter an administrative userid and password. By using a non-administrator account, the system is being protected by only allowing malware or system defects to affect areas the user has access to, not the entire system. [§ 2.7, Center for Internet Security Mac OS X Tiger Level I Security Benchmark, v1.0 May 2008]
Administrator accounts should be used for administration purposes only. For day-to-day use, standard user accounts should be used. A user should be required to enter both a username and password when authenticating himself or herself. [Pg 23, Pg 24, Pg 42, Pg 43, Pg 45, Pg 65, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition]
System Administrator accounts should be used for administration purposes only. For day-to-day use, System Administrators should use standard user accounts. Members of the Backup Operators group should have unique accounts assigned for the purpose of backing up the system. They should have standard user accounts for daily use. [§ 3.2, § 5.7.1.7, DISA Windows Server 2003 Security Checklist Version 6 Release 1.11, Version 6 Release 1.11]
System Administrators should be assigned standard user accounts for their daily non-administration tasks. Their System Administrator userIDs and passwords should be used only when they are performing administrative tasks. [§ 3.2, DISA Windows XP Security Checklist, Version 6 Release 1.11]
Each Administrator should have a separate standard account for his/her daily non-administrative tasks. [§ 3.1 (1.006), DISA Windows VISTA Security Checklist, Version 6 Release 1.11]
Other Configuration Guidance
CAC or PIN authentication should be used to unlock wireless e-mail devices. If PIN authentication is used, the number of incorrect passwords before a device wipe occurs should be set to 10 or less; passwords should be changed at least once every 90 days; and the PIN should be set to 5 or more characters (8 or more is recommended). If 5 characters are used, the PIN should include a letter and a number. If 6 or more characters are used, only numbers should be used. Certificate passwords, Service Account passwords, Sensa Admin passwords, and Trust Digital administrative account passwords should be compliant with the organization's procedures. [§ 2.2 (WIR1100), § 3.4, § 3.5.1 thru § 3.5.3, App B.2, DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2]
Wireless e-mail devices should use either CAC or PIN authentication to unlock the device. If PIN authentication is used, the number of incorrect passwords before a device wipe occurs should be set to 10 or less; passwords should be changed at least once every 90 days; and the PIN should be set to 5 or more characters (8 or more is recommended). If 5 characters are used, the PIN should include a letter and a number. If 6 or more characters are used, only numbers should be used. The Good Management Server Security policy rule "Require Password" should be checked and "S/MIME Password Type" should be set to either "Normal" or "User CAC PIN and require CAC". These are located under the Password tab. [§ 2.2 (WIR1100), App B.1, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, V5R2.3, Version 5 Release 2.3]
All communications devices and devices that access the network remotely must be protected by passwords. Passwords must, at a minimum, be created and maintained in accordance with DoD Instruction 8500.2. All Administrator passwords used on remote devices and other communications devices must be recorded by the Information Assurance Officer and stored in a secure manner. [§ 3, § 5.5, § 6, DISA Secure Remote Computing Security Technical Implementation Guide version 1.2, Version 1, Release 2]
Wireless e-mail devices should use either CAC or Password authentication to unlock the device. If Password authentication is used, the number of incorrect passwords before a device wipe occurs should be set to 10 or less; passwords should be changed at least once every 90 days; and the password should be set to 5 or more characters (8 or more is recommended). If 5 characters are used, the password should include a letter and a number. If 6 or more characters are used, only numbers should be used. If CAC authentication is not available for Administrative passwords, the passwords should be at least 9 characters and should contain at least 2 lowercase letters, 2 uppercase letters, 2 numbers, and 2 special characters. During INFOCON Level 4, the minimum password length should be 15 characters. The Trust Digital security policy rule "Minimum Password Length" should be set to 6 or more, "Password Expiration" should be set to 90 days, and "Password Failure Action" should be Enabled (enter 10 or less and select "Wipe All Data"). This is located under Policy Manager/Power-on Password. [§ 2.2 (WIR2100), § 3.4.5, App B.3, DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4]
PDAs and Smart phones should use either CAC or PIN authentication to unlock the device. If PIN authentication is used, the number of incorrect passwords before a device wipe occurs should be set to 10 or less; passwords should be changed at least once every 90 days; and the PIN should be set to 5 or more characters (8 or more is recommended). If 5 characters are used, the PIN should include a letter and number. If 6 or more characters are used, only numbers should be used.
Interview the Information Assurance Officer (IAO) and the Security Administrator to verify that PIN or CAC authentication is used, and if PIN authentication is used, verify it is configured correctly. [§ 5 (WIR0450), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2]
ISO Guidance
The system should be able to verify that user-generated secrets (for example, passwords) meet the organization's defined standards. The system also should be able to generate secrets that meet the defined standards and be able to provide a list of functions, such as a password-based authentication system, that must use the secret to operate. [§ 12.3, § G.3, ISO/IEC 15408-2:2008 Common Criteria for Information Technology Security Evaluation Part 2, 2008]
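The Common Criteria requirement above (verify user-chosen secrets against the defined standard, and be able to generate secrets that meet it) is the enforcement point for the password rules that appear elsewhere on this page: minimum length [UCF 00521], both letters and digits [00522], no reuse of the last few passwords [00523], and no dictionary words [IRS Publication 1075]. The following is an added example (Python), not text or code from any of the cited standards: one policy function that both validation and generation use, so the generator cannot drift from the rule the verifier applies. The rule values, the five-word stand-in dictionary, the history depth and the PBKDF2 parameters are assumptions; the point is that the history holds salted digests of earlier passwords, never the passwords themselves.

```python
"""Password-standard enforcement: check a user-chosen password against the
organisation's rules and generate one that satisfies the same rules.
Added example; rule values, word list and hashing parameters are assumptions."""
import hashlib
import hmac
import secrets
import string
from typing import List, Tuple

MIN_LENGTH = 12             # assumed organisational minimum (UCF 00521)
HISTORY_DEPTH = 5           # "last few passwords" (UCF 00523), assumed value
PBKDF2_ROUNDS = 100_000     # assumed; raise for production hardware
# Constructed stand-in for a real word list; a deployment loads a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "letmein", "company"}
ALPHABET = string.ascii_letters + string.digits

HistoryEntry = Tuple[bytes, bytes]   # (salt, digest); plaintext is never stored


def _digest(password: str, salt: bytes) -> bytes:
    # Per-entry salt so the same password yields a different digest in each slot.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_password(password: str, history: List[HistoryEntry]) -> List[str]:
    """Return the list of violated rules; an empty list means the password is compliant.
    history is the user's previous passwords as (salt, digest), newest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("needs_letters_and_digits")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains_dictionary_word")
    for salt, digest in history[:HISTORY_DEPTH]:
        # Constant-time comparison; one match is enough to reject.
        if hmac.compare_digest(_digest(password, salt), digest):
            problems.append("reused_recent_password")
            break
    return problems


def remember(password: str, history: List[HistoryEntry]) -> List[HistoryEntry]:
    """Record an accepted password: prepend its salted digest, keep only HISTORY_DEPTH."""
    salt = secrets.token_bytes(16)
    return [(salt, _digest(password, salt))] + history[:HISTORY_DEPTH - 1]


def generate_password(history: List[HistoryEntry], length: int = 16) -> str:
    """Draw a random alphanumeric password and verify it with the same check the
    user-chosen path uses; redraw on the rare sample that fails (e.g. no digit)."""
    if length < MIN_LENGTH:
        raise ValueError("requested length is below the organisational minimum")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, history):
            return candidate


if __name__ == "__main__":
    hist = remember("CorrectHorse9Battery", [])
    for pw in ("CorrectHorse9Battery", "short1", "Welcome2009Friends", "Tr0ub4dor&3xyz"):
        print(f"{pw:24} {check_password(pw, hist) or 'ok'}")
    print("generated:", generate_password(hist))
```

The dictionary test is a substring match on the lower-cased password, so "Welcome2009" is rejected even though it is long and mixed; a deployment would also normalise common substitutions ("0" for "o") before the lookup. Because `generate_password` goes through `check_password`, tightening the rules in one place tightens both paths.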
A formal process should be in place for the granting and revoking of access to information systems. The access control procedures should include issuing unique IDs; checking the level of access; giving users a written statement of their rights; requiring users to sign a statement that they understand their rights; maintaining a record of who has access; and periodically checking and removing redundant user IDs. [§ 11.2.1, ISO 17799:2005 Code of Practice for Information Security Management]
A formal procedure should be in place describing the password distribution process when the organization requires personnel to use passwords. [Annex A.11.2.3, ISO 27001:2005, Information Security Management Systems - Requirements]
A formal process should be in place for the granting and revoking of access to information systems. The access control procedures should include issuing unique IDs; checking the level of access; giving users a written statement of their rights; requiring users to sign a statement that they understand their rights; maintaining a record of who has access; and periodically checking and removing redundant user IDs. [§ 11.2.1, ISO/IEC 27002-2005 Code of practice for information security management]
ITIL Guidance
[§ 4.2, OGC ITIL: Security Management]
General Guidance
The organization should ensure that requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges are addressed by user account management. An approval procedure outlining the data or system owner granting the access privileges should be included. These procedures should apply for all users, including administrators (privileged users), internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information are contractually arranged for all types of users. Perform regular management review of all accounts and related privileges. [DS5.4, CobiT 4.1]
The identity and access management policy should provide measures for authorizing and administering user access privileges consistently throughout the organization. [SM4.4.4(c), SM4.4.4(d), The Standard of Good Practice for Information Security]
Asia and Pacific Rim Guidance
The use of privileged accounts should be kept to a minimum. User account management should be used to promote and maintain the security of the system. [§ 2.7.38, § 3.6.21, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
• Establish and maintain a user account management metrics program [UCF Control ID 02075]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
