UCF ID: 00515
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Maintain user accounts and access management for those users. [UCF Control ID 00514]
This control has the following supporting controls:
- Verify user identities in person before resetting a password. [UCF Control ID 04567]
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 8.2.2.c; AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 1.2.d, ¶ .20 § 1.2.d, ¶ .24 § 1.2.d, ¶ .29 § 1.2.d; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 33, Obj 4.6; FFIEC IT Examination Handbook – Information Security, Pg 33, Exam Tier II Obj A.4 (Authentication), Exam Tier II Obj A.10 (Authentication), Exam Tier II Obj A.14 (Authentication); FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier II Obj 4.1; Health Insurance Portability and Accountability Act of 1996 (HIPAA), § 164.312(a)(2)(i); North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-007-1 R5.1.1; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 7.1.4, § 8.5.1; VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business, Pg 32; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-15.d; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-303.g; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.7, Exhibit 4 IA-4; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.11.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § AC-2(c), App F § AC-2(d); Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AC-2.1, AC-2.3, AC-2(1), IA-4.1; The Standard of Good Practice for Information Security, SM4.4.6(a); Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts, § 17.04(1)(a); Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 7.1.4, § 8.5.1; Italy Personal Data Protection Code, Annex B.6; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.2.1(1)
Banking and Finance Guidance
The organization should enforce password requirements and provide password selection guidance to customers and employees to reduce the risk of a password being compromised. [Pg 33, Obj 4.6, FFIEC IT Examination Handbook – E-Banking, August 2003]
When a user needs to have his/her authentication information reissued due to forgetting the password or losing a token, the organization should verify the identity of the individual. [Pg 33, Exam Tier II Obj A.4 (Authentication), Exam Tier II Obj A.10 (Authentication), Exam Tier II Obj A.14 (Authentication), FFIEC IT Examination Handbook – Information Security]
[Exam Tier II Obj 4.1, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
Healthcare and Life Science Guidance
[§ 164.312(a)(2)(i), Health Insurance Portability and Accountability Act of 1996 (HIPAA)]
Energy Guidance
The Responsible Entity shall ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003 Requirement R5. [CIP-007-1 R5.1.1, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
Payment Card Guidance
The organization must ensure it has developed a password and user authentication management program that controls the addition, modification, and deletion of userIDs, credentials, and other identified objects.
Examine a sample of userIDs to verify all userIDs of both general users and Administrators have an authorization form and the privileges for each user are the same as what is authorized on the authorization form.
Interview personnel to ensure they must request authorization prior to being given access to the system. [§ 7.1.4, § 8.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]
When customers forget their password, they should be asked the security question they chose and answered during registration. If they answer correctly, they should be allowed to change their password. [Pg 32, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business]
The organization must ensure it has developed a password and user authentication management program that controls the addition, modification, and deletion of userIDs, credentials, and other identified objects. [§ 7.1.4, § 8.5.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
US Federal Security Guidance
Passwords should be generated by random generator software. [§ 2-15.d, Army Regulation 380-19: Information Systems Security, February 27, 1998]
Active userIDs must be revalidated at least annually. [§ 8-303.g, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]
Calls for Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
US Internal Revenue Guidance
User accounts must be authorized by an organization official prior to being issued. Operating procedures must be developed to verify the status of users whose privileges have been revoked or suspended by the computer system. [§ 5.6.7, Exhibit 4 IA-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
[§ 3.11.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
App F § AC-2(c) The organization must develop information system account management procedures that authorize users and establish access privileges.
App F § AC-2(d) The organization must develop information system account management procedures that require approvals to establish accounts. [App F § AC-2(c), App F § AC-2(d), Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records and documents should be examined to ensure the activation, addition, modification, disabling, and removal of user accounts are accomplished in accordance with documented procedures and userIDs are issued to the correct personnel after being approved by an appropriate individual. [AC-2.1, AC-2.3, AC-2(1), IA-4.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
US State Laws and Protectorates Guidance
Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all computers and wireless systems and must include controls for user IDs and other identifiers. [§ 17.04(1)(a), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts]
ISO Guidance
Identification and Authentication (I&A). An organization should implement safeguards which assure Identification and Authentication. Identification is the means by which a user provides a claimed identity to a system. Authentication is the means of establishing the validity of this claim. The following ways are examples of how to achieve I&A safeguards (other ways of classifying I&A mechanisms are possible).
1. I&A (Identification and Authentication) Based on Something the User Knows.
Passwords are the most typical way to provide I&A based on something the user knows linked with a user identification process. The allocation of passwords and their regular change should be controlled. If users are choosing the passwords themselves, they should be aware of the common rules for password design and handling. Software can be used to support this, for example by limiting the use of common passwords or patterns and characters. If it is necessary or wanted, copies of passwords should be stored securely to allow authorized access if the user is not available or has forgotten the password. I&A based on something the user knows can also make use of cryptographic means and authentication protocols. This type of identification and authentication can also be used for remote I&A. [¶ 8.2.1(1), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
General Guidance
The access procedures should include procedures on how to change and update user profiles. [ID 8.2.2.c, AICPA/CICA Privacy Framework]
The procedures for adding, modifying, or deleting user accounts should be included in the organization's security policy, system availability policy, system processing integrity policy, and system confidentiality policy. These policies should restrict logical access to the system. [¶ .17 § 1.2.d, ¶ .20 § 1.2.d, ¶ .24 § 1.2.d, ¶ .29 § 1.2.d, AICPA Suitable Trust Services Principles and Criteria]
The identity and access management policy should ensure access rights can be quickly changed or removed for groups of users. [SM4.4.6(a), The Standard of Good Practice for Information Security]
Other European and African Guidance
An ID code that has been used by one person in charge of processing may not be assigned to another person in charge of processing, even at a different time. [Annex B.6, Italy Personal Data Protection Code]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
