Establish and maintain a user identification and authentication metrics program.

UCF ID: 02073
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

    Report on the number of active user IDs assigned to only one person. [UCF Control ID 02074]
    Report on the percentage of systems and applications that perform password policy verification. [UCF Control ID 02086]
    Report on the percentage of active user passwords that are set to expire in accordance with the password policy. [UCF Control ID 02087]
    Report on the percentage of systems with critical information assets that use stronger authentication than user IDs and passwords in accordance with the password policy. [UCF Control ID 02088]
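One way to produce these four supporting-control reports from an account and system inventory, as an added example that is not part of the UCF control or of either authority document: the Account, System and PasswordPolicy records, the reading of 02074 as "active ID with exactly one owner", of 02087 as "expiry date set no later than max_age_days after the last password change", and of 02088 as "at least one non-password factor" are all assumptions made here, and the sample inventory is constructed.

```python
# Added example: computing the four supporting-control metrics
# (UCF 02074, 02086, 02087, 02088) from an inventory. The data model, the
# policy reading and the sample records are all constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Account:
    user_id: str
    owners: tuple                  # people entitled to use this ID (assumed field)
    active: bool
    pw_set_on: Optional[date]      # last password change; None = never set
    pw_expires_on: Optional[date]  # None = password never expires


@dataclass(frozen=True)
class System:
    name: str
    critical: bool                  # holds critical information assets
    enforces_password_policy: bool  # verifies new passwords against the policy
    auth_factors: frozenset         # e.g. {"password", "otp", "smartcard"}


@dataclass(frozen=True)
class PasswordPolicy:
    max_age_days: int  # passwords must be set to expire within this many days


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the population is empty."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def single_owner_active_ids(accounts: Iterable[Account]) -> int:
    """UCF 02074: number of active user IDs assigned to exactly one person."""
    return sum(1 for a in accounts if a.active and len(a.owners) == 1)


def pct_systems_verifying_policy(systems: Iterable[System]) -> float:
    """UCF 02086: percentage of systems that verify passwords against policy."""
    systems = list(systems)
    return pct(sum(1 for s in systems if s.enforces_password_policy), len(systems))


def expires_per_policy(a: Account, policy: PasswordPolicy) -> bool:
    """True when the password has an expiry set no later than max_age_days
    after it was last changed. A missing set date or a never-expiring
    password fails the check (assumed reading of 02087)."""
    if a.pw_set_on is None or a.pw_expires_on is None:
        return False
    return a.pw_expires_on <= a.pw_set_on + timedelta(days=policy.max_age_days)


def pct_passwords_expiring_per_policy(accounts: Iterable[Account],
                                      policy: PasswordPolicy) -> float:
    """UCF 02087: percentage of active user passwords set to expire per policy."""
    active = [a for a in accounts if a.active]
    return pct(sum(1 for a in active if expires_per_policy(a, policy)), len(active))


def pct_critical_systems_stronger_auth(systems: Iterable[System]) -> float:
    """UCF 02088: percentage of critical systems using authentication stronger
    than user ID and password, read here as at least one non-password factor."""
    critical = [s for s in systems if s.critical]
    stronger = [s for s in critical if s.auth_factors - {"password"}]
    return pct(len(stronger), len(critical))


def ia_metrics(accounts, systems, policy) -> dict:
    """All four supporting-control figures in one report."""
    return {
        "02074_single_owner_active_ids": single_owner_active_ids(accounts),
        "02086_pct_systems_verifying_policy": pct_systems_verifying_policy(systems),
        "02087_pct_passwords_expiring_per_policy":
            pct_passwords_expiring_per_policy(accounts, policy),
        "02088_pct_critical_systems_stronger_auth":
            pct_critical_systems_stronger_auth(systems),
    }


# Constructed sample inventory (not real data). Note the shared ID, the
# never-expiring password, the inactive account and the 180-day expiry.
SAMPLE_ACCOUNTS = [
    Account("alice", ("Alice",), True, date(2009, 1, 15), date(2009, 4, 15)),
    Account("bob", ("Bob",), True, date(2009, 2, 1), None),
    Account("ops-shared", ("Carol", "Dan"), True, date(2009, 3, 1), date(2009, 5, 30)),
    Account("eve", ("Eve",), False, date(2008, 6, 1), date(2008, 8, 30)),
    Account("svc-backup", ("Frank",), True, date(2009, 1, 1), date(2009, 6, 30)),
]
SAMPLE_SYSTEMS = [
    System("hr-db", True, True, frozenset({"password", "otp"})),
    System("payroll", True, False, frozenset({"password"})),
    System("wiki", False, True, frozenset({"password"})),
    System("vpn", True, True, frozenset({"smartcard"})),
]
SAMPLE_POLICY = PasswordPolicy(max_age_days=90)

if __name__ == "__main__":
    for name, value in ia_metrics(SAMPLE_ACCOUNTS, SAMPLE_SYSTEMS, SAMPLE_POLICY).items():
        print(f"{name}: {value}")
```

The denominators matter as much as the numerators: 02074 counts IDs while the other three are percentages, inactive accounts are excluded from 02087 so that stale entries do not inflate or dilute the figure, and 02088 is computed over critical systems only. A metrics program should record those population definitions alongside the numbers so that reports are comparable from period to period.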

Authority documents complied with:

CISWG Information Security Program Elements, January 10, 2005, ISPE18; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.2.1

US Federal Security Guidance

The organization must measure and report on user identification and authentication. [ISPE18, CISWG Information Security Program Elements, January 10, 2005]

ISO Guidance

Identification and Authentication (I&A). An organization should implement safeguards which assure Identification and Authentication. Identification is the means by which a user provides a claimed identity to a system. Authentication is the means of establishing the validity of this claim. The following ways are examples of how to achieve I&A safeguards (other ways of classifying I&A mechanisms are possible).
1. I&A (Identification and Authentication) Based on Something the User Knows.
Passwords are the most typical way to provide I&A based on something the user knows linked with a user identification process. The allocation of passwords and their regular change should be controlled. If users are choosing the passwords themselves, they should be aware of the common rules for password design and handling. Software can be used to support this, for example by limiting the use of common passwords or patterns and characters. If it is necessary or wanted, copies of passwords should be stored securely to allow authorized access if the user is not available or has forgotten the password. I&A based on something the user knows can also make use of cryptographic means and authentication protocols. This type of identification and authentication can also be used for remote I&A.
2. I&A (Identification and Authentication) Based on Something the User Possesses.
Objects that users possess for the purpose of I&A can be memory tokens and smart tokens. A common application of memory tokens is the magnetic material on the back of a credit card. Authentication is provided based on something the user possesses (the card) and something the user knows (the PIN). Typical examples of smart tokens are smart cards.
3. I&A (Identification and Authentication) Based on Something the User Is.
Biometric authentication technologies use the unique characteristics or attributes of an individual to authenticate the person’s identity. This could be fingerprints, hand geometry, retina pattern, as well as voice patterns or hand-written signatures. Relevant details can be securely stored on smart cards, or a system.
[¶ 8.2.1, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.