Establish, implement, and maintain an access rights management plan.


CONTROL ID
00513
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an access control program., CC ID: 11702

This Control has the following implementation support Control(s):
  • Implement safeguards to protect access credentials from unauthorized access., CC ID: 16433
  • Inventory all user accounts., CC ID: 13732
  • Identify information system users., CC ID: 12081
  • Control access rights to organizational assets., CC ID: 00004
  • Control user privileges., CC ID: 11665
  • Establish, implement, and maintain User Access Management procedures., CC ID: 00514
  • Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework., CC ID: 00526
  • Protect and manage biometric systems and biometric data., CC ID: 01261
  • Document the business need justification for authentication data storage., CC ID: 06325


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should identify the locations of customer data residing in different parts of AIs' networks and systems and ensure that adequate logical access controls are in place at different levels (e.g. application level, database level, operating system level, network level) to prevent unauthorized access… (Annex C. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • T26.2: The organization should implement the following security controls for personal identification numbers (PINs) and passwords: reject small or NULL passwords or PINs; set passwords and PINs to expire and prompt users to change them; not allow users to use their previous two passwords; define imp… (T26.2, T36, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Internal sabotage, clandestine espionage or furtive attacks by trusted staff, contractors and vendors are potentially among the most serious risks that FIs could face in an increasingly complex and dynamic IT environment. Current and past staff, contractors, vendors and those who have knowledge of t… (§ 9.1.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Users and services accessing networks through gateways are authenticated. (Security Control: 0619; Revision: 5, Australian Government Information Security Manual, March 2021)
  • Only users and services authenticated and authorised to a gateway can use the gateway. (Security Control: 0620; Revision: 4, Australian Government Information Security Manual, March 2021)
  • The procedures for implementing access rights to data and applications should be included in the Standard Operating Procedures for the System Administrator. (Control: 0055 Table Row "Access control", Australian Government Information Security Manual: Controls)
  • The organization must ensure the identification, authentication, and audit mechanisms for the Multi-Function Device are of similar strength as it is for workstations on the network, when the Multi-Function Device is connected to a computer network that is able to communicate to another network b… (Control: 0590 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must establish and maintain policies and procedures for identification, authentication, and authorization. (Control: 0413 Bullet 1, Australian Government Information Security Manual: Controls)
  • Authentication and authorization should be used for all actions, including call setup, on the video conferencing network. (Control: 0553 Bullet 1, Australian Government Information Security Manual: Controls)
  • Authentication and authorization should be used for all actions, including changing settings, on the video conferencing network. (Control: 0553 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must ensure that only users who have been authorized and authenticated to the gateway can use the gateway. (Control: 0620, Australian Government Information Security Manual: Controls)
  • The organization should implement measures for identifying and authenticating users and Information Technology assets. (¶ 40, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should normally require the use of increased authentication strength for remote access to critical or sensitive Information Technology assets. (¶ 42(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should normally require the use of increased authentication strength for high-risk activities. (¶ 42(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • identification, authorisation and granting of access to information assets (refer to Attachment C for further guidance); (21(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • identification, authorisation and granting of access to IT assets (by individuals and other IT assets); (¶ 27(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The organization should develop policies and procedures for user identification, user authentication, and user authorization. All personnel should be made aware of these policies and procedures. (§ 3.6.2, § 3.10.14, Australian Government ICT Security Manual (ACSI 33))
  • (§ G.4.3, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administ… (Art. 9.4. ¶ 1(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • identity and authorisation management, (§ 8.1 Subsection 5 ¶ 2 Bullet 4, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Requirements for the approval and documentation of the management of system and data access authorisations (Section 5.7 IDM-01 Basic requirement ¶ 1 Bullet 6, Cloud Computing Compliance Controls Catalogue (C5))
  • User access rights concepts define the scope and the conditions of use for access rights to IT systems in a manner that is consistently in line with the determined protection requirements and can be completely and comprehensibly deduced for all access rights for an IT system. User access rights conc… (II.5.24, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The control bodies responsible for setting up, changing, deactivating or deleting access rights shall also be involved in reviewing whether access rights granted are still required and whether these comply with the requirements contained in the user access rights concept (recertification). (II.5.27, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The setting up, changing, deactivating and deleting of access rights and recertification shall be documented in a way that facilitates comprehension and analysis. (II.5.28, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The requirements for the management of access rights (authorization) are determined and fulfilled. The following aspects are considered: (4.2.1 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • Procedure for application, verification and approval, (4.2.1 Requirements (must) Bullet 1 Sub-Bullet 1, Information Security Assessment, Version 5.1)
  • The processing of personal data by electronic means will only be allowed if the following minimum security measures are implemented with the technical specifications stated in Annex B of this Code: computerized authentication; authentication credentials management procedures; and an authorization sy… (§ 34.1(a) thru § 34.1(c), Italy Personal Data Protection Code)
  • identity and access management, which should include stricter controls for individuals whose role can create a higher risk in the event of unauthorised access, (eg systems administrators). Firms should be particularly vigilant about privileged accounts becoming compromised as a result of phishing at… (§ 7.11 Bullet 3, SS2/21 Outsourcing and third party risk management, March 2021)
  • (§ 4.2.4, OGC ITIL: Security Management)
  • (§ IV, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • All users must be authenticated before accessing eGuide. (§ 2.9, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • Physical access rights and logical access rights for all operators must be clearly defined and controlled. (¶ 19.3 Bullet 1, Good Practices For Computerized systems In Regulated GXP Environments)
  • Electronic signatures or an authentication or identification method should be used when a computerized gxp system can be accessed externally. (¶ 21.5 Bullet 1, Good Practices For Computerized systems In Regulated GXP Environments)
  • Electronic signatures, authentication methods, or identification methods should be used when the system electronically generates gxp regulatory records. (¶ 21.5 Bullet 2, Good Practices For Computerized systems In Regulated GXP Environments)
  • Electronic signatures, authentication methods, or identification methods should be used when an electronic interface is used to make key decisions and actions. (¶ 21.5 Bullet 3, Good Practices For Computerized systems In Regulated GXP Environments)
  • The authorized user logons for specific applications must be controlled and managed. (¶ 21.8 Bullet 1, Good Practices For Computerized systems In Regulated GXP Environments)
  • Defined procedures should exist for issuing, canceling, and altering authorization to enter data and correct data, including changing personal passwords. (¶ 8, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems… (DS5.3 Identity Management, CobiT, Version 4.1)
  • Examine system settings and vendor documentation to verify that an access control system is implemented. (§ 7.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Confirm that Access Control Systems are in place on all system components. (§ 7.2.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • For each type of authentication method used and for each type of system component, observe an authentication to verify authentication is functioning consistent with documented authentication method(s). (§ 8.2 Bullet 2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview personnel and examine documentation to verify security policies and operational procedures for Identification and Authentication have been documented. (Testing Procedures § 8.8 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify security policies and operational procedures for Identification and Authentication have been implemented. (Testing Procedures § 8.8 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify access to the identification process is limited to authorized personnel. (Testing Procedures § 9.2.c, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine system settings and vendor documentation to verify that an access control system is implemented. (§ 7.2 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. (§ 7.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Confirm that access control systems are in place on all system components. (§ 7.2.1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Confirm that access control systems are in place on all system components. (§ 7.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Each role's access needs must be defined for the level of privilege required to access resources. (PCI DSS Requirements § 7.1.1. Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Policies and procedures must be defined and implemented to ensure the proper user management identification for administrators and non-consumer users on all system components. (PCI DSS Requirements § 8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for Identification and Authentication must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 8.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. (8.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Define access needs for each role, including: - System components and data resources that each role needs to access for their job function - Level of privilege required (for example, user, administrator, etc.) for accessing resources. (7.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows: (8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows: (8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. (8.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows: (8.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. (8.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are policies and procedures for user identification management controls defined and in place for non-consumer users and administrators on all system components, as follows: (8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is access to system components and cardholder data limited to only those individuals whose jobs require such access, as follows: - Is there a written policy for access control that incorporates the following? - Defining access needs and privilege assignments for each role - Restriction of access to… (7.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are policies and procedures for user identification management controls defined and in place for non-consumer users and administrators on all system components, as follows: (8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is there a written policy for access control that incorporates the following? - Defining access needs and privilege assignments for each role - Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities, - Assignment of access based on individual perso… (7.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is there a written policy for access control that incorporates the following? - Defining access needs and privilege assignments for each role - Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities, - Assignment of access based on individual perso… (7.1 Bullet, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are policies and procedures for user identification management controls defined and in place for non-consumer users and administrators on all system components, as follows: (8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is there a written policy for access control that incorporates the following? - Defining access needs and privilege assignments for each role - Restriction of access to privileged user IDs to least privileges necessary to perform job responsibilities, - Assignment of access based on individual perso… (7.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are policies and procedures for user identification management controls defined and in place for non-consumer users and administrators on all system components, as follows: (8.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for identification and authentication: - Documented - In use - Known to all affected parties? (8.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Review procedures and confirm they define processes for each of the items below at 8.1.1 through 8.1.8 (8.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Verify that procedures are implemented for user identification management, by performing the following: (8.1.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for identification and authentication are: - Documented, - In use, and - Known to all affected parties. (8.8, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Unique usernames and secure authentication should be used to gain administrative access, for access to any cardholder data, and to access PCs, servers, and payment databases. Changing this setting in the application after installation may result in noncompliance with PCI DSS. (§ 3.1, § 3.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • An access control model is defined and includes granting access as follows: (7.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documented policies and procedures and interview personnel to verify the access control model is defined in accordance with all elements specified in this requirement. (7.2.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are authentication procedures and policies documented and communicated to all users? (PCI DSS Question 8.4(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are security policies and operational procedures for identification and authentication documented, in use, and known to all affected parties? (PCI DSS Question 8.8, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are authentication procedures and policies documented and communicated to all users? (PCI DSS Question 8.4(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are security policies and operational procedures for identification and authentication documented, in use, and known to all affected parties? (PCI DSS Question 8.8, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • An access control model is defined and includes granting access as follows: (7.2.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An access control model is defined and includes granting access as follows: (7.2.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The organization should consider requiring customers to become members of the web site. Employee access to the customer information should be limited. (Pg 73, Pg 75, Pg 78, Pg 81, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • Access control and authentication policies should be included in the data protection efforts for ensuring network security. (§ 5.2 (Network Security), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • General application security controls must be reviewed when the application's logical access controls are performed. The general application security controls to review include: the length of the username, user identification, and password; the password age, character combinations, and rotation; loc… (§ 4 (Access Controls) ¶ 2, IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • Many individuals only think of humans when identities are discussed. However, there are also service accounts, machines, and other non-human identities. Failing to control these other identities and their access can hurt the overall control framework. The process for requesting creation or deletion … (§ 3 ¶ 2, § 3.4.1, § 4.2.1 (Determine Identity Repositories) ¶ 2, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • Standards / procedures should cover actions to be performed before granting customer access. (CF.05.01.02a, The Standard of Good Practice for Information Security)
  • Access Control arrangements should supplement passwords (e.g., by using strong authentication, such as smartcards, biometrics, or tokens), when necessary. (CF.06.01.04d, The Standard of Good Practice for Information Security)
  • Whenever access privileges need to be assigned collectively, this should be documented. (CF.06.01.07-2, The Standard of Good Practice for Information Security)
  • The processes for authorizing users should be applied to all users. (CF.06.02.01a-3, The Standard of Good Practice for Information Security)
  • All users should be authenticated by using an identifier (e.g., a UserID) and an authenticator (e.g., a password (sometimes referred to as a passphrase, passcode, and Personal Identification Number code)) before they can gain access to any critical or sensitive business information. (CF.06.04.01-1, The Standard of Good Practice for Information Security)
  • All users should be authenticated by using an identifier (e.g., a UserID) and an authenticator (e.g., a password (sometimes referred to as a passphrase, passcode, and Personal Identification Number code)) before they can gain access to any business applications. (CF.06.04.01-2, The Standard of Good Practice for Information Security)
  • All users should be authenticated by using an identifier (e.g., a UserID) and an authenticator (e.g., a password (sometimes referred to as a passphrase, passcode, and Personal Identification Number code)) before they can gain access to any Operating Systems. (CF.06.04.01-3, The Standard of Good Practice for Information Security)
  • All users should be authenticated by using an identifier (e.g., a UserID) and an authenticator (e.g., a password (sometimes referred to as a passphrase, passcode, and Personal Identification Number code)) before they can gain access to any computing devices. (CF.06.04.01-4, The Standard of Good Practice for Information Security)
  • All users should be authenticated by using an identifier (e.g., a UserID) and an authenticator (e.g., a password (sometimes referred to as a passphrase, passcode, and Personal Identification Number code)) before they can gain access to any networks. (CF.06.04.01-5, The Standard of Good Practice for Information Security)
  • There should be a secure process to enable users to authenticate when the token authentication fails (e.g., issuing temporary or One-Time Passwords). (CF.06.05.05, The Standard of Good Practice for Information Security)
  • There should be a secure process to enable users to authenticate when the biometric authentication fails (e.g., issuing temporary or One-Time Passwords). (CF.06.06.05, The Standard of Good Practice for Information Security)
  • Individuals should be supported by approved methods of administering users (e.g., adding new business users, updating access privileges, and revoking user access rights). (CF.02.05.06a, The Standard of Good Practice for Information Security)
  • Identity and Access Management arrangements shall be established to provide enterprise-wide user provisioning and Access Control. (CF.08.02.01, The Standard of Good Practice for Information Security)
  • Identity and Access Management arrangements should be incorporated into an enterprise-wide solution, and applied to new business applications when they are introduced into the organization. (CF.08.02.02, The Standard of Good Practice for Information Security)
  • Identity and Access Management arrangements shall keep the number of sign-ons required by users to a minimum. (CF.08.02.03b, The Standard of Good Practice for Information Security)
  • Digital Rights Management should be built upon a robust, recoverable technical infrastructure that is supported by identity and access management arrangements to enable access privileges to be configured correctly and consistently. (CF.08.08.03b, The Standard of Good Practice for Information Security)
  • External access to Information Systems and networks should be subject to strong authentication (e.g., challenge / response devices featuring One-Time Passwords, smartcards, tokens, or biometrics). (CF.09.03.08, The Standard of Good Practice for Information Security)
  • The Digital Rights Management system should protect information in each Digital Rights Management object by restricting access to a specified timeframe (e.g., after a given date or until a particular date). (CF.08.08.07b, The Standard of Good Practice for Information Security)
  • Network storage systems should be designed and configured to enable authorized users to access multiple systems and resources via single sign-on. (CF.07.04.03d, The Standard of Good Practice for Information Security)
  • Where federated identity and access management is used, arrangements should be made to ensure it builds upon the organization's existing identity and access management arrangements. (CF.08.02.07a, The Standard of Good Practice for Information Security)
  • Where federated identity and access management is used, arrangements should be made to ensure it is subject to separate governance, planning, risk assessment, review, and monitoring. (CF.08.02.07b, The Standard of Good Practice for Information Security)
  • Where federated identity and access management is used, arrangements should be made to ensure it takes into account the needs of federated identity and access management partners (i.e., those organizations to which federated identity and access management connections will be established). (CF.08.02.07c, The Standard of Good Practice for Information Security)
  • Where federated identity and access management is used, arrangements should be made to ensure it makes use of only agreed federated identity and access management protocols (e.g., Security Assertion Markup Language, openid, ws-trust, and ws-federation). (CF.08.02.07d, The Standard of Good Practice for Information Security)
  • A process for managing federated identity and access management connections should be established, which covers designing each federated identity and access management connection (e.g., determining how user access rights are managed, agreeing the structure of identifiers and attributes for users and… (CF.08.02.08b, The Standard of Good Practice for Information Security)
  • A process for managing federated identity and access management connections should be established, which covers implementing each federated identity and access management connection (e.g., configuring agreed settings in federated identity and access management software, updating identity and access … (CF.08.02.08c, The Standard of Good Practice for Information Security)
  • A process for managing federated identity and access management connections should be established, which covers operating each federated identity and access management connection (e.g., managing users' accounts and access rights, monitoring who has access to business applications, reporting user act… (CF.08.02.08d, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover actions to be performed before granting customer access. (CF.05.01.02a, The Standard of Good Practice for Information Security, 2013)
  • Access Control arrangements should supplement passwords (e.g., by using strong authentication, such as smartcards, biometrics, or tokens), when necessary. (CF.06.01.04d, The Standard of Good Practice for Information Security, 2013)
  • Whenever access privileges need to be assigned collectively, this should be documented. (CF.06.01.07-2, The Standard of Good Practice for Information Security, 2013)
  • The processes for authorizing users should be applied to all users. (CF.06.02.01a-3, The Standard of Good Practice for Information Security, 2013)
  • All users should be authenticated by using an identifier (e.g., a UserID) and an authenticator (e.g., a password (sometimes referred to as a passphrase, passcode, and Personal Identification Number code)) before they can gain access to any critical or sensitive business information. (CF.06.04.01-1, The Standard of Good Practice for Information Security, 2013)
  • All users should be authenticated by using an identifier (e.g., a UserID) and an authenticator (e.g., a password (sometimes referred to as a passphrase, passcode, and Personal Identification Number code)) before they can gain access to any business applications. (CF.06.04.01-2, The Standard of Good Practice for Information Security, 2013)
  • All users should be authenticated by using an identifier (e.g., a UserID) and an authenticator (e.g., a password (sometimes referred to as a passphrase, passcode, and Personal Identification Number code)) before they can gain access to any Operating Systems. (CF.06.04.01-3, The Standard of Good Practice for Information Security, 2013)
  • All users should be authenticated by using an identifier (e.g., a UserID) and an authenticator (e.g., a password (sometimes referred to as a passphrase, passcode, and Personal Identification Number code)) before they can gain access to any computing devices. (CF.06.04.01-4, The Standard of Good Practice for Information Security, 2013)
  • All users should be authenticated by using an identifier (e.g., a UserID) and an authenticator (e.g., a password (sometimes referred to as a passphrase, passcode, and Personal Identification Number code)) before they can gain access to any networks. (CF.06.04.01-5, The Standard of Good Practice for Information Security, 2013)
  • There should be a secure process to enable users to authenticate when the token authentication fails (e.g., issuing temporary or One-Time Passwords). (CF.06.05.05, The Standard of Good Practice for Information Security, 2013)
  • There should be a secure process to enable users to authenticate when the biometric authentication fails (e.g., issuing temporary or One-Time Passwords). (CF.06.06.05, The Standard of Good Practice for Information Security, 2013)
  • Individuals should be supported by approved methods of administering users (e.g., adding new business users, updating access privileges, and revoking user access rights). (CF.02.05.06a, The Standard of Good Practice for Information Security, 2013)
  • Identity and Access Management arrangements shall be established to provide enterprise-wide user provisioning and Access Control. (CF.08.02.01, The Standard of Good Practice for Information Security, 2013)
  • Identity and Access Management arrangements should be incorporated into an enterprise-wide solution, and applied to new business applications when they are introduced into the organization. (CF.08.02.02, The Standard of Good Practice for Information Security, 2013)
  • Identity and Access Management arrangements shall keep the number of sign-ons required by users to a minimum. (CF.08.02.03b, The Standard of Good Practice for Information Security, 2013)
  • Digital Rights Management should be built upon a robust, recoverable technical infrastructure that is supported by identity and access management arrangements to enable access privileges to be configured correctly and consistently. (CF.08.08.03b, The Standard of Good Practice for Information Security, 2013)
  • External access to Information Systems and networks should be subject to strong authentication (e.g., challenge / response devices featuring One-Time Passwords, smartcards, tokens, or biometrics). (CF.09.03.08, The Standard of Good Practice for Information Security, 2013)
  • The Digital Rights Management system should protect information in each Digital Rights Management object by restricting access to a specified timeframe (e.g., after a given date or until a particular date). (CF.08.08.07b, The Standard of Good Practice for Information Security, 2013)
  • Network storage systems should be designed and configured to enable authorized users to access multiple systems and resources via single sign-on. (CF.07.04.03d, The Standard of Good Practice for Information Security, 2013)
  • Where federated identity and access management is used, arrangements should be made to ensure it builds upon the organization's existing identity and access management arrangements. (CF.08.02.07a, The Standard of Good Practice for Information Security, 2013)
  • Where federated identity and access management is used, arrangements should be made to ensure it is subject to separate governance, planning, risk assessment, review, and monitoring. (CF.08.02.07b, The Standard of Good Practice for Information Security, 2013)
  • Where federated identity and access management is used, arrangements should be made to ensure it takes into account the needs of federated identity and access management partners (i.e., those organizations to which federated identity and access management connections will be established). (CF.08.02.07c, The Standard of Good Practice for Information Security, 2013)
  • Where federated identity and access management is used, arrangements should be made to ensure it makes use of only agreed federated identity and access management protocols (e.g., Security Assertion Markup Language, OpenID, WS-Trust, and WS-Federation). (CF.08.02.07d, The Standard of Good Practice for Information Security, 2013)
  • A process for managing federated identity and access management connections should be established, which covers designing each federated identity and access management connection (e.g., determining how user access rights are managed, agreeing the structure of identifiers and attributes for users and… (CF.08.02.08b, The Standard of Good Practice for Information Security, 2013)
  • A process for managing federated identity and access management connections should be established, which covers implementing each federated identity and access management connection (e.g., configuring agreed settings in federated identity and access management software, updating identity and access … (CF.08.02.08c, The Standard of Good Practice for Information Security, 2013)
  • A process for managing federated identity and access management connections should be established, which covers operating each federated identity and access management connection (e.g., managing users' accounts and access rights, monitoring who has access to business applications, reporting user act… (CF.08.02.08d, The Standard of Good Practice for Information Security, 2013)
  • Verify that users have a method to remove or export their data on demand. (8.3.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • The organization should establish and maintain access based on the need to know. (Critical Control 15, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary. (IAM-08, Cloud Controls Matrix, v3.0)
  • Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user identity. (IAM-04, Cloud Controls Matrix, v3.0)
  • Establish, document, approve, communicate, implement, apply, evaluate and maintain policies and procedures for identity and access management. Review and update the policies and procedures at least annually. (IAM-01, Cloud Controls Matrix, v4.0)
  • Manage, store, and review the information of system identities, and level of access. (IAM-03, Cloud Controls Matrix, v4.0)
  • Compensating controls derived from the Risk Analysis shall be implemented prior to provisioning access. (RI-05, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Normal authentication protocols should be modified or specific authentication protocols should be activated when counterfeiting detection reaches a defined threshold, in order to target the issues and organize the appropriate actions. (§ 5.4 ¶ 1, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • ¶ 8.2.1 Identification and Authentication (I&A). An organization should implement safeguards which assure Identification and Authentication. Identification is the means by which a user provides a claimed identity to a system. Authentication is the means of establishing the validity of this claim. T… (¶ 8.2.1, ¶ 9.2 Table Row "I and A Based on Something the User Knows", ¶ 9.2 Table Row "I and A Based on Something the User Possesses", ¶ 9.2 Table Row "I and A Based on Something the User Is", ¶ 10.3.4, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ¶ 13.3.2 Remote Log-in. Remote log-ins, whether from authorized personnel working away from the organization, from remote maintenance engineers, or personnel from other organizations, are accomplished either via dial-ups to the organization, Internet connections, dedicated trunks from other organiz… (¶ 13.3.2, ¶ 13.3.3, ¶ 13.7, ¶ 13.9, ¶ 13.10, ¶ 13.11, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • All available authentication mechanisms should be defined. Examples of controls are "none, biometrics, passwords". The system should state when and how each type of authentication mechanism should be used. The system should have the ability to revoke rights to users, subjects, and objects based on r… (§ 12.4, § 13.4, § G.4, § H.4, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • A formal user registration and de-registration process shall be implemented to enable assignment of access rights. (A.9.2.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • User access rights should be reviewed at regular intervals. The following guidelines should be used when reviewing user access rights: Access rights should be reviewed at 6 months and after promotion, demotion, or termination and reviewed when users change jobs in the same organization; special priv… (§ 11.2.4, ISO 27002 Code of practice for information security management, 2005)
  • A formal user registration and de-registration process should be implemented to enable assignment of access rights. (§ 9.2.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Access rights to information and other associated assets should be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. (§ 5.18 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • To manage access to cloud services by a cloud service customer's cloud service users, the cloud service provider should provide user registration and deregistration functions, and specifications for the use of these functions to the cloud service customer. (§ 9.2.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Procedures for user registration and de-registration should address the situation where user access control is compromised, such as the corruption or compromise of passwords or other user registration data (e.g. as a result of inadvertent disclosure). (§ 9.2.1 ¶ 3, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • Procedures for user registration and de-registration should address the situation where user access control is compromised, such as the corruption or compromise of passwords or other user registration data (e.g. as a result of inadvertent disclosure). (§ 9.2.1 ¶ 3, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules and configuration standards for information assets. (CC6.1 ¶ 3 Bullet 7 Restricts Access to Information Assets, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The access procedures should include how to authorize, register, identify, and authenticate internal personnel. (ID 8.2.2.a, ID 8.2.2.b, AICPA/CICA Privacy Framework)
  • Procedures exist to restrict logical access to the system, including identifying and authenticating users. (Security Prin. and Criteria Table § 3.2 b, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict logical access to the system, including identifying and authenticating users. (Availability Prin. and Criteria Table § 3.5 b, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict logical access to the system, including identifying and authenticating users. (Processing Integrity Prin. and Criteria Table § 3.6 b, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to restrict logical access to the system and the confidential information resources maintained on the system, including identifying and authenticating users. (Confidentiality Prin. and Criteria Table § 3.8 b, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should restrict logical access to personal information by identifying and authenticating internal personnel and individuals. (Generally Accepted Privacy Principles and Criteria § 8.2.2 b, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should not use government-issued identifiers for authentication. (Table Ref 6.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The privacy notice should describe general types of security measures the organization uses to protect personal information, such as using authentication to prevent unauthorized access to electronic personal information. (Table Ref 8.1.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should restrict logical access to personal information by identifying and authenticating internal personnel and individuals. (Table Ref 8.2.2.b, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets. (¶ 2.25 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets. (CC6.1 Restricts Access to Information Assets, Trust Services Criteria)
  • Combinations of data classification, separate data structures, port restrictions, access protocol restrictions, user identification, and digital certificates are used to establish access control rules for information assets. (CC6.1 ¶ 2 Bullet 6 Restricts Access to Information Assets, Trust Services Criteria, (includes March 2020 updates))
  • The organization must implement and monitor the status of identification and authentication controls. In general, the use of group authenticators precludes the association of a particular act with the individual who initiated that act. In turn, this can preclude assignment of responsibility and can … (§ 15.a, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • The responsible entity shall document and implement a program for managing access to protected critical cyber asset information. (§ R5, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • The responsible entity shall assess and document at least annually the processes for controlling access privileges to protected information. (§ R5.3, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • On mainframes that transmit scoped data, can a Personal Identification Number or secret question be a stand alone method of authentication? (§ G.18.17, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, can a Personal Identification Number or secret question be a stand alone method of authentication? (§ G.18.17, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, can a Personal Identification Number or secret question be a stand alone method of authentication? (§ G.18.17, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that transmit scoped data, can a Personal Identification Number or secret question be a stand alone method of authentication? (§ G.19.15, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that process scoped data, can a Personal Identification Number or secret question be a stand alone method of authentication? (§ G.19.15, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On AS/400 systems that store scoped data, can a Personal Identification Number or secret question be a stand alone method of authentication? (§ G.19.15, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that transmit scoped data, can a Personal Identification Number or secret question be a stand alone method of authentication? (§ G.20.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that process scoped data, can a Personal Identification Number or secret question be a stand alone method of authentication? (§ G.20.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On OpenVMS (VAX or Alpha) systems that store scoped data, can a Personal Identification Number or secret question be a stand alone method of authentication? (§ G.20.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Who is responsible for user entitlement audits? (§ V.1.21, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is the cloud provider responsible for user entitlement audits? (§ V.1.21.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Is the client responsible for user entitlement audits? (§ V.1.21.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • Internet transfers of eligible export products must employ precautions, such as an access control system that checks every address to ensure the Internet address or domain name is not a foreign government end-user; an access control system that provides each receiving or requesting party a notice st… (§ 734.2(b)(9)(iii), US Export Administration Regulations Database)
  • For Oracle, the organization must configure the system to use fine grain access control and auditing. (Table F-9, CMS Business Partners Systems Security Manual, Rev. 10)
  • § 7 ¶ 1: The organization must use technologies that let users prove who they say they are and encrypt data to avoid inappropriate disclosure or modification, so data can travel over the Internet safely and only be disclosed to authorized parties. § 7 (Acceptable Authentication Approaches): The … (§ 7 ¶ 1, § 7 (Acceptable Authentication Approaches), § 7 (Acceptable Identification Approaches), HIPAA HCFA Internet Security Policy, November 1998, Deprecated)
  • CSR 2.8.1: The organization must implement policies and procedures to grant different access levels to health care information, including rules for granting user access, determining the initial access rights to transactions, programs, terminals, or processes, and determining the types of modificatio… (CSR 2.8.1, CSR 2.9.4, CSR 2.9.5, CSR 2.13.2, CSR 10.3.6, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must certify that it will not release or otherwise provide access to controlled technology or technical data to foreign workers in the H-1B, H-1B1 (Chile/Singapore), L-1, and O-1A categories until it has received from the U.S. Government the required authorization to do so. (Part 6, Form I-129, Petition for a Nonimmigrant Worker, 11/23/10)
  • Identification standards should be developed for positively identifying new customers. The bank should have an explicit policy to prohibit significant transactions from individuals who do not provide identification evidence. (Pg 19, Pg 85, Pg 86, Obj 4 (Processes), Obj 5 (Processes), Obj 6 (Processes), Obj 13 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Assess the organization's identification requirements for creating new personal and business accounts. Review a sampling of accounts to ensure they comply with the account opening requirements and review the associated account statements to ensure they are consistent with the nature of the customer … (Pg 19, Pg 85, Pg 86, Obj 4 (Processes), Obj 5 (Processes), Obj 6 (Processes), Obj 13 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The information assurance officer or security manager must coordinate with the data owner in documenting the access rules for who is authorized to access the system. (§ 3.3 ¶ AC33.015, DISA Access Control STIG, Version 2, Release 3)
  • The information assurance manager must ensure that hardware tokens are combined with a Personal Identification Number and/or a biometric verification when it is used as an identity credentials for accessing classified assets. (§ 3.4.4 ¶ AC34.160, DISA Access Control STIG, Version 2, Release 3)
  • The information assurance officer must establish Identification and Authentication procedures for use whenever the biometric system is unavailable. (§ 4.5.1 ¶ BIO6020, DISA Access Control STIG, Version 2, Release 3)
  • The organization must implement authorization procedures and controls that ensure the authenticated entity has a current and validated authorization. (§ 3.3 ¶ 1, DISA Access Control STIG, Version 2, Release 3)
  • Remote access users must be authenticated by one of the following methods: RADIUS, TACACS+, CiscoSecure ACS, or SecurID. If the organization wants to use a different method, it must first be approved and documented by the Information Assurance Manager. RADIUS servers may not use NetWare Bindery to a… (§ 6.2.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Access to portions of the file plan for filing and/or searching and retrieving shall be restricted. (§ C2.2.7.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The organization must implement a comprehensive account management process to ensure only authorized users gain access to applications, workstations, and networks. (IAAC-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Application or network access group authenticators may be used only with an individual authenticator. (IAGA-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • All internal unclassified, classified, and sensitive websites must provide open access to general information for all Department of Defense authorized users who have network access. (ECAN-1(1), DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • All internal unclassified, classified, and sensitive websites must provide controlled access to information for all Department of Defense authorized users with an individual authenticator. (ECAN-1(2), DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • All internal unclassified, classified, and sensitive websites must provide restricted access to need-to-know information for all authorized users with an individual authenticator and a demonstrated or validated need-to-know. (ECAN-1(3), DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • All users must be accountable for their actions on the system. (§ 8-105, § 8-607.b, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Policies and procedures shall be implemented for ensuring all workforce members have the appropriate access to electronic protected health information and preventing workforce members who do not have access from obtaining it. (§ 164.308(a)(3)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • If necessary, group plan health documents must be corrected to include adequate separation between the plan sponsor and the group health plan. Plan documents must describe employees, classes of employees, or other persons who are to be given access to information that will be disclosed, provided tha… (§ 164.504(f)(2)(iii)(A), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Procedures shall be implemented to authorize and/or supervise workforce members who work with electronic protected health information or locations where the information might be accessed. The covered entity shall assess these procedures to determine if it is a reasonable and appropriate safeguard in… (§ 164.308(a)(3)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. (§ 164.308(a)(4)(ii)(B), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • (Pg 46, The National Strategy to Secure Cyberspace, February 2003)
  • A noncriminal justice agency (government) that has been designated to perform criminal justice functions for a criminal justice agency shall be eligible for access to criminal justice information. (§ 5.1.1.4, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Channelers that have been designated to request civil fingerprint-based background checks or noncriminal ancillary functions on behalf of a noncriminal justice agency (public or private) shall be eligible for access to criminal justice information. (§ 5.1.1.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency shall manage system accounts by establishing, activating, modifying, reviewing, disabling, and removing accounts. (§ 5.5.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The organization shall verify that cellular devices use advanced authentication methods. (§ 5.5.7.3.1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Advanced authentication shall not be required for users who request access to criminal justice information from inside a physically secure location (section 5.9), when technical security controls are implemented (sections 5.5 and 5.10). (§ 5.6.2.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Advanced authentication shall be required when technical security controls have not been implemented (section 5.5 and 5.10), even if the request for access to criminal justice information comes from inside a physically secure location. (§ 5.6.2.2.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • An agency shall establish an identifier and authenticator management process. (§ 5.6.3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The National Incident Management System (NIMS) must develop an authentication and certification standard to ensure that information is properly authenticated and protected. (Chap V.B.2.B(6), National Incident Management System (NIMS), Department of Homeland Security, December 2008)
  • Identification and authentication are required and managed for access to systems, applications, and hardware. (Domain 3: Assessment Factor: Preventative Controls, ACCESS AND DATA MANAGEMENT Baseline 1 ¶ 6, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • The organization should implement an effective authentication system to protect customer information in order to comply with all applicable requirements. The type of authentication technology used by the organization should be based on the risk assessment. An effective authentication program should … (Pg 2, Pg 3, FFIEC Guidance on Authentication in an Internet Banking Environment)
  • A process to control privileged access. (App A Objective 6.20.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • A monitoring process to oversee and manage the access rights granted to each user on the system. (App A Objective 6.20.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management has an effective process to administer logical security access rights for the network, operating systems, applications, databases, and network devices. Review whether management has the following: (App A Objective 6.20, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should have an effective process to administer logical security access rights for the network, operating systems, applications, databases, and network devices, which should include the following: - Assigning users and devices the access required to perform required functions. - Updating… (II.C.15 Logical Security, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether ▪ A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; ▪ Existing controls comp… (Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Review the assignment of authentication and authorization credentials to determine whether they are based upon primary job responsibilities and whether they also include business continuity planning responsibilities. (Exam Tier I Obj 7.6, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should ensure the authentication controls are consistent with the security policy. The authentication controls should be evaluated for password length, password expiration, account lockout, and password history requirements. (Pg 34, Obj 4.4, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Access to the telecommunications system should follow the organization's policy for identification, authorization, and authentication. (Pg 28, Exam Tier I Obj 8.2, FFIEC IT Examination Handbook - Operations, July 2004)
  • Determine the frequency and process for management review of logical and physical access privileges and audit trails/logs. (App A Tier 2 Objectives and Procedures N.9 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization should implement identification and authentication controls in order to authenticate all access to the payment messaging system and to ensure the authenticity of the payers and the payees. (Pg 17, Pg 31, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Limit authorized users' access only to customer information that they need to perform their duties and functions, or, in the case of customers, to access their own information; (§ 314.4 ¶ 1(c)(1)(ii), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • (AC-3.2(A), Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization must develop, document, distribute, and continuously update an identification and authentication policy and procedures for the implementation of identification and authentication security controls. (§ 5.6.7, Exhibit 4 IA-1, Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are digital signatures used to authenticate members? (IT - Authentication Q 19, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is there a policy that documents which employees have administrative privileges for each server? (IT - Servers Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.4.3 Bullet 1: Implement policies and procedures that establish, document, review, and modify a user access right to a workstation, transaction, program, or process based upon the access authorization policy. § 4.17.1 Bullet 1: Identify person and entity authentication methods that comply with … (§ 4.4.3 Bullet 1, § 4.17.1 Bullet 1, § 4.17.1 Bullet 2, § 4.17.2 Bullet 1, § 4.17.2 Bullet 2, § 4.17.3 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • § 4.3 ¶ 2: Cryptographic modules may require authentication mechanisms for authenticating operators accessing the module and verifying that they are authorized. § 4.3.3 ¶ 7: For security level 1, the cryptographic module is not required to use authentication mechanisms for access control. If the… (§ 4.3 ¶ 2, § 4.3.3 ¶ 7, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • § 3.1.1 ¶ 2: The organization shall use an entity authentication implementation to employ an identity-based operator authentication mechanism. § 3.1.4: If public key certificates are used for the authentication process, the organization must generate them before the authentication exchange occurs… (§ 3.1.1 ¶ 2, § 3.1.4, FIPS Pub 196, Entity Authentication using Public Key Cryptography)
  • Calls for Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational informatio… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes (PR.AC-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes (PR.AC-1, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Identities and credentials are managed for authorized devices and users. (PR.AC-1, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • (§ 3.11, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure identification and authentication policies and procedures exist, are disseminated, reviewed and updated periodically, and specific responsibilities and actions are defined for the implementation of the identification and authenticatio… (IA-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should implement strong user authentication methods, such as smart cards, two-factor authentication, public key infrastructure, or biometrics. (Table 4-2 Item 21, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • The organization should implement strong user authentication methods, such as smart cards, two-factor authentication, public key infrastructure, biometrics, or a combination of these methods. (§ 6.3.6, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • Manage accounts, network rights, and access to systems and equipment. (T0144, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Design and develop system administration and management functionality for privileged access users. (T0358, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop new techniques for gaining and keeping access to target systems. (T0664, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices. (PR.AC-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Policies, processes, and procedures for authorizing data processing (e.g., organizational decisions, individual consent), revoking authorizations, and maintaining authorizations are established and in place. (CT.PO-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access. (Identity Management, Authentication, and Access Control (PR.AC-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must develop and implement a documented Access Control security policy. (SG.AC-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop and implement an Identification and Authentication security policy. (SG.IA-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must manage user and device authentication credentials by establishing procedures for revoking authentication credentials. (SG.IA-3 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must not permit users to access the Information System without Identification and Authentication. (App F § AC-14(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must document and justify, in the security plan, any exceptions that permit users to access the Information System without Identification and Authentication. (App F § AC-14(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop information system account management procedures that identify account types, group membership, authorized users and access privileges, approval for account creation, account life cycle, guest and temporary accounts, deactivation and termination of accounts, system acce… (App F § AC-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish and maintain access enforcement policies and procedures to approve authorizations for logical access to the Information System. (App F § AC-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, a formal, documented Identification and Authentication policy that includes the purpose, roles, responsibilities, scope, compliance, management commitment, and coordination among entities. (App F § IA-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, formal, documented procedures to implement the Identification and Authentication policy and its associated controls. (App F § IA-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should invalidate session identifiers when a user logs out or a session terminates. (App F § SC-23(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must use compensating controls in accordance with the general tailoring guidance when physical access to the Industrial Control System predefines account privileges or the system cannot support account management. (App I § AC-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot support user identification and authentication or the organization determines that user identification and authentication is not advisable due to a significant … (App I § IA-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Manage accounts, network rights, and access to systems and equipment. (T0144, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Design and develop system administration and management functionality for privileged access users. (T0358, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. (IA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization identifies and authenticates {organizationally documented information system services} using {organizationally documented security safeguards}. (IA-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. (IA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. (IA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. (IA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties (PR.AA-05, The NIST Cybersecurity Framework, v2.0)
  • a privileged access management solution; and (§ 500.7 Access Privileges and Management (c)(1), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)