Include digital identification procedures in the access control program.


CONTROL ID
11841
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an access control program., CC ID: 11702

This Control has the following implementation support Control(s):
  • Employ unique identifiers., CC ID: 01273
  • Disseminate and communicate user identifiers and authenticators using secure communication protocols., CC ID: 06791
  • Include instructions to refrain from using previously used authenticators in the access control program., CC ID: 11930
  • Disallow the use of Personal Identification Numbers as user identifiers., CC ID: 06785
  • Define the activation requirements for identification cards or badges., CC ID: 06583
  • Require multiple forms of personal identification prior to issuing user identifiers., CC ID: 08712
  • Authenticate user identities before unlocking an account., CC ID: 11837
  • Authenticate user identities before manually resetting an authenticator., CC ID: 04567
  • Require proper authentication for user identifiers., CC ID: 11785

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Provide personal identification functions. (P42.3. ¶ 2(1), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Users are authenticated before they are granted access to a system and its resources. (Security Control: 1546; Revision: 0, Australian Government Information Security Manual, March 2021)
  • The organization must implement security measures to ensure the identification of foreign nationals, including seconded foreign nationals, when the systems contain Australian Eyes Only, Australian Government Access Only, or other nationality releasability marked information. (Control: 0420, Australian Government Information Security Manual: Controls)
  • The organization should ensure the identification of foreign nationals and seconded foreign nationals includes the specific nationalities, if security measures are implemented for ensuring their identification. (Control: 0975, Australian Government Information Security Manual: Controls)
  • identification — determination of who or what is requesting access; (Attachment C 3(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Securing the authorisation and authentication of users of the cloud provider (usually privileged user) and the cloud customer in order to prevent unauthorised access. (Section 5.7 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • The confidentiality of the login information of internal and external users under the cloud provider's responsibility is protected by the following safeguards: (Section 5.7 IDM-08 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The organization must implement suitable Identification and Authentication controls for managing the risk of unauthorized access, enabling auditing, and using correct management of user accounts for all systems. (Mandatory Requirement 38, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised. (B2. ¶ 1, NCSC CAF guidance, 3.1)
  • You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function. (B2.a ¶ 1, NCSC CAF guidance, 3.1)
  • The entity has established policies and procedures and technical specifications and requirements for the configuration and credentialing of users and systems prior to granting logical access to information and data about internally and externally managed infrastructure-based platforms, devices and s… (S7.1 Manages credentials for infrastructure and software, Privacy Management Framework, Updated March 1, 2020)
  • Identity management should exist in all organizations. It includes establishing an identity and access management (IAM) strategy; administering statement changes in the IAM policy; establishing identity and password parameters; managing the manual or automated IAM systems and processes; and periodic… (§ 3 ¶ 3, § 3.1.1, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • There should be a sign-on process that users need to follow before they are provided with access to Information Systems, which should enable individual users to be identified (e.g., using unique userids). (CF.06.07.01, The Standard of Good Practice for Information Security)
  • There should be a sign-on process that users need to follow before they are provided with access to Information Systems, which should enable individual users to be identified (e.g., using unique userids). (CF.06.07.01, The Standard of Good Practice for Information Security, 2013)
  • Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems. (Control 1.5, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The system should implement network level authentication to limit and control the devices that can connect to the network. (Critical Control 1.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures: - Identity trust verification and service-to-service application (… (IAM-12, Cloud Controls Matrix, v3.0)
  • Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. (CIS Control 1: Sub-Control 1.7 Deploy Port Level Access Control, CIS Controls, 7.1)
  • Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network. (CIS Control 1: Sub-Control 1.7 Deploy Port Level Access Control, CIS Controls, V7)
  • support the use of initial authenticator content; (5.7.1 ¶ 1 (a), Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • All entities should be identified and authenticated for all access to the control system. Authentication of the identity of such entities should be accomplished by using methods such as passwords, tokens or location (physical or logical). This requirement should be applied to both local and remote a… (5.4.2 ¶ 2, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The information assurance officer must use multifactor authentication to authenticate identity credentials before allowing access to Information Systems that process sensitive information. (§ 3.2 ¶ AC32.010, DISA Access Control STIG, Version 2, Release 3)
  • Verify against a unique identifier(s) (e.g., username or number) that a user seeking access to electronic health information is the one claimed; and (§ 170.315 (d) (1) (i), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Verify against a unique identifier(s) (e.g., username or number) that a user seeking access to electronic health information is the one claimed; and (§ 170.315 (d) (1) (i), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • The organization should use customer verification techniques during account origination to improve the authentication process. (Pg 13, FFIEC Guidance on Authentication in an Internet Banking Environment)
  • Maintains a policy and implements related standards and procedures to identify users and restrict their access. (App A Objective 14:3d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Assess the adequacy of the PIN generation process. Ensure there is separation of duties between staff responsible for PIN generation and staff responsible for opening accounts or with access to customer account information. (App A Tier 2 Objectives and Procedures B.2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Electronic signatures shall be unique and cannot be reused or reassigned to another person. The identity of an individual shall be verified before an organization establishes, assigns, certifies, or sanctions an electronic signature or any element of it. Prior to or at the time of using an electroni… (§ 11.100, 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • The entity must identify and control all access paths and manage all users. (AC-3.2(B), Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • When a user uses a token based authentication system, he/she should be required to enter a password or PIN when the token is used for authentication. One user's token being compromised should not compromise the entire system, just that user. (§ 4.5, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • A credential is issued to an individual only after a proper authority has authorized issuance of the credential, the individual’s identity has been verified, and the individual has been vetted per Section 2.2. (2.1 ¶ 2 Bullet 1, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • For User Authentication, the direct use of challenge/response authentication may not be feasible for control system due to the possible latency that may be introduced in the necessary fast dynamics required for access to a control system or industrial network. For Network Service Authentication, the… (§ 6.2.7.2 ICS-specific Recommendations and Guidance ¶ 1, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should require individuals to be authenticated individually before using a group authenticator. (App F § IA-2(5)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. (IA-2(5), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system provides a single sign-on capability for {organizationally documented list of information system accounts}. (IA-2(10), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system provides a single sign-on capability for {organizationally documented services}. (IA-2(10), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system dynamically provisions identities. (IA-5(10), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system dynamically provisions identities. (IA-5(10) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)