Include guidance on selecting authentication credentials in the access control program.


CONTROL ID
11928
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an access control program., CC ID: 11702

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Not select such a password that could be easily guessed (P26.1. ¶ 1(1), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When changing a password, set and manage it appropriately with consideration for the items under (1)-(5) above. (P26.1. ¶ 1(6), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For an application from a customer for issuance of card, the customer should be encouraged to select a proper personal identification number that is hard for any other person to guess. In the selection of personal identification number, proper precautions should be implemented not to accept the use … (P107.10., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Access controls including standards relating to passwords and other authentication requirements (Critical components of information security 9) ¶ 2 c), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Encourage users not to use passwords that can be easily deduced, such as their birth date or name. (Annex A2: Authentication 2, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Discourage users from using the same password across different systems or applications. (Annex A2: Authentication 4, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Review authentication policies and procedures that are distributed to users and verify they include: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials. - Instructions for users not to reuse previously used passwords - I… (8.4.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Guidance on selecting strong authentication factors. (8.3.8 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Guidance on selecting strong authentication factors. (8.3.8 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Guidance on selecting strong authentication factors. (8.3.8 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Guidance on selecting strong authentication factors. (8.3.8 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Guidance on selecting strong authentication factors. (8.3.8 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Assess the adequacy of customer PIN selection criteria, focusing on whether the institution discourages or prevents customers from using common words, social security numbers, sequences of numbers, or words or numbers that can easily identify the customer. (App A Tier 2 Objectives and Procedures B.10, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Employ automated tools to assist the user in selecting strong password authenticators; and (IA-5(1) ¶ 1(g), FedRAMP Security Controls High Baseline, Version 5)
  • Employ automated tools to assist the user in selecting strong password authenticators; and (IA-5(1) ¶ 1(g), FedRAMP Security Controls Low Baseline, Version 5)
  • Employ automated tools to assist the user in selecting strong password authenticators; and (IA-5(1) ¶ 1(g), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Employ automated tools to assist the user in selecting strong password authenticators; and (IA-5(1) ¶ 1g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ automated tools to assist the user in selecting strong password authenticators; and (IA-5(1) ¶ 1g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Employ automated tools to assist the user in selecting strong password authenticators; and (IA-5(1) ¶ 1g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Verifiers SHOULD offer guidance to the subscriber, such as a password-strength meter [Meters], to assist the user in choosing a strong memorized secret. This is particularly important following the rejection of a memorized secret on the above list as it discourages trivial modification of listed (an… (5.1.1.2 ¶ 7, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • CSPs SHOULD, where practical, accommodate the use of subscriber-provided authenticators in order to relieve the burden to the subscriber of managing a large number of authenticators. Binding of these authenticators SHALL be done as described in Section 6.1.2.1. In situations where the authenticator … (6.1.3 ¶ 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • The cardholder SHALL be guided in selecting a strong PIN value. The PIN SHALL be a minimum of six digits in length and SHOULD NOT be easily guessable, individually identifiable (e.g., part of a Social Security Number or phone number), or commonly used (e.g., 000000, 123456). (4.3.1 ¶ 2, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • Employ automated tools to assist the user in selecting strong password authenticators; and (IA-5(1) ¶ 1(g), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ automated tools to assist the user in selecting strong password authenticators; and (IA-5(1) ¶ 1(g), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Be required to log onto or access an Internet web site, unless used in combination with a password or other authentication device; (§ 47-18-2110(a)(3), Tennessee Code, Title 47, Chapter 18, Part 21, Identity Theft Deterrence, Sections 47-18-2101 thru 47-18-2110)