Include guidance for how users should protect their authentication credentials in the access control program.
CONTROL ID
11929
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an access control program., CC ID: 11702

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • To avoid compromising passwords, take proper precautions such as encouraging the users to pay attention to the following items, in accordance with the content of services used and the properties of related risks. (P26.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • When changing a password, set and manage it appropriately with consideration for the items under (1)-(5) above. (P26.1. ¶ 1(6), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For an application from a customer for issuance of card, the customer should be encouraged to select a proper personal identification number that is hard for any other person to guess. In the selection of personal identification number, proper precautions should be implemented not to accept the use … (P107.10., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary for users themselves to be able to check that their user ID is not being used illegally. (P113.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to raise customers' awareness about proper methods of managing cards and personal identification numbers. It is also necessary to make every customer fully aware of necessary countermeasures put in place based on the latest crime case. (P108.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To raise security awareness, banks should sensitize customers on the need to protect their PINs, security tokens, personal details and other confidential data. (Critical components of information security 31) (iii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Credentials are stored separately from systems to which they grant access. (Security Control: 0418; Revision: 4, Australian Government Information Security Manual, March 2021)
  • decommission any credentials that left their possession during their travel (Control: ISM-1300; Revision: 6; Bullet 2, Australian Government Information Security Manual, June 2023)
  • reset credentials used with mobile devices, including those used for remote access to their organisation's systems (Control: ISM-1556; Revision: 2; Bullet 1, Australian Government Information Security Manual, June 2023)
  • decommission any credentials that left their possession during their travel (Control: ISM-1300; Revision: 6; Bullet 2, Australian Government Information Security Manual, September 2023)
  • reset credentials used with mobile devices, including those used for remote access to their organisation's systems (Control: ISM-1556; Revision: 2; Bullet 1, Australian Government Information Security Manual, September 2023)
  • procedures for ensuring that under no circumstances would a customer be asked to reveal sensitive customer information used for the purposes of authentication, such as passwords/PINS; (Attachment E ¶ 3(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • access controls including standards relating to passwords and other authentication requirements; (¶ 34(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Where and how they may record passwords to store and retrieve them securely. (Access control Question 32(d), Cyber Essentials Scheme (CES) Questionnaire, Version 3.3)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Review authentication policies and procedures that are distributed to users and verify they include: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials. - Instructions for users not to reuse previously used passwords - I… (8.4.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Guidance for how users should protect their authentication factors. (8.3.8 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data (i.e., in any single-factor authentication implementation), then guidance is provided to customer users including: (8.3.10, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Additional testing procedure for service provider assessments only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, examine guidance provided to customer users to verify that the guidance includes all elements specified in this require… (8.3.10, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Guidance for how users should protect their authentication factors. (8.3.8 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Guidance for how users should protect their authentication factors. (8.3.8 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Guidance for how users should protect their authentication factors. (8.3.8 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Guidance for how users should protect their authentication factors. (8.3.8 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data (i.e., in any single-factor authentication implementation), then guidance is provided to customer users including: (8.3.10, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Prevent Compromise of Credentials (4, Swift Customer Security Controls Framework (CSCF), v2019)
  • Protect physically and logically recorded passwords. (5.4 Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
  • Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information. (§ 5.17 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • In addition to an identifier (see 5.6) an authenticator is required to prove identity. Control system authenticators include, but are not limited to, tokens, symmetric keys, private keys (part of a public/private key pair), biometrics, passwords, physical keys and key cards. There should be security… (5.7.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Implemented CJIS Security Policy compliant standard authenticator protection on the secure location where CJI is stored (§ 5.13.7.2.1 ¶ 4 Bullet 3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Password usage and management—including creation, frequency of changes, and protection. (§ 5.2.1.3 ¶ 1 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Information system authenticators include, for example, tokens, user-based PKI certificates, biometrics, passwords, and key cards. Users shall take reasonable measures to safeguard authenticators including maintaining possession of their individual authenticators, not loaning or sharing authenticato… (§ 5.6.3.2 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • For employees, board members, and other users accessing a financial institution's information systems, education can include training and testing programs on authentication-related scenarios such as phishing and social engineering. (Section 10 ¶ 3, Authentication and Access to Financial Institution Services and Systems)
  • Threat actors frequently have used social engineering and other techniques to deceive customer call center and IT help desk representatives into resetting passwords and other credentials, thereby granting threat actors access to information systems, user and customer accounts, or confidential inform… (Section 8 ¶ 1, Authentication and Access to Financial Institution Services and Systems)
  • Access codes used by the authentication process are protected properly and changed with reasonable frequency; (TIER II OBJECTIVES AND PROCEDURES D.1. Bullet 5, FFIEC IT Examination Handbook - Audit, April 2012)
  • Provide meaningful notice to subscribers regarding the security risks of the RESTRICTED authenticator and availability of alternative(s) that are not RESTRICTED. (5.2.10 ¶ 4 2., Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • An issued credential is not modified by an unauthorized entity. (2.1 ¶ 2 Bullet 12, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)