Include instructions to change authenticators as often as necessary in the access control program.

CONTROL ID: 11931
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an access control program., CC ID: 11702

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should put in place adequate controls related to the strength of the password including a Personal Identification Number (PIN) (e.g. certain password requirements that can increase the difficulty of a successful brute-force attack). Effective measures should be implemented to counter automated b… (§ 4.1.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Extra care should be exercised when controlling the use of and access to privileged and emergency IDs. The necessary control procedures include: - granting of authorities that are strictly necessary to privileged and emergency IDs; - formal approval by appropriate personnel prior to being released … (3.2.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Periodic reminders for those clients who have not changed their passwords for a long period; (1.6. ¶ 1 (b), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • For any customers using easy-to-guess personal identification numbers, proper functions should be provided to alert the customers individually through ATMs to change the improper personal identification numbers. (P1.4. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Promptly change the password if it has been leaked. (P26.1. ¶ 1(5), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To any customer that has selected personal identification numbers that are easy for anyone to guess, proper instructions to change this number should be provided individually. (P108.5. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to explicitly inform customers how they can securely and easily change their personal identification numbers by themselves. (P107.9. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Users are required to change their passwords regularly. The frequency should be based on the risk of damage to the individual if the data is compromised. (Annex A1: Authentication and Passwords 23, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • they are discovered stored in the clear on a network (Security Control: 1590; Revision: 0; Bullet 4, Australian Government Information Security Manual, March 2021)
  • they are discovered being transferred in the clear across a network (Security Control: 1590; Revision: 0; Bullet 5, Australian Government Information Security Manual, March 2021)
  • they appear in online data breach databases (Security Control: 1590; Revision: 0; Bullet 3, Australian Government Information Security Manual, March 2021)
  • they have not been changed in the past 12 months. (Security Control: 1590; Revision: 0; Bullet 7, Australian Government Information Security Manual, March 2021)
  • they are suspected of being compromised (Security Control: 1590; Revision: 0; Bullet 2, Australian Government Information Security Manual, March 2021)
  • Do you have a documented password policy that includes a process for when you believe the passwords or accounts have been compromised? (A7.13., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Do you change the firewall password when you know or suspect it has been compromised? (A4.4., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Describe the process in place for changing passwords when you believe they have been compromised. (A5.6., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Where a user can authenticate against a device, the device shall provide to the user or an administrator a simple mechanism to change the authentication value used. (Provision 5.1-4, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Document and communicate authentication policies and procedures to all users including: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions to change pa… (8.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • For service providers only: Are non-consumer customer passwords required to be changed periodically, and are non-consumer customers given guidance as to when, and under what circumstances, passwords must change? (8.2.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For service providers only: Are non-consumer customer passwords required to be changed periodically, and are non-consumer customers given guidance as to when, and under what circumstances, passwords must change? (8.2.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Do authentication policies and procedures include the following? - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials - Instructions not to reuse previously used passwords - Instructions that users should change passwords … (8.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Review authentication policies and procedures that are distributed to users and verify they include: - Guidance on selecting strong authentication credentials - Guidance for how users should protect their authentication credentials. - Instructions for users not to reuse previously used passwords - I… (8.4.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphrases have been compromised and how to report the incident. (8.3.8 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Guidance for customers to change their user passwords/passphrases periodically. (8.3.10 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Guidance as to when, and under what circumstances, passwords/passphrases are to be changed. (8.3.10 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphrases have been compromised and how to report the incident. (8.3.8 Bullet 4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphrases have been compromised and how to report the incident. (8.3.8 Bullet 4, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphrases have been compromised and how to report the incident. (8.3.8 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Guidance as to when, and under what circumstances, passwords/passphrases are to be changed. (8.3.10 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Guidance for customers to change their user passwords/passphrases periodically. (8.3.10 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphrases have been compromised and how to report the incident. (8.3.8 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Change/refresh authenticators periodically. (§ 5.6.3.2 ¶ 1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Ensure that all APs have strong administrative passwords and ensure that all passwords are changed in accordance with Section 5.6.2.1. (§ 5.13.1.1 ¶ 2(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Evaluate the security procedures for periodic password changes, the encryption of password files, password suppression on terminals, and automatic shutdown of terminals not in use. (App A Tier 2 Objectives and Procedures C.3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Develop a migration plan for the possibility that the RESTRICTED authenticator is no longer acceptable at some point in the future and include this migration plan in its digital identity acceptance statement. (5.2.10 ¶ 4 4., Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
  • Cardholders MAY change their PINs at any time by providing the current PIN and the new PIN values, as specified in [SP 800-73]. (2.9.3 ¶ 3, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • The passwords of privileged users (such as network technicians, electrical or electronics technicians and management, and network designers/operators) should be most secure and be changed frequently. Authority to change master passwords should be limited to trusted employees. A password audit record… (§ 6.2.7.1 ICS-specific Recommendations and Guidance ¶ 5 Bullet 5, Guide to Industrial Control Systems (ICS) Security, Revision 2)