IAM-02: Strong Password Policy and Procedures

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set and incorporates the following controls from the previous version: GRM-06: Policy, GRM-09: Policy Reviews, IAM-02: Credential Lifecycle / Provision Management, IAM-12: User ID Credentials.

Control Statement

Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.

Implementation Guidance

Organizations should establish a clear policy on strong password usage for different technical areas. Organizations should also have a monitoring mechanism to evaluate the effectiveness of policy implementation. The policy should be reviewed periodically (at least annually) based on business requirements. In addition, the policy should clearly describe its applicability and scope, and management should promote effective communication to ensure effective implementation within the organization. Organizations should also have policies and procedures for all personnel (employees, vendors, or other third parties) who have access to organizational data. Additionally, control-testing strategies should be employed to test these policies and be maintained regularly.

Auditing Guidance

  1. Examine policy and/or procedures related to passwords to determine if minimum password complexity requirements are defined.
  2. Determine if the organization enforces minimum password complexity requirements as defined in policy.
  3. Examine policy and procedures for evidence of review at least annually.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.