Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually.
Organizations should establish a clear policy on strong password usage for each technical area in scope, and should have a monitoring mechanism to evaluate how effectively the policy is implemented. The policy should be reviewed periodically (at least annually) against current business requirements. It should clearly state its applicability and scope, and management should communicate it effectively to ensure consistent implementation across the organization. The policy and its supporting procedures should cover all personnel (employees, vendors and other third parties) who have access to organizational data. Finally, control-testing strategies should be used to verify that the policy is actually enforced, and those tests should be maintained on a regular basis.
- Examine policy and/or procedures related to passwords to determine if minimum password complexity requirements are defined.
- Determine if the organization enforces minimum password complexity requirements as defined in policy.
- Examine policy and procedures for evidence of review at least annually.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.