IAM-15: Passwords Management

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures for the secure management of passwords.

Implementation Guidance

The organization should adopt the following guidelines for the secure management of passwords:

  • Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a network system.
  • All non-console administrative access should be encrypted using strong cryptography.
  • Using strong cryptography, all authentication credentials (such as passwords or phrases) should be rendered unreadable during transmission and storage on all system components.
  • Verify user identity before modifying any authentication credential (e.g., performing password resets, provisioning new tokens, or generating new keys).
  • Passwords/passphrases should meet the criteria of industry best practices.
  • Alternatively, passwords/passphrases should have complexity and strength at least equivalent to the parameters specified above.
  • Change user passwords/passphrases per the organization password standard.
  • Limit password reuse per the organization password standard.
  • Set passwords/passphrases for first-time use and upon reset to a unique value for each user and change immediately after the first use.

Document and communicate authentication policies and procedures to all users, including the following concepts:

  1. Guidance on selecting strong authentication credentials.
  2. Guidance for how users should protect their authentication credentials.
  3. Generic user IDs are disabled or removed.
  4. Shared user IDs do not exist for system administration and other critical functions.
  5. Shared and generic user IDs are not used to administer any system components.

Guidance on selecting strong passwords may include suggestions to help personnel select hard-to-guess passwords that don’t contain:

  1. Dictionary words
  2. Information about the user (such as the user ID)
  3. Names of family members, date of birth, etc.

Guidance for protecting authentication credentials may include not writing down passwords or saving them in insecure files, and being alert for malicious individuals who may attempt to obtain their passwords (see the NIST SP 800-53 password controls for details).
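The following is an added illustration, not part of the control text or of the Cloud Security Alliance's own material, of how two of the measures above can be implemented together: rendering stored credentials unreadable with a salted, iterated hash (the storage half of the "strong cryptography" bullet), limiting reuse against a history of previous hashes, issuing a unique random first-use/reset value, and rejecting new passwords that contain dictionary words, the user ID, or personal details as the selection guidance describes. The minimum length (12), the history depth (4), the PBKDF2 iteration count and the short word list are assumed organisational parameters chosen for the example; the page itself defers these to the organization's password standard.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "qwerty"}

MIN_LENGTH = 12              # assumed organisational minimum, not stated on the page
PBKDF2_ITERATIONS = 600_000  # OWASP-recommended floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
HISTORY_DEPTH = 4            # assumed "limit password reuse" window


def check_password_policy(password, user_id, personal_terms=()):
    """Return the list of guidance violations; an empty list means acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if user_id and user_id.lower() in lowered:
        problems.append("contains the user ID")
    for term in personal_terms:  # family names, date of birth, etc.
        if term and term.lower() in lowered:
            problems.append("contains personal information: %s" % term)
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append("contains dictionary word: %s" % word)
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored value is salt || derived key.

    The plaintext is never stored, so a copy of the credential store
    does not reveal passwords (the "unreadable during storage" measure).
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=32)
    return salt + key


def verify_password(password, stored):
    """Constant-time comparison of a candidate against a stored salt || key."""
    salt = stored[:SALT_BYTES]
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def is_reused(password, history):
    """True if the candidate matches any hash kept in the reuse history."""
    return any(verify_password(password, old) for old in history)


def set_password(user_id, new_password, history, personal_terms=()):
    """Apply the policy; on success return ([], updated_history).

    The caller is expected to have verified the user's identity first,
    as the control requires before any credential change.
    """
    problems = check_password_policy(new_password, user_id, personal_terms)
    if is_reused(new_password, history):
        problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    if problems:
        return problems, history
    updated = [hash_password(new_password)] + list(history)
    return [], updated[:HISTORY_DEPTH]


def provision_first_use_password():
    """Unique random first-use/reset value; the caller must force a change on first login."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    history = []
    personal = ("Smith", "1990-04-01")  # constructed personal details for the demo user
    for candidate in ("Summer2023!!", "alice-rocks-2024", "correct horse battery staple"):
        problems, history = set_password("alice", candidate, history, personal)
        print(candidate, "->", problems or "accepted")
    print("first-use value:", provision_first_use_password())
```

The reuse check works only because each history entry keeps its own salt: the candidate is re-derived with the old salt and compared in constant time, so the history never needs plaintext. In a real deployment the history list lives with the account record and is trimmed to the organization's standard, and the first-use value is delivered out of band with a flag that forces a change at first login.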

Auditing Guidance

  1. Determine if processes, procedures and technical measures for the secure management of passwords are defined.
  2. Determine if processes, procedures and technical measures for the secure management of passwords are implemented and consistently followed in practice.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.