3.5.5 has a weight of -1 points

(Identification and Authentication Family, 5/11)

Prevent reuse of identifiers for a defined period.

Example of System Security Plan (SSP):

    1. Implemented a policy or mechanism to prevent the reuse of identifiers (such as usernames, account numbers, or device identifiers) for a defined period.
    2. Recognized that identifiers are assigned to users, processes acting on behalf of users, or devices within the organization’s systems.
    3. Updated user account management processes and systems to enforce the prevention of identifier reuse. This includes preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.
    4. Defined the duration for which identifiers must remain unused before they can be reassigned to new individuals, groups, roles, or devices. This duration should align with organizational requirements and security considerations.
    5. Integrated identifier reuse prevention mechanisms into user provisioning workflows and account management systems to automatically track and enforce the defined reuse period.
    6. Implemented technical controls or scripting processes to disable or retire identifiers after they have been inactive for the defined reuse period, ensuring that they are not inadvertently assigned to different entities.
    7. Educated users, administrators, and system owners about the importance of preventing identifier reuse and the associated security risks. Emphasized the need to create unique identifiers and adhere to the defined reuse period.
    8. Conducted regular audits or reviews of user accounts, group memberships, and device assignments to identify any instances of potential identifier reuse and take appropriate corrective actions.
    9. Documented the policies, processes, and technical controls related to preventing identifier reuse, including the defined reuse period and associated enforcement mechanisms.
    10. Established monitoring and reporting mechanisms to track and identify any instances of attempted identifier reuse or policy violations, enabling timely remediation.
    11. Conducted periodic reviews and updates of the identifier reuse prevention measures to ensure they remain effective and aligned with organizational requirements, regulatory guidelines, and industry best practices.
    12. Integrated identifier reuse prevention into the overall identity and access management (IAM) framework, ensuring consistency with other IAM controls and processes.


    Example of Plan of Action and Milestones (POA&M):

    Plan of Action and Milestones (POA&M)

    I. Introduction: This POA&M addresses the need to ensure that identifiers are disabled and managed in accordance with IT policy, so that a reused identifier cannot hand one person the access that was granted to a previous holder because of a simple naming convention mistake.

    II. Objective: To implement a robust policy for managing identifiers that disables an identifier for one year after the account is no longer needed and allows reuse only after verifying that all file system permissions associated with it have been removed.

    III. Milestones:

    1. Review Existing Policy:

      • Description: Review existing policies and procedures related to account management and identifier reuse.
      • Target Completion Date: MM/DD/YYYY
      • Responsible Party: IT Security Team

    2. Develop/Update Identifier Management Policy:

      • Description: Develop or update the policy to include disabling identifiers for one year after termination and verifying that file system permissions have been removed before reuse.
      • Target Completion Date: MM/DD/YYYY
      • Responsible Party: Policy Development Team

    3. Implement Automated Monitoring and Verification Tools:

      • Description: Implement tools that automate the disabling, tracking, and re-enabling of identifiers in accordance with the policy.
      • Target Completion Date: MM/DD/YYYY
      • Responsible Party: IT Operations Team

    4. Training and Awareness:

      • Description: Train relevant staff on the new policy and process to ensure understanding and compliance.
      • Target Completion Date: MM/DD/YYYY
      • Responsible Party: Training and Development Team

    5. Continuous Monitoring and Review:

      • Description: Implement regular reviews and audits to ensure the policy is being adhered to and is effective in preventing unauthorized access.
      • Target Completion Date: Ongoing
      • Responsible Party: Compliance and Audit Team

    IV. Risk Assessment: A failure to implement this policy may result in unauthorized access to sensitive data, posing a significant risk to data integrity and compliance with regulatory requirements.
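    One way to implement the hold period, the permission-removal precondition and the reuse reporting that SSP steps 5, 6 and 10 and the POA&M objective above describe, as an added example (not the page's own code or any product's): the `IdentifierLedger` class, its method names, the `day()` clock helper and the employee records are assumed and constructed for illustration.

```python
from datetime import datetime, timedelta

# Hold period from the POA&M objective: one year after the identifier is retired.
REUSE_PERIOD = timedelta(days=365)

class IdentifierLedger:
    """Tracks retired identifiers and refuses reassignment before the hold period
    ends and the former holder's permission removal has been recorded as verified."""

    def __init__(self, reuse_period=REUSE_PERIOD):
        self.reuse_period = reuse_period
        self.active = {}   # identifier -> principal currently holding it
        self.retired = {}  # identifier -> (retired_at, permissions_verified)
        self.audit = []    # (timestamp, event, identifier, detail)

    def _log(self, now, event, ident, detail=""):
        self.audit.append((now.isoformat(), event, ident, detail))

    def assign(self, ident, principal, now):  # True if assigned, False if refused
        reason = None
        if ident in self.active:
            reason = f"still active for {self.active[ident]}"
        elif ident in self.retired:
            retired_at, verified = self.retired[ident]
            if now < retired_at + self.reuse_period:
                reason = f"on hold until {(retired_at + self.reuse_period).date()}"
            elif not verified:
                reason = "permission removal not verified"
        if reason:
            self._log(now, "REUSE_ATTEMPT", ident, reason)  # reportable violation
            return False
        self.retired.pop(ident, None)
        self.active[ident] = principal
        self._log(now, "ASSIGNED", ident, principal)
        return True

    def retire(self, ident, now):  # disable the identifier and start its hold period
        self.retired[ident] = (now, False)
        self._log(now, "RETIRED", ident, self.active.pop(ident))

    def verify_permissions_removed(self, ident, now):  # the POA&M's reuse precondition
        self.retired[ident] = (self.retired[ident][0], True)
        self._log(now, "PERMISSIONS_VERIFIED", ident)

    def reuse_attempts(self):  # audit report of refused assignments (SSP step 10)
        return [e for e in self.audit if e[1] == "REUSE_ATTEMPT"]

def day(n):  # constructed clock for examples: n days after 2024-01-15
    return datetime(2024, 1, 15) + timedelta(days=n)
```

    Feeding `reuse_attempts()` into the monitoring and reporting mechanism of SSP step 10 gives the audit trail that step 8's reviews can check.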

    RELEVANT INFORMATION:

    Identifiers are provided for users, processes acting on behalf of users, or devices (3.5.1). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.


    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.