3.5.7 has a weight of -1 points
(Identification and Authentication Family) 7/11
Enforce a minimum password complexity and change of characters when new passwords are created.
Example of System Security Plan (SSP):
1. Overview:
This document outlines the policy, controls, and audit procedures for managing password complexity within our organization. This is essential for safeguarding information integrity and is implemented in alignment with the compliance standard.
2. Scope:
The policy applies to all organizational units within the company and covers all user accounts that require password authentication.
3. Policy Statement:
3.1 Password Complexity:
- Minimum Length: Passwords must be at least 12 characters in length.
- Complexity Requirements: Passwords must meet complexity requirements, including the use of upper and lowercase letters, numbers, and special characters.
3.2 Group Policy:
- Application: Group policy will enforce these requirements and be applied to all organizational units.
- Enforcement: This policy ensures that all systems are configured with the necessary settings, in line with our compliance requirements.
4. Auditing:
- Annual Audits: This policy will be audited yearly to ensure that the controls are effective and aligned with the compliance standard.
- Audit Records: All audit records, including findings and corrective actions, will be properly documented and retained as per the organization’s retention policy.
5. Responsibilities:
- IT Security Team: Responsible for implementing, maintaining, and auditing the policy.
- Employees: Responsible for complying with the policy and reporting any inconsistencies or breaches.
- Management: Responsible for the overall oversight and support of this policy’s implementation.
Example of Plan of Action and Milestones (POA&M):
Plan of Action and Milestones (POA&M): Password Complexity & Group Policy Management
1. Introduction:
This POA&M is developed to address the continuous improvement, monitoring, and remediation of the password complexity and group policy within the organization. It ensures alignment with the outlined policy, controls, and audit procedures.
2. Scope:
Same as the scope mentioned in the SSP, it applies to all organizational units and user accounts requiring password authentication.
3. Identified Weaknesses:
(Note: You may detail any known weaknesses or vulnerabilities identified in audits or assessments. For this example, we’ll assume some general issues)
- Weak Passwords in Legacy Systems
- Inconsistent Group Policy Implementation Across Different Units
- Lack of Training Among Employees on Password Best Practices
4. Plan of Action:
4.1 Weak Passwords in Legacy Systems:
- Action: Implement a system-wide password reset enforcing the new complexity requirements.
- Responsible Party: IT Security Team
- Target Completion Date: (Specific Date)
- Resources Required: (Details)
- Status: (Open/Closed)
4.2 Inconsistent Group Policy Implementation Across Different Units:
- Action: Conduct a comprehensive review and update the group policy where needed.
- Responsible Party: IT Security Team
- Target Completion Date: (Specific Date)
- Resources Required: (Details)
- Status: (Open/Closed)
4.3 Lack of Training Among Employees on Password Best Practices:
- Action: Develop and deliver training to all employees.
- Responsible Party: Management & HR
- Target Completion Date: (Specific Date)
- Resources Required: (Details)
- Status: (Open/Closed)
5. Monitoring & Auditing:
- Monitoring: Continuous monitoring of the plan implementation.
- Annual Audits: Yearly audits to ensure the controls are effective, as per the policy.
- Audit Records: Maintenance of all audit records as required.
Helpful Links:
Microsoft Azure Password Policy Setup Instructions:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/password-policy
RELEVANT INFORMATION:
This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.
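The following Python check is an added example, not part of the original page, showing how the SSP 3.1 complexity rules (12-character minimum, all four character classes) and the 3.5.7 "number of changed characters" definition above can be verified together at password-change time. The position-by-position comparison and the minimum of 4 changed characters are assumptions for illustration; the page fixes no threshold.

```python
import string

MIN_LENGTH = 12         # SSP 3.1: passwords must be at least 12 characters
MIN_CHANGED_CHARS = 4   # assumed organizational threshold (not stated on the page)


def complexity_failures(password: str) -> list[str]:
    """Return the SSP 3.1 complexity rules the password does NOT satisfy."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def changed_positions(current: str, new: str) -> int:
    """Count changed characters relative to the positions of the current password.

    Interpretation (assumed): each position of the current password counts as
    changed when the new password has a different character there or no
    character at all; characters appended beyond the old length also count.
    """
    changed = sum(1 for i, c in enumerate(current) if i >= len(new) or new[i] != c)
    changed += max(0, len(new) - len(current))
    return changed


def validate_change(current: str, new: str) -> list[str]:
    """Return all reasons a proposed password change would be rejected.

    An empty list means the change satisfies both the complexity rules and
    the minimum-changed-characters rule.
    """
    failures = complexity_failures(new)
    changed = changed_positions(current, new)
    if changed < MIN_CHANGED_CHARS:
        failures.append(f"only {changed} characters changed (minimum {MIN_CHANGED_CHARS})")
    return failures


# Constructed sample values for a stand-alone run.
if __name__ == "__main__":
    print(validate_change("Autumn-Leaf-2024", "Autumn-Leaf-2025"))  # incrementing a digit is rejected
    print(validate_change("Autumn-Leaf-2024", "Maple#Ridge!7731"))  # []
```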
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.