Example of Secure Authentication Procedure

Uncategorized 4 Minutes

Purpose

To define security requirements for user identification and authentication controls required to safeguard access to XXX’s information and information systems.

Scope

This procedure applies to all XXX users who access the organization’s systems, applications, services, and technology resources. All users are responsible for adhering to this policy. If needed or appropriate, information regarding roles, responsibilities, management commitment, and coordination among organizational entities are embedded within these
procedures.

Responsibilities:

Chief Information Security Officer (CISO):

The CISO is responsible for, but not limited to the following activities:

  • Revisions, implementation, workforce education, interpretation, and enforcement of this procedure.
  • Ensuring system passwords are changed whenever there is a security incident that indicates a password compromise.

System/Application Administrators:

System/application administrators are responsible for, but not limited to the following activities:

  • Configuring systems or implementing technical controls that comply with the requirements of this procedure.
  • Maintain a list of commonly used and compromised (or expected of) passwords, and review and updates the list at least every 180 days. Implement a system that checks for and rejects the use of these passwords by users.
  • Configuring the password management system to allow for long passwords and passphrases, including spaces and all printable characters.
  • Configuring the password management system to assist workforce members in selecting strong passwords and authenticators.
  • Ensuring default passwords across all organizational systems are changed.

General Requirements:

Access to covered information will be traceable to an individual using a unique user identification (userID) code. The use of generic, shared, or group userIDs, and passwords, or any other type of access that could lead to actions being performed that would not require individual authentication or identification is prohibited. These requirements apply to ANY user with access to XXX’s information systems including non-organizational user such as customers, clients, and/or contractors. Certain types of user support transactions, like resetting passwords, whether by the Help Desk, system administrator, or self-provisioning tool, will require positive verification of the requestor’s identity. Positive verification can be accomplished through one of the following:

  • In person, face-to-face verification.
  • Responding correctly to “secret” questions that the requestor previously provided the answers to. The questions are used by the Help Desk or a self-provisioning tool to verify the requestor’s identity if face-to-face verification is not possible or feasible. At least two questions will be asked by the Help Desk or the self-provisioning tool before providing the requestor with a temporary password.
  • Cell phone verification: Technology used to send a one-time temporary code to a predefined cell phone number. The code is used to gain access to a screen where the requester is prompted to create a new password. used to send a one-time temporary code to a predefined cell phone number. The code is used to gain access to a screen where the requester is prompted to create a new password.
  • Workforce members are required to send acknowledgement whenever a password is successfully received or reset to confirm the information was sent to the correct user and the account has not been compromised.

Authentication Requirements:

Authentication requirements defined by this procedure will be required in all information technology (e.g., workstations, laptops, mobile devices, servers, routers, etc.) configuration standards. If application specific identification and authentication controls are needed those will be defined in a separate standard. Information technology password configuration requirements are as follows:

  • Passwords will be (8) eight characters in length.
  • Passwords will be comprised of at least three of the following: uppercase alpha character; lowercase alpha character; numeric character; and special character (i.e., !, @, #, $, %, &, *, ?).
  • Passwords will not be the same as a user’s ID/logon.
  • Passwords will not be included in automated log-on processes.

For all initial, first-time, log-on’s or under any circumstance that requires a user to change their password (e.g., account recovery), users will be provided a secure (i.e., not guessable) temporary password to use to login. Upon login, the user will be immediately prompted (i.e., forced) to change the temporary password to something only they know that meets the previously mentioned composition requirements. Temporary/default passwords will:

  • Be one time use only
  • Follow same composition rules as regular passwords

Electronic Signatures:

Electronic signatures used in conjunction with passwords for the purposes of authentication and system access will be protected by ensuring the following:

  • The organization requires that electronic signatures are unique to one individual and cannot be reused by, or reassigned to, anyone else. Workforce members will be held accountable to all actions initiated under their electronic signatures.
  • Identity verification of the individual is required prior to establishing, assigning, or certifying an individual’s electronic signature or any element of such signature.
  • Electronic signatures based upon bio metrics are designed to ensure that they cannot be used by any individual other than their genuine owners.
  • Electronic signatures and handwritten signatures executed to electronic records shall be linked to their respective electronic records.
  • Signed electronic records shall contain information associated with the signing in human readable format.
  • If relevant, ensure that all legal considerations related to the use of electronic signatures are addressed.
  • For any electronic signatures that are not based upon bio metrics, these instances shall employ at least two distinct identification components that can be administered and evaluated for authorized authentication.

Documentation Retention:

Documentation of compliance assessments will be retained for a period of no less than 6 years from the date of the assessment.


Applicability:

All employees, volunteers, trainees, consultants, contractors, and other persons (i.e., workforce) whose conduct, in the performance of work for XXX, is under the direct control of XXX, whether or not they are compensated by XXXX.

Compliance:

Workforce members are required to comply with all information security policies/procedures as a condition of employment/contract with XXX. Workforce members who fail to abide by requirements outlined in information security policies/procedures are subject to disciplinary action up to and including termination of employment/contract.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply