Security Management Strategies for the CIORequires Free Membership to View
Most regulations, including SOX, GLBA and HIPAA, and industry standards like the PCI Data Security Standard, require auditing of user accounts, including user IDs and passwords. The main focus is on safe password practices, such as requiring strong passwords and encrypting passwords stored on systems, and auditing who has access to systems. Regulators and auditors require regular reporting on user accounts.
So, even though it isn't illegal to divulge passwords, protecting them is required for compliance and will go a long way toward keeping a company out of legal hot water.
Requirement 8 of the PCI DSS is a good example of a standard for benchmarking protection of passwords on systems. This section calls for each user to have a unique user ID and password. If several users share a password, and that account is compromised by a malicious individual, it would be impossible to track down the offender.
Requirement 8.4 calls for encryption of all passwords both in transit to and storage on systems, but Requirement 8.5 goes into more detail about the type of password policies and restrictions. Most of these are industry best practices for IT security, including password complexity, expiration, length, lockout after failed logins, session expiration and revocation of access for terminated users.
More information:
- Learn more about setting up password expiries in Active Directory to keep passwords secure.
- Read about the tools hackers can use to crack laptop passwords and how to mitigate their effects.
This was first published in July 2008
Join the conversationComment
Share
Comments
Results
Contribute to the conversation