I have read:
- PCI DSS 1.2
- SOX 404
- AR 25-2
- ISO 27001
But only PCI DSS specifies a minimum password length.
Are there any other regulations that dictate password lengths for any industry?
NIST documents talk about the impacts of certain lengths and complexities [NIST SP 800-63b now provides guidance on password length]. OWASP, SANS, and others give their opinions on password minimums, but they couldn't be considered official.
Not looking for recommendations or impacts of various lengths, but actual regulations that require a certain length. For the purposes of this question, it doesn't even matter if the regulations are good or not, just some regulatory body saying that passwords must be at least a certain length.
6 Answers
I believe the National Institute of Standards and Technology (NIST) publishes the United States Government Configuration Baseline (USGCB, formerly known as Federal Desktop Core Configuration or FDCC) checklists, which specify the password complexity, lifetime, and history requirements for U.S. federal organizations. Also, the Center for Internet Security (CIS) publishes Benchmarks for various platforms, which include similar recommendations.
Between the two, the highest mark is:
- 12 characters minimum.
- At least three character types.
- Expiration in 60 days.
- Minimum lifetime of 1 day.
- No reuse within 24 passwords.
- Some OS-specific additional requirements may be applied.
Those settings are applied at the OS level. I'm not sure if either organization has similar specifications specifically targeting applications or websites, but most organizations which are subject to these will probably just use the same requirements as they do in the OS.
A Google search for any of the above terms should turn up a wealth of information. (I may add links here myself later, or anyone else is free to edit them in.)
To be honest the 'official documentation' for all of these standards is incomplete, and as a CISSP in the industry it's really annoying.
How I look at it is that no one is going to approve you if you have known vulnerabilities in your software, period. The authority for this is the Community Emergency Response Teams (CERT), and CERTs issue CVE numbers for vulnerabilities. All CERTs use the Common Weakness Enumeration system to classify vulnerabilities in software.
There is CWE-521 - Weak Password Requirements which lists the following:
- Minimum and maximum length;
- Require mixed character sets (alpha, numeric, special, mixed case);
- Do not contain user name;
- Expiration;
- No password reuse.
It should be noted that the CWE system is a tree, and the parent of CWE-521 is CWE-255 credentials management.
Since you are looking for ANY regulatory body, whether applicable to you or not, Department of Defense Instruction 8500.2, Information Assurance Implementation states:
For systems utilizing a logon ID as the individual identifier, passwords are, at a minimum, a case sensitive, 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!). At least four characters must be changed when a new password is created.
NIST SP 800-63b [in draft] now provides detailed guidance for passwords at different authentication levels.
A Memorized Secret (a.k.a 'password') SHALL be at least 8 characters in length if chosen by the subscriber; memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric.
Most of the federal regulations are ambiguous on purpose. They say you have to be secure but don't give you specific instructions on how. PCI-DSS is a Contract that you have to sign in order to do business using Credit Cards. Because of things like the Fair Credit Reporting Act that puts the burden of stolen credit card transactions on the Credit Card companies, you bet your butt they are going to be very specific and measurable.
To answer your question directly, no, I am not aware of any other regulation or contract that specifies measurable security controls other than PCI-DSS. Most of the answers listed are things that you/your company can subscribe to, but they are not required. PCI-DSS, HIPAA, SOX, GLBA are required depending on whether you are dealing with Credit Card, Health Info, Publicly Traded or Financial. There may be some Statutory or International laws that you would have to consider and those can be very specific and/or very confusing. Especially in Canada when you try to figure out if you have to enforce privacy controls based on National, Provincial regulation or some Ministry via contract.
The best regulation I've seen in regards to password complexity is in the CIS guidelines, which are referred to by other regulations. But even they say 'The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies.' An example from here: https://benchmarks.cisecurity.org/tools2/linux/CIS_CentOS_Linux_7_Benchmark_v1.1.0.pdf
6.3.2 Set Password Creation Requirement Parameters Using pam_pwquality (Scored)
Profile Applicability:
- Level 1
Description: The pam_pwquality module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options.
- try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
- retry=3 - Allow 3 tries before sending back a failure.
The following options are set in the /etc/security/pwquality.conf file:
- minlen=14 - password must be 14 characters or more
- dcredit=-1 - provide at least 1 digit
- ucredit=-1 - provide at least one uppercase character
- ocredit=-1 - provide at least one special character
- lcredit=-1 - provide at least one lowercase character
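As an added example (not code from the CIS benchmark or from this answer), the following Python audits the settings in a pwquality.conf body against the benchmark values quoted above and applies a simplified model of the minlen/credit rule to candidate passwords. The sample configuration is constructed, and the library defaults used for missing keys are an assumption stated in the code.

```python
"""Audit pam_pwquality settings against the CIS CentOS 7 benchmark values (section 6.3.2)."""
from __future__ import annotations

# Values the benchmark sets in /etc/security/pwquality.conf.
CIS_REQUIRED = {"minlen": 14, "dcredit": -1, "ucredit": -1, "ocredit": -1, "lcredit": -1}

# Assumed defaults applied by the library when a key is absent from the file.
ASSUMED_DEFAULTS = {"minlen": 8, "dcredit": 0, "ucredit": 0, "ocredit": 0, "lcredit": 0}

# Constructed sample pwquality.conf that does NOT meet the benchmark.
SAMPLE_CONF = """\
# Minimum acceptable size for the new password
minlen = 8
dcredit = -1
ucredit = 0
ocredit = -1
# lcredit deliberately left unset
"""


def parse_pwquality(text: str) -> dict[str, int]:
    """Return the integer key = value settings we care about, ignoring comments and blanks."""
    settings: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in CIS_REQUIRED:
            settings[key] = int(value)
    return settings


def audit_against_cis(settings: dict[str, int]) -> list[str]:
    """List every setting weaker than the benchmark. For minlen, smaller is weaker;
    for the credit options, a value above -1 (0 or positive) no longer forces that class."""
    findings = []
    for key, required in CIS_REQUIRED.items():
        actual = settings.get(key, ASSUMED_DEFAULTS[key])
        weaker = actual < required if key == "minlen" else actual > required
        if weaker:
            findings.append(f"{key}={actual} (benchmark requires {key}={required})")
    return findings


def meets_policy(password: str, settings: dict[str, int]) -> bool:
    """Simplified credit model: a negative credit is a minimum count for that character
    class; a non-negative credit adds up to that many characters of length credit.
    The effective length (len + credit) must reach minlen."""
    counts = {
        "dcredit": sum(c.isdigit() for c in password),
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
        "ocredit": sum(not c.isalnum() for c in password),
    }
    credit = 0
    for key, count in counts.items():
        limit = settings.get(key, ASSUMED_DEFAULTS[key])
        if limit < 0 and count < -limit:
            return False          # required class is missing or under-represented
        if limit >= 0:
            credit += min(count, limit)
    return len(password) + credit >= settings.get("minlen", ASSUMED_DEFAULTS["minlen"])
```

Running `audit_against_cis(parse_pwquality(SAMPLE_CONF))` reports minlen, ucredit and the unset lcredit as weaker than the benchmark.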
ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information technology – Security techniques – Code of practice for information security controls.
The ISO/IEC 27000-series standards are descended from a corporate security standard donated by Shell to a UK government initiative in the early 1990s.[1] The Shell standard was developed into British Standard BS 7799 in the mid-1990s, and was adopted as ISO/IEC 17799 in 2000. The ISO/IEC standard was revised in 2005, and renumbered ISO/IEC 27002 in 2007 to align with the other ISO/IEC 27000-series standards. It was revised again in 2013.
ISO/IEC 27002 provides best practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). Information security is defined within the standard in the context of the CIA triad:
- the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).[2]
Outline
Outline for ISO/IEC 27002:2013
The standard starts with 5 introductory chapters:
- Introduction
- Scope
- Normative references
- Terms and definitions
- Structure of this standard
These are followed by 14 main chapters:
- Information Security Policies
- Organization of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptography
- Physical and environmental security
- Operations security - procedures and responsibilities, Protection from malware, Backup, Logging and monitoring, Control of operational software, Technical vulnerability management and Information systems audit coordination
- Communication security - Network security management and Information transfer
- System acquisition, development and maintenance - Security requirements of information systems, Security in development and support processes and Test data
- Supplier relationships - Information security in supplier relationships and Supplier service delivery management
- Information security incident management - Management of information security incidents and improvements
- Information security aspects of business continuity management - Information security continuity and Redundancies
- Compliance - Compliance with legal and contractual requirements and Information security reviews
Within each chapter, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided.
Specific controls are not mandated since:
- Each organization is expected to undertake a structured information security risk assessment process to determine its specific requirements before selecting controls that are appropriate to its particular circumstances. The introduction section outlines a risk assessment process, although there are more specific standards covering this area such as ISO/IEC 27005. The use of information security risk analysis to drive the selection and implementation of information security controls is an important feature of the ISO/IEC 27000-series standards: it means that the generic good practice advice in this standard gets tailored to the specific context of each user organization, rather than being applied by rote. For instance, not all of the 39 control objectives are necessarily relevant to every organization, so entire categories of control may not be deemed necessary. The standards are also open ended in the sense that the information security controls are 'suggested', leaving the door open for users to adopt alternative controls if they wish, just so long as the key control objectives relating to the mitigation of information security risks are satisfied. This helps keep the standard relevant despite the evolving nature of information security threats, vulnerabilities and impacts, and trends in the use of certain information security controls.
- It is practically impossible to list all conceivable controls in a general purpose standard. Industry-specific implementation guidelines for ISO/IEC 27001:2013 and ISO/IEC 27002 offer advice tailored to organizations in the telecoms industry (see ISO/IEC 27011) and healthcare (see ISO 27799).
Most organizations implement a wide range of information security-related controls, many of which are recommended in general terms by ISO/IEC 27002. Structuring the information security controls infrastructure in accordance with ISO/IEC 27002 may be advantageous since it:
- Is associated with a well-respected international standard
- Helps avoid coverage gaps and overlaps
- Is likely to be recognized by those who are familiar with the ISO/IEC standard
Implementation example of ISO/IEC 27002
Here are a few examples of typical information security policies and other controls relating to three parts of ISO/IEC 27002. (Note: this is merely an illustration. The list of example controls is incomplete and not universally applicable.)
Physical and Environmental security
- Physical access to premises and support infrastructure (communications, power, air conditioning etc.) must be monitored and restricted to prevent, detect and minimize the effects of unauthorized and inappropriate access, tampering, vandalism, criminal damage, theft etc.
- The list of people authorized to access secure areas must be reviewed and approved periodically (at least once a year) by Administration or Physical Security Department, and cross-checked by their departmental managers.
- Photography or video recording is forbidden inside Restricted Areas without prior permission from the designated authority.
- Suitable video surveillance cameras must be located at all entrances and exits to the premises and other strategic points such as Restricted Areas, recorded and stored for at least one month, and monitored around the clock by trained personnel.
- Access cards permitting time-limited access to general and/or specific areas may be provided to trainees, vendors, consultants, third parties and other personnel who have been identified, authenticated, and authorized to access those areas.
- Other than in public areas such as the reception foyer, and private areas such as rest rooms, visitors should be escorted at all times by an employee while on the premises.
- The date and time of entry and departure of visitors along with the purpose of visits must be recorded in a register maintained and controlled by Site Security or Reception.
- Everyone on site (employees and visitors) must wear and display their valid, issued pass at all times, and must present their pass for inspection on request by a manager, security guard or concerned employee.
- Access control systems must themselves be adequately secured against unauthorized/inappropriate access and other compromises.
- Fire/evacuation drills must be conducted periodically (at least once a year).
- Smoking is forbidden inside the premises other than in designated Smoking Zones.
Human Resource security
- All employees must be screened prior to employment, including identity verification using a passport or similar photo ID and at least two satisfactory professional references. Additional checks are required for employees taking up trusted positions.
- All employees must formally accept a binding confidentiality or non-disclosure agreement concerning personal and proprietary information provided to or generated by them in the course of employment.
- Human Resources department must inform Administration, Finance and Operations when an employee is taken on, transferred, resigns, is suspended or released on long-term leave, or their employment is terminated.
- Upon receiving notification from HR that an employee's status has changed, Administration must update their physical access rights and IT Security Administration must update their logical access rights accordingly.
- An employee's manager must ensure that all access cards, keys, IT equipment, storage media and other valuable corporate assets are returned by the employee on or before their last day of employment.
Access control
- User access to corporate IT systems, networks, applications and information must be controlled in accordance with access requirements specified by the relevant Information Asset Owners, normally according to the user's role.
- Generic or test IDs must not be created or enabled on production systems unless specifically authorized by the relevant Information Asset Owners.
- After a predefined number of unsuccessful logon attempts, security log entries and (where appropriate) security alerts must be generated and user accounts must be locked out as required by the relevant Information Asset Owners.
- Passwords or pass phrases must be lengthy and complex, consisting of a mix of letters, numerals and special characters that would be difficult to guess.
- Passwords or pass phrases must not be written down or stored in readable format.
- Authentication information such as passwords, security logs, security configurations and so forth must be adequately secured against unauthorized or inappropriate access, modification, corruption or loss.
- Privileged access rights typically required to administer, configure, manage, secure and monitor IT systems must be reviewed periodically (at least twice a year) by Information Security and cross-checked by the appropriate departmental managers.
- Users must either log off or password-lock their sessions before leaving them unattended.
- Password-protected screensavers with an inactivity timeout of no more than 10 minutes must be enabled on all workstations/PCs.
- Write access to removable media (USB drives, CD/DVD writers etc.) must be disabled on all desktops unless specifically authorized for legitimate business reasons.
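The lockout-and-alert control in the access control list above, as an added example that is not from ISO/IEC 27002 or any product: it walks constructed authentication log lines, records a security log entry for every failure, raises an alert and locks the account once a user reaches the predefined threshold, and (an assumption added here) only counts failures inside a time window so a slow trickle does not lock accounts forever.

```python
"""Failed-logon threshold control: log, alert and lock after N failures in a window."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                    # the "predefined number of unsuccessful logon attempts"
WINDOW = timedelta(minutes=15)   # assumption: only failures inside this window count

# Constructed sample log, one event per line: "<ISO timestamp> <user> <FAIL|OK>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice FAIL
2024-03-01T09:00:05 alice FAIL
2024-03-01T09:00:09 alice FAIL
2024-03-01T09:00:12 alice FAIL
2024-03-01T09:00:15 alice FAIL
2024-03-01T09:00:20 alice FAIL
2024-03-01T09:01:00 bob FAIL
2024-03-01T09:20:00 bob FAIL
2024-03-01T09:40:00 bob FAIL
2024-03-01T09:41:00 bob OK
"""


def evaluate_logons(log_text: str, threshold: int = THRESHOLD,
                    window: timedelta = WINDOW) -> tuple[set[str], list[tuple[str, datetime, str]]]:
    """Return (locked_users, security_log). Each entry is (user, timestamp, message)."""
    recent_failures: dict[str, list[datetime]] = defaultdict(list)
    locked: set[str] = set()
    security_log: list[tuple[str, datetime, str]] = []

    for line in log_text.splitlines():
        ts_text, user, result = line.split()
        ts = datetime.fromisoformat(ts_text)

        if user in locked:
            # Attempts against a locked account are themselves worth alerting on.
            security_log.append((user, ts, "attempt on locked account"))
            continue

        if result == "OK":
            recent_failures[user].clear()   # a successful logon resets the counter
            continue

        # Keep only failures still inside the window, then add this one.
        window_failures = [t for t in recent_failures[user] if ts - t <= window] + [ts]
        recent_failures[user] = window_failures
        security_log.append((user, ts, f"failed logon {len(window_failures)}/{threshold}"))

        if len(window_failures) >= threshold:
            locked.add(user)
            security_log.append((user, ts, "account locked out"))

    return locked, security_log
```

With the sample above, alice is locked at her fifth failure and bob is never locked because his three failures are spread more than 15 minutes apart.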
National equivalent standards
ISO/IEC 27002 has directly equivalent national standards in several countries. Translation and local publication often results in several months' delay after the main ISO/IEC standard is revised and released, but the national standard bodies go to great lengths to ensure that the translated content accurately and completely reflects ISO/IEC 27002.
Countries | Equivalent Standard |
---|---|
Australia New Zealand | AS/NZS ISO/IEC 27002:2006 |
Brazil | ISO/IEC NBR 17799/2007 – 27002 |
Indonesia | SNI ISO/IEC 27002:2014 |
Chile | NCH2777 ISO/IEC 17799/2000 |
China | GB/T 22081-2008 |
Czech Republic | ČSN ISO/IEC 27002:2006 |
Croatia | HRN ISO/IEC 27002:2013 |
Denmark | DS/ISO27002:2014 (DK) |
Estonia | EVS-ISO/IEC 17799:2003, 2005 version in translation |
Germany | DIN ISO/IEC 27002:2008 |
Japan | JIS Q 27002 |
Lithuania | LST ISO/IEC 27002:2009 (adopted ISO/IEC 27002:2005, ISO/IEC 17799:2005) |
Mexico | NMX-I-27002-NYCE-2015 |
Netherlands | NEN-ISO/IEC 27002:2013 |
Peru | NTP-ISO/IEC 17799:2007 |
Poland | PN-ISO/IEC 17799:2007, based on ISO/IEC 17799:2005 |
Russia | ГОСТ Р ИСО/МЭК 27002-2012, based on ISO/IEC 27002:2005 |
Slovakia | STN ISO/IEC 27002:2006 |
South Africa | SANS 27002:2014/ISO/IEC 27002:2013[3] |
Spain | UNE 71501 |
Sweden | SS-ISO/IEC 27002:2014 |
Turkey | TS ISO/IEC 27002 |
Thailand | UNIT/ISO |
Ukraine | СОУ Н НБУ 65.1 СУІБ 2.0:2010 |
United Kingdom | BS ISO/IEC 27002:2005 |
Uruguay | UNIT/ISO 17799:2005 |
Certification
ISO/IEC 27002 is an advisory standard that is meant to be interpreted and applied to all types and sizes of organization according to the particular information security risks they face. In practice, this flexibility gives users a lot of latitude to adopt the information security controls that make sense to them, but makes it unsuitable for the relatively straightforward compliance testing implicit in most formal certification schemes.
ISO/IEC 27001:2013 (Information technology – Security techniques – Information security management systems – Requirements) is a widely recognized certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an ISMS, and in Annex A there is a suite of information security controls that organizations are encouraged to adopt where appropriate within their ISMS. The controls in Annex A are derived from and aligned with ISO/IEC 27002.
Ongoing development
Both ISO/IEC 27001:2013 and ISO/IEC 27002 are revised by ISO/IEC JTC1/SC27 every few years in order to keep them current and relevant. Revision involves, for instance, incorporating references to other issued security standards (such as ISO/IEC 27000, ISO/IEC 27004 and ISO/IEC 27005) and various good security practices that have emerged in the field since they were last published. Due to the significant 'installed base' of organizations already using ISO/IEC 27002, particularly in relation to the information security controls supporting an ISMS that complies with ISO/IEC 27001, any changes have to be justified and, wherever possible, evolutionary rather than revolutionary in nature.
See also
- BS 7799, the original British Standard from which ISO/IEC 17799 and then ISO/IEC 27002 was derived
- Standard of Good Practice published by the Information Security Forum
References
1. 'ISO27k timeline'. ISO27001security.com. IsecT Ltd. Retrieved 9 March 2016.
2. 'ISC CISSP Official Study Guide'. SYBEX. ISBN 978-1119042716. Retrieved 1 November 2016.
3. 'SANS 27002:2014 (Ed. 2.00)'. SABS Web Store. Retrieved 25 May 2015.