Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes from Cybersecurity Fundamentals framework

SAMMY UI is optimized for resolutions with a width 1024px and higher.

PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

Maturity Level 1

Maturity Level 2

Maturity Level 3

PR.AC-1.1

PR.AC-1.1: Identities and credentials for authorized devices and users shall be managed.

Identities and credentials for authorized devices and users could be managed through a password policy. A password policy is a set of rules designed to enhance ICT/OT security by encouraging organization’s to:
(Not limitative list and measures to be considered as appropriate)
Change all default passwords.
Ensure that no one works with administrator privileges for daily tasks.
Keep a limited and updated list of system administrator accounts.
Enforce password rules, e.g. passwords must be longer than a state-of-the-art number of characters with a combination of character types and changed periodically or when there is any suspicion of compromise.
Use only individual accounts and never share passwords.
Immediately disable unused accounts
Rights and privileges are managed by user groups.

Description

Identities and credentials for authorized devices and users shall be managed.

PR.AC-1.2

PR.AC-1.2: Identities and credentials for authorized devices and users shall be managed, where feasible through automated mechanisms.

Automated mechanisms can help to support the management and auditing of information system credentials.
Consider strong user authentication, meaning an authentication based on the use of at least two authentication factors from different categories of either knowledge (something only the user knows), possession (something only the user possesses) or inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way to protect the confidentiality of the authentication data.

Description

Identities and credentials for authorized devices and users shall be managed, where feasible through automated mechanisms.

PR.AC-1.3

PR.AC-1.3: System credentials shall be deactivated after a specified period of inactivity unless it would compromise the safe operation of (critical) processes.

To guarantee the safe operation, service accounts should be used for running processes and services.
Consider the use of a formal access procedure for external parties.

Description

System credentials shall be deactivated after a specified period of inactivity unless it would compromise the safe operation of (critical) processes.

PR.AC-1.4

PR.AC-1.4: For transactions within the organization's critical systems, the organization shall implement: multi-factor end-user authentication (MFA or "strong authentication"). certificate-based authentication for system-to-system communications

Consider the use of SSO (Single Sign On) in combination with MFA for the organization's internal and external critical systems.

Description

For transactions within the organization's critical systems, the organization shall implement: • multi-factor end-user authentication (MFA or "strong authentication"). • certificate-based authentication for system-to-system communications

PR.AC-1.5

PR.AC-1.5: The organization’s critical systems shall be monitored for atypical use of system credentials. Credentials associated with significant risk shall be disabled.

Consider limiting the number of failed login attempts by implementing automatic lockout.
The locked account won’t be accessible until it has been reset or the account lockout duration elapses.

Description

The organization’s critical systems shall be monitored for atypical use of system credentials. Credentials associated with significant risk shall be disabled.