The Most Recent Password Security Compliance Guidelines


    One of the most common reasons business owners and IT managers ask me for help shoring up their organizations’ password procedures is the confusing and often-changing requirements of the industry and government regulations with which their organizations must comply. It makes sense that they would want their password policies to be 100 percent in line with their compliance obligations. Running afoul of industry or government regulations is one of the more costly and embarrassing things that can happen to a business. When this happens, losses come in the form of fines and legal fees, as well as bad publicity and loss of customer confidence.

    In this day and age, the regulatory bodies and government legislation with which an organization must comply make up a veritable alphabet soup of acronyms: HIPAA, SOX, CJIS, PCI, GLBA. Many of these regulations were implemented to protect sensitive and private information from falling into the wrong hands, and so most of them include rules—or at least recommendations—regarding password policy. But as new security technologies like multi-factor authentication emerge, along with devious new ways of breaking into password-protected systems, password security compliance requirements are constantly in flux.

    For the next few weeks, I’ll be blogging about how to create and implement a password policy that meets your business’s needs for security and compliance. Let’s start by reviewing some of the most common regulations regarding passwords and authentication.


    The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that does business using payment cards like credit cards and debit cards (and that’s almost every business I can think of). The most recent PCI DSS standard has this to say about passwords:

    • Vendor-supplied defaults (“admin,” “guest,” “user,” etc.) must be changed on any system that can be used to access payment card information.
    • A unique identification must be assigned to every user with access to cardholder data, so that every action taken on the system can be tracked to a specific person.
    • Two-factor authentication (or multi-factor authentication) must be required for remote access to cardholder data. More on multi-factor authentication in future blog posts, but, briefly, it means an authentication system that asks for at least two of the following: something you know (like a password), something you have (like a token or smartcard), or something you are (like a fingerprint).


    The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of healthcare information. While HIPAA does not have very specific requirements regarding passwords, it does require that, “where appropriate” for protecting health information, organizations implement “procedures for creating, changing, and safeguarding passwords,” as well as train employees on password best practices. The U.S. Department of Health and Human Services recommends two-factor authentication as a risk-management strategy for HIPAA compliance.


    The Sarbanes-Oxley Act (SOX), which was enacted by Congress in 2002, calls for greater accuracy in the disclosure of financial information by public companies. While SOX does not mention password policy, it does call for strict internal controls on financial information, which many experts feel includes password security best practices like strong passwords and two-factor authentication.


    Similar to Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect the private information of their customers, does not dictate password policy, but it does require that businesses create and follow an appropriate plan for safeguarding their customers’ financial information. On a website created to help businesses comply with GLBA, the Federal Trade Commission recommends, among other measures, the use of strong passwords and the immediate deactivation of the credentials of terminated employees.


    This one is a requirement for law enforcement entities. The Criminal Justice Information Services (CJIS) Division of the FBI requires that all agencies use multi-factor authentication for access to the criminal data stored in the National Crime Information Center. This is a fairly new requirement, and some law enforcement agencies are still struggling with compliance.

    This was just an overview of what some of the most common industry and government regulations have to say about password security. In the next few blog posts, I’ll take a closer look at some of the solutions available for complying with these regulations, with a special focus on multi-factor authentication.

    I know, I know: the number of laws you are forced to comply with only seems to expand. However, password management software will allow you to easily comply with these requirements, and more, in a way that does not place an undue burden on IT service providers or their clients.
