Leadline Inc.
Control Requirements

LS-25: Valid User IDs and Passwords Required

Require valid user IDs and passwords for network, applications, and database access

Control Description

Valid user IDs and passwords are required to access the Company's network, in-scope applications, and related databases.

Plain Meaning

This control requires the organization to authenticate every user with a valid user ID and password before granting access to the Company's network, in-scope applications, and related databases. It ensures that only authorized users holding valid credentials can reach systems and data.

Implementation

Authentication Requirements

User ID Requirements

  • Unique user ID for each individual user
  • No shared or generic user accounts
  • User IDs should not reveal sensitive information
  • Regular review and cleanup of unused user IDs
  • Proper naming conventions for user IDs

Password Requirements

  • Strong passwords that meet complexity requirements
  • Individual passwords for each user account
  • No shared or default passwords
  • Regular password changes as per policy
  • Secure password storage and transmission

Implementation Approach

User Account Management

  • Individual Accounts: Create unique accounts for each user
  • Account Provisioning: Formal process for creating new user accounts
  • Account Deprovisioning: Process for removing user accounts when no longer needed
  • Account Review: Regular review of active user accounts
  • Account Monitoring: Monitor for unusual account activity

Authentication Implementation

  • Network Access: Require authentication for all network access
  • Application Access: Implement authentication for all applications
  • Database Access: Require authentication for database connections
  • Remote Access: Secure authentication for remote access
  • API Access: Implement authentication for API access

Simple Implementation Steps

  1. Inventory Systems: Document all systems requiring authentication
  2. Create User Accounts: Set up individual accounts for all users
  3. Configure Authentication: Enable authentication on all systems
  4. Set Password Policies: Implement strong password requirements
  5. Test Authentication: Verify authentication is working properly
  6. Monitor Compliance: Regularly check that authentication is enforced

Key Success Factors

  1. Unique Accounts: Individual user accounts for all users
  2. Strong Authentication: Robust authentication mechanisms
  3. Comprehensive Coverage: Authentication required for all access points
  4. Regular Monitoring: Ongoing verification of authentication effectiveness
  5. User Education: Training users on authentication requirements

Common Pitfalls to Avoid

  • Shared Accounts: Using shared or generic user accounts
  • Weak Passwords: Allowing weak or default passwords
  • Incomplete Coverage: Missing authentication on some systems
  • No Monitoring: Not verifying authentication is working properly

Related Controls

  • LS-21: Password parameters configuration
  • LS-26: Multi-factor authentication for administrative activities
  • LS-22: Manager approval for access requests

Authentication Security