AUTH-11 Password Configurations

What is this control about?

A password policy is a set of configuration attributes that an administrator defines from the documented policy and implements on all company resources. Strong password requirements help mitigate the risk of unauthorized access. Password best practices tend to change, so it is recommended to stay up to date on them.

Available tools in the marketplace

Tools:
 No tool recommendations for this section.

Available templates

TrustCloud has a curated list of internally or externally sourced templates to help you get started. Click on the link for a downloadable version:

  • NIST (National Institute of Standards and Technology) password configuration best practices summary

Control implementation

Note: This control is automated by TrustCloud. Connect your system to enjoy the benefit of automation.

For a manual implementation:

Document a password policy that defines what the password requirements are (min length, max length, characters, etc.). Use NIST for guidance.

Enforce the defined configurations on all systems.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the suggested actions below:

  • Provide the password policy that shows the required password configurations
  • Provide a screenshot of the password configuration settings for each system

Evidence example

For each suggested action above, an example is provided below.

1. Provide the password policy that shows the required password configurations

TrustCloud Password policy template

No screenshot is deemed necessary, as the template provided serves as an artifact example.

2. Provide a screenshot of the password configuration settings for each system.

The example shows the password configurations. Provide a similar artifact for the relevant system.

Google search
