AUTH-3 Password Management Tool

What is this control about?

Passwords are considered a key protective measure to unauthorized access, especially if done well.

As passwords become increasingly complex with characters and numbers, one can’t possibly remember all of them. One of the recommended ways to manage this many passwords is using a password management tool. Especially for critical systems.

It is best practice, but not required.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them.

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

• N/A – no templates recommendation

Control implementation

Take an inventory of all admins to critical systems. For these admins, implement a password management process. This can include the download of a password manager tool to create and record passwords in a safe vault for critical systems.

What evidence do auditors look for?

Most auditors, at a minimum are looking for the below suggested action:

• Provide a screenshot of the tool and its active dashboard
• Provide screenshot of the login process to the tool

Evidence example

From the suggested action above, an example is provided below.

1.    Provide a screenshot of the tool and its active dashboard.

Example of password management tool shows the dashboard

Google search

2. Provide a screenshot of the login process to the tool.

Example showing the login requires username and password

Google search