Identity and Access Management
This checklist helps establish direction and requirements for access to data, information and systems, and helps ensure that users have the appropriate access levels for the information held on systems and applications.
| Category | Sub-Category | Name | Activity |
|---|---|---|---|
| Identity and Access Management | Logical Access Account Lifecycle | Logical Access Provisioning | Logical access provisioning to information systems requires approval from appropriate personnel. |
| Identity and Access Management | Logical Access Account Lifecycle | Logical Access De-provisioning | Logical access that is no longer required in the event of a termination is documented, communicated to management, and revoked. |
| Identity and Access Management | Logical Access Account Lifecycle | Logical Access De-provisioning: Notification | The People Resources system sends a notification to relevant personnel in the event of a termination of an information system user. |
| Identity and Access Management | Logical Access | Logical Access Review | [The organization] performs account and access reviews [in accordance with the organization-defined frequency]; corrective action is taken where applicable. |
| Identity and Access Management | Logical Access Account Lifecycle | Role Change: Access De-provisioning | Upon notification of an employee reassignment or transfer, management reviews the employee's access for appropriateness. Access that is no longer required is revoked and documented. |
| Identity and Access Management | Logical Access Account Lifecycle | Shared Logical Accounts | [The organization] restricts the use of shared and group authentication credentials. |
| Identity and Access Management | Logical Access Account Lifecycle | Shared Account Restrictions | Where applicable, the use of generic and shared accounts to administer systems or perform critical functions is prohibited; generic user IDs are disabled or removed. |
| Identity and Access Management | Authentication | Unique | [The organization] requires unique identifiers for user accounts and prevents identifier reuse. |
| Identity and Access Management | Authentication | Password Authentication | User and device authentication to information systems is protected by passwords that meet [the organization's] password complexity requirements. [The organization] requires system users to change passwords [in accordance with the organization-defined frequency]. |
| Identity and Access Management | Authentication | Multifactor Authentication | Multi-factor authentication is required for: |
| Identity and Access Management | Authentication | Authentication Credential Maintenance | Authorized personnel verify the identity of users before modifying authentication credentials on their behalf. |
| Identity and Access Management | Authentication | Session Timeout | Information systems are configured to terminate inactive sessions after [the organization-defined duration] or when the user terminates the session. |
| Identity and Access Management | Authentication | Session Limit | Information systems are configured to limit concurrent login sessions, and the inactive user interface is not displayed when the session is terminated. |
| Identity and Access Management | Authentication | Account | Users are locked out of information systems after [the organization-defined number] of invalid attempts for a minimum of [the organization-defined duration], or until an administrator enables the user ID. |
| Identity and Access Management | Authentication | Account Lockout | Users are locked out of information systems after multiple, consecutive invalid attempts within a defined period; accounts remain locked for a defined period. |
| Identity and Access Management | Authentication | Privileged Session Management | Privileged logical access to trusted data environments is enabled through an authorized session manager; session user activity is recorded, and tunneling to untrusted data environments is restricted. |
| Identity and Access Management | Authentication | Full Disk Encryption | Where full disk encryption is used, logical access must be managed independently of operating system authentication; decryption keys must not be associated with user accounts. |
| Identity and Access Management | Authentication | Login Banner | Systems leveraged by the U.S. Federal Government present a login screen that displays the following language: |
| Identity and Access Management | Role-Based Logical Access | Logical Access Role Permission Authorization | Initial permission definitions, and changes to permissions, associated with logical access roles are approved by authorized personnel. |
| Identity and Access Management | Role-Based Logical Access | Source Code Security | Access to modify source code is restricted to authorized personnel. |
| Identity and Access Management | Role-Based Logical Access | Service Account Restrictions | Individual user or administrator use of service accounts for O/S, applications, and databases is prohibited. |
| Identity and Access Management | Role-Based Logical Access | PCI Account Restrictions | [The organization] clients with access to the cardholder data environment (CDE), as users or processes, are assigned unique accounts that cannot modify shared binaries or access data, server resources, or scripts owned by another CDE or [the organization]; application processes are restricted from operating in privileged mode. |
| Identity and Access Management | Remote Access | Virtual Private Network | Remote connections to the corporate network are accessed via VPN through managed gateways. |
| Identity and Access Management | Remote Access | Ability to Disable Remote Sessions | [The organization] has a defined process and mechanisms in place to expeditiously disable or disconnect remote access to information systems within a defined time frame based on |
| Identity and Access Management | Remote Access | Remote Maintenance: Authentication Sessions | Vendor accounts used for remote access are enabled only during the time period needed, disabled when not in use, and monitored while in use. |
| Identity and Access Management | Remote Access | Remote Maintenance: Unique Authentication Credentials for each Customer | Where applicable, service providers with remote access to customer premises (e.g., for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. |
| Identity and Access Management | End-user Authentication | End-user Environment Segmentation | Where applicable, processes that run as part of [the organization]'s shared hosting platform will run under unique credentials that permit access to only one customer environment. |
| Identity and Access Management | End-user Authentication | End-user Access to Applications and Data | [The organization] applications secure user data and maintain confidentiality by default or according to permissions set by the individual; [the organization] authenticates individuals with unique identifiers and passwords prior to enabling access to: |
| Identity and Access Management | Key Management | Key Repository Access | Access to the cryptographic keystores is limited to authorized personnel. |
| Identity and Access Management | Key Management | Data Encryption Keys | [The organization] changes shared data encryption keys |
| Identity and Access Management | Key Management | Key Maintenance | Cryptographic keys are invalidated when compromised or at the end of their defined lifecycle period. |
| Identity and Access Management | Key Management | Clear Text Key Management | If applicable, manual clear-text cryptographic key-management operations must be managed using split knowledge and dual control. |
| Identity and Access Management | Key Storage and Distribution | Key Store Review | Management reviews and authorizes key store locations. |
| Identity and Access Management | Key Storage and Distribution | Storage of Data Encryption Keys | Storage of data encryption keys that encrypt or decrypt cardholder data meet at least |
| Identity and Access Management | Key Storage and Distribution | Clear Text Distribution | [The organization] prohibits the distribution of cryptographic keys in clear text. |
| Identity and Access Management | Public Key Infrastructure | Installation of Software: Certificate Verification | Digital certificates are verified by information system components prior to installation on the production network. |
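The two lockout rows above (invalid attempts counted within a defined period, a minimum lock duration, and the option of holding the lock until an administrator re-enables the user ID) are easier to reason about as a small state machine. The following Python is an added example written for this page, not code from the checklist's source; `MAX_INVALID_ATTEMPTS`, `ATTEMPT_WINDOW` and `LOCKOUT_DURATION` are constructed placeholders standing in for the organization-defined values the checklist leaves bracketed.

```python
"""Account lockout policy as a state machine (added example, not from the checklist's source)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed placeholders for the checklist's bracketed, organization-defined values.
MAX_INVALID_ATTEMPTS = 5                  # [the organization-defined number]
ATTEMPT_WINDOW = timedelta(minutes=15)    # "within a defined period" (consecutive failures counted here)
LOCKOUT_DURATION = timedelta(minutes=30)  # minimum of [the organization-defined duration]


@dataclass
class AccountState:
    user_id: str
    failures: List[datetime] = field(default_factory=list)  # timestamps of recent invalid attempts
    locked_until: Optional[datetime] = None                  # end of the timed lock, if any
    admin_locked: bool = False                               # lock persists until an administrator enables the ID

    def is_locked(self, now: datetime) -> bool:
        if self.admin_locked:
            return True
        return self.locked_until is not None and now < self.locked_until

    def prune_old_failures(self, now: datetime) -> None:
        """Keep only failures inside the observation window, so spread-out failures do not accumulate."""
        cutoff = now - ATTEMPT_WINDOW
        self.failures = [t for t in self.failures if t > cutoff]


def record_attempt(state: AccountState, success: bool, now: datetime,
                   require_admin_unlock: bool = False) -> str:
    """Apply one authentication outcome and return "ok", "invalid" or "locked".

    Attempts against a locked account are rejected without touching the counter or
    extending the lock; a successful login clears the failure history.
    """
    if state.is_locked(now):
        return "locked"
    if success:
        state.failures.clear()
        state.locked_until = None
        return "ok"
    state.prune_old_failures(now)
    state.failures.append(now)
    if len(state.failures) >= MAX_INVALID_ATTEMPTS:
        state.locked_until = now + LOCKOUT_DURATION
        state.admin_locked = require_admin_unlock
        state.failures.clear()  # the counter restarts once the lock expires
        return "locked"
    return "invalid"


def admin_unlock(state: AccountState) -> None:
    """An authorized administrator re-enables the user ID (clears both lock forms)."""
    state.locked_until = None
    state.admin_locked = False
    state.failures.clear()


def run_scenario() -> List[str]:
    """Constructed walk-through: five quick failures lock the account, a login during
    the lock is rejected, and a login after the lock expires succeeds."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    acct = AccountState("alice")  # constructed sample user
    outcomes = [record_attempt(acct, False, t0 + timedelta(seconds=i)) for i in range(5)]
    outcomes.append(record_attempt(acct, True, t0 + timedelta(minutes=10)))
    outcomes.append(record_attempt(acct, True, t0 + timedelta(minutes=31)))
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

Two behaviours are deliberate and worth checking in any real implementation: a valid password presented while the lock is active is still refused (otherwise the lock gives no protection), and failures that fall outside the observation window are discarded before counting, which is what "consecutive ... within a defined period" requires.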
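The account-lifecycle rows (de-provisioning on termination, review on transfer, periodic access review, shared and generic account restrictions, and vendor accounts disabled when not in use) all come down to reconciling the account inventory against the HR record and flagging exceptions for corrective action. The Python below is an added example written for this page, not code from the checklist's source; the `Person` and `Account` records, the finding labels, and the `grace` and `dormant_after` thresholds are constructed assumptions, and the sample data is invented.

```python
"""Access review reconciliation (added example, not from the checklist's source)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    department: str
    status: str          # "active" or "terminated"
    status_date: date    # effective date of the latest hire/transfer/termination


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: Optional[str]   # None for generic or shared accounts with no individual owner
    enabled: bool
    role_department: str      # department the account's role is intended for
    last_login: Optional[date]
    kind: str                 # "user", "service" or "vendor" (vendor accounts are owned by their sponsor)


Finding = Tuple[str, str]


def review_accounts(accounts: List[Account], people: List[Person], today: date,
                    grace: timedelta = timedelta(days=1),
                    dormant_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return (account_id, finding) pairs that need corrective action.

    grace: how long after termination an enabled account is tolerated (assumed SLA).
    dormant_after: enabled accounts unused this long are flagged (covers vendor accounts
    that should be disabled when not in use).
    """
    by_id = {p.person_id: p for p in people}
    findings: List[Finding] = []
    for a in accounts:
        if a.owner_id is None:
            # Generic/shared user IDs should be disabled or removed; service accounts are reviewed separately.
            if a.enabled and a.kind == "user":
                findings.append((a.account_id, "shared-or-generic-account-enabled"))
            continue
        owner = by_id.get(a.owner_id)
        if owner is None:
            findings.append((a.account_id, "orphaned-no-hr-record"))
            continue
        if owner.status == "terminated":
            if a.enabled and today - owner.status_date > grace:
                findings.append((a.account_id, "terminated-owner-still-enabled"))
            continue
        if a.role_department != owner.department:
            # Owner moved departments but kept a role scoped to the old one.
            findings.append((a.account_id, "role-mismatch-after-transfer"))
        if a.enabled and (a.last_login is None or today - a.last_login > dormant_after):
            findings.append((a.account_id, "dormant-account-enabled"))
    return sorted(findings)


# Constructed sample data: an HR roster and an account inventory as of 2024-03-10.
SAMPLE_PEOPLE = [
    Person("alice", "eng", "active", date(2023, 1, 10)),
    Person("bob", "eng", "terminated", date(2024, 3, 1)),
    Person("carol", "finance", "active", date(2024, 2, 15)),  # transferred from eng
]
SAMPLE_ACCOUNTS = [
    Account("acct-alice", "alice", True, "eng", date(2024, 3, 9), "user"),
    Account("acct-bob", "bob", True, "eng", date(2024, 2, 28), "user"),
    Account("acct-bob-old", "bob", False, "eng", date(2023, 6, 1), "user"),
    Account("acct-carol", "carol", True, "eng", date(2024, 3, 5), "user"),
    Account("acct-dave", "dave", True, "ops", date(2024, 3, 1), "user"),
    Account("shared-admin", None, True, "ops", date(2024, 3, 8), "user"),
    Account("svc-backup", None, True, "ops", date(2024, 3, 9), "service"),
    Account("vendor-x", "alice", True, "eng", date(2023, 11, 1), "vendor"),
]


def run_sample_review() -> List[Finding]:
    return review_accounts(SAMPLE_ACCOUNTS, SAMPLE_PEOPLE, date(2024, 3, 10))


if __name__ == "__main__":
    for account_id, finding in run_sample_review():
        print(f"{account_id}: {finding}")
```

The output is the worklist the "corrective action is taken where applicable" clause refers to; each finding maps to one checklist row, and a disabled account of a terminated user (`acct-bob-old`) correctly produces nothing, since revocation has already happened.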