ia-2(6)

identification and authentication  | network access to privileged accounts  –separate device

assessment objective:

Determine if:

ia-2(6)[1]

the information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;

ia-2(6)[2]

the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining network access to privileged accounts; and

ia-2(6)[3]

the information system implements multifactor authentication for network access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements.

potential assessment methods and objects:

Examine: [select from: Identification and authentication policy; procedures addressing user identification and authentication; information system design documentation; information system configuration settings and associated documentation; information system audit records; list of information system accounts; other relevant documents or records].

Interview: [select from: Organizational personnel with information system operations responsibilities; organizational personnel with account management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].

Test: [select from: Automated mechanisms supporting and/or implementing multifactor authentication capability].