ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Applicable (Y)es / (N)o | (C)onfidentiality L1 M2 H3 | (I)ntegrity L1 M2 H3 | (A)vailability L1 M2 H3 | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory +##

IA-4 Identifier Management

Assessment objective:

Determine if the organization manages information system identifiers by:

IA-4(a)
IA-4(a)[1] defining personnel or roles from whom authorization must be received to assign:
IA-4(a)[1][a] an individual identifier;
IA-4(a)[1][b] a group identifier;
IA-4(a)[1][c] a role identifier; and/or
IA-4(a)[1][d] a device identifier;
IA-4(a)[2] receiving authorization from organization-defined personnel or roles to assign:
IA-4(a)[2][a] an individual identifier;
IA-4(a)[2][b] a group identifier;
IA-4(a)[2][c] a role identifier; and/or
IA-4(a)[2][d] a device identifier;

IA-4(b) selecting an identifier that identifies:
IA-4(b)[1] an individual;
IA-4(b)[2] a group;
IA-4(b)[3] a role; and/or
IA-4(b)[4] a device;

IA-4(c) assigning the identifier to the intended:
IA-4(c)[1] individual;
IA-4(c)[2] group;
IA-4(c)[3] role; and/or
IA-4(c)[4] device;

IA-4(d)
IA-4(d)[1] defining a time period for preventing reuse of identifiers;
IA-4(d)[2] preventing reuse of identifiers for the organization-defined time period;

IA-4(e)
IA-4(e)[1] defining a time period of inactivity to disable the identifier; and
IA-4(e)[2] disabling the identifier after the organization-defined time period of inactivity.

Potential assessment methods and objects:

Examine: [select from: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; list of identifiers generated from physical access control devices; other relevant documents or records].

Interview: [select from: Organizational personnel with identifier management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].

Test: [select from: Automated mechanisms supporting and/or implementing identifier management].
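As an added illustration of the Test method for IA-4(d)[2] and IA-4(e)[2] (example code, not part of the NIST text or ABCI's guidance), the script below audits an exported identifier assignment history for reuse inside the block period and for enabled identifiers that have passed the inactivity limit. The record layout, the sample data, and the 365-day and 90-day values are assumptions standing in for the organization-defined ones.

```python
from collections import namedtuple
from datetime import date, timedelta

# Assumed organization-defined values; IA-4(d)[1] and IA-4(e)[1] leave them to the organization.
REUSE_BLOCK = timedelta(days=365)
INACTIVITY_LIMIT = timedelta(days=90)

# Hypothetical export layout: one row per assignment of an identifier to a holder.
Rec = namedtuple("Rec", "ident holder assigned released last_used disabled")

# Constructed assignment history (individual, role and device identifiers); not real data.
SAMPLE = [
    Rec("jdoe", "emp-1001", date(2022, 1, 10), date(2023, 6, 30), date(2023, 6, 29), True),
    Rec("jdoe", "emp-2044", date(2023, 11, 1), None, date(2024, 5, 28), False),
    Rec("svc-backup", "role-backup", date(2021, 3, 1), None, date(2023, 12, 15), False),
    Rec("printer-07", "dev-0007", date(2024, 1, 5), None, None, False),
    Rec("asmith", "emp-0311", date(2020, 9, 1), None, date(2023, 1, 1), True),
]

def audit_identifiers(records, today, reuse_block=REUSE_BLOCK, inactivity_limit=INACTIVITY_LIMIT):
    """Return (objective, identifier, reason) findings for IA-4(d)[2] and IA-4(e)[2]."""
    findings, previous = [], {}
    for rec in sorted(records, key=lambda r: r.assigned):
        prior = previous.get(rec.ident)
        # IA-4(d)[2]: identifier given to a different holder while the prior
        # assignment is still open or before the reuse block has elapsed.
        if prior and prior.holder != rec.holder:
            if prior.released is None or rec.assigned - prior.released < reuse_block:
                findings.append(("IA-4(d)[2]", rec.ident, "reused within block period"))
        previous[rec.ident] = rec
        # IA-4(e)[2]: assigned and still enabled, but idle past the limit.
        # A never-used identifier is aged from its assignment date.
        if rec.released is None and not rec.disabled:
            idle = today - (rec.last_used or rec.assigned)
            if idle > inactivity_limit:
                findings.append(("IA-4(e)[2]", rec.ident, f"enabled after {idle.days} idle days"))
    return findings

if __name__ == "__main__":
    for finding in audit_identifiers(SAMPLE, today=date(2024, 6, 1)):
        print(*finding, sep=" | ")
```

Each finding maps to an "other than satisfactory" determination for the named objective; an empty result supports, but does not by itself establish, a satisfactory one.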
