Individuals with access to Information Technology (IT)
systems must use individually assigned accounts.
Access to IT systems must be protected from infiltration
via the use of strong passwords, passphrases, or other
forms of authentication, and user access to IT systems
must be safeguarded.
Passwords and/or passphrases must be changed as soon as
possible if there is evidence of compromise or reasonable
suspicion of a compromise exists.
To guard IT systems against infiltration, user access must be safeguarded
by an authentication process. Complex login passwords or passphrases,
biometric technologies, and electronic ID cards are three different
types of authentication. Processes that use more than one measure are
preferred; these are referred to as two-factor authentication (2FA) or
multi-factor authentication (MFA). MFA is the most secure because it
requires a user to present two or more pieces of evidence (credentials)
to authenticate the person’s identity during the
MFA can help close the network intrusions that weak passwords or stolen
credentials make possible, because it requires individuals to augment a
password or passphrase (something you know) with something you have,
such as a token, or something you are, such as a physical feature (a
biometric).
If using passwords, they need to be complex. The National Institute of
Standards and Technology’s (NIST) Special Publication 800-63B, Digital
Identity Guidelines, includes password guidelines
(https://pages.nist.gov/800-63-3/sp800-63b.html). It recommends the use
of long, easy-to-remember passphrases instead of words with special
characters. These longer passphrases (NIST recommends allowing up to 64
characters in length) are considered much harder to crack, while
remaining easy to remember because they are made up of a sentence or
phrase.
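As an added example that is not part of the guideline text, the following PowerShell function applies the NIST SP 800-63B memorized-secret recommendations just described to a candidate password: a minimum length, acceptance of long passphrases (up to 64 characters), no composition rules, and rejection of values that are known-compromised, trivially repeated or sequential, or derived from the user name. The blocklist, the user name and the context words are constructed sample values; a real deployment would use a breached-password corpus.

```powershell
# Added example: NIST SP 800-63B-style acceptance check for a memorized secret.
# The blocklist below is a small constructed sample (assumption); in production it
# would be a breached-password corpus, and the candidate would arrive as a SecureString.

$script:MinimumLength = 8      # SP 800-63B: memorized secrets must be at least 8 characters
$script:MaximumLength = 64     # SP 800-63B: verifiers should permit at least 64 characters

# Constructed sample of common / previously breached values
$script:Blocklist = @('password', 'password1', 'qwerty', '12345678', 'letmein', 'welcome1')

function Test-PassphrasePolicy {
    <#
    .SYNOPSIS
        Returns $true when the candidate meets the NIST-style rules, $false otherwise.
        When -Reason is supplied, the list of problems is written to it.
    #>
    param(
        [Parameter(Mandatory)] [string] $Candidate,
        [string]   $UserName = '',
        [string[]] $ContextWords = @(),   # service name, company name, and similar guessable words
        [ref]      $Reason
    )

    $problems = New-Object System.Collections.Generic.List[string]
    $lower = $Candidate.ToLowerInvariant()

    # Length rules only: spaces and any printable character are allowed inside a passphrase
    if ($Candidate.Length -lt $script:MinimumLength) {
        $problems.Add("shorter than $($script:MinimumLength) characters")
    }
    if ($Candidate.Length -gt $script:MaximumLength) {
        $problems.Add("longer than $($script:MaximumLength) characters")
    }

    # Reject values found on the blocklist (case-insensitive exact match)
    if ($script:Blocklist -contains $lower) {
        $problems.Add('appears on the blocklist of compromised or common passwords')
    }

    # Reject context-specific values: the user name or other words an attacker can guess
    if ($UserName -and $lower.Contains($UserName.ToLowerInvariant())) {
        $problems.Add('contains the user name')
    }
    foreach ($word in $ContextWords) {
        if ($word -and $lower.Contains($word.ToLowerInvariant())) {
            $problems.Add("contains the context word '$word'")
        }
    }

    # Reject a single repeated character ('aaaaaaaa') or a plain sequence ('12345678', 'abcdefgh')
    if ($lower -match '^(.)\1+$') { $problems.Add('is a single repeated character') }
    if ('0123456789'.Contains($lower) -or 'abcdefghijklmnopqrstuvwxyz'.Contains($lower)) {
        $problems.Add('is a sequential string')
    }

    # No composition rules: a long all-lowercase passphrase is accepted as-is.
    if ($null -ne $Reason) { $Reason.Value = ($problems -join '; ') }
    return ($problems.Count -eq 0)
}

# Usage with constructed inputs
$why = ''
Test-PassphrasePolicy -Candidate 'Password1' -Reason ([ref]$why)                      # $false (blocklist)
"Rejected: $why"
Test-PassphrasePolicy -Candidate 'jsmith-summer' -UserName 'jsmith' -Reason ([ref]$why) # $false (user name)
"Rejected: $why"
Test-PassphrasePolicy -Candidate 'correct horse battery staple'                        # $true (28-char passphrase)
```

The check is written as a function so an account-provisioning or self-service reset script can call it before accepting a new secret; the only policy knobs are the two length constants and the blocklist, which is exactly the shape SP 800-63B recommends in place of character-class composition rules.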
So each user must have their own account on the system.
Each account must have a password or another security mechanism such as a smart card.
Passwords must be changed if the account is compromised or suspected to be compromised.
In Active Directory, the strong-password (password complexity) requirement must be enabled in the domain password policy. This forces user accounts to meet what Microsoft defines as a strong password.
Similar functionality should exist in other centralized account management systems (e.g., LDAP).
Smart cards and biometrics (e.g., fingerprint readers) require additional hardware to be installed, as well as support in the centralized account management system.
Active Directory supports smart cards, and may support biometrics.
A policy and related procedures are required for forcing a password change upon compromise or suspected compromise.
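As an added example (not part of the guideline, and not a Microsoft-supplied script), the following PowerShell uses the ActiveDirectory module to carry out what the paragraphs above describe: inspect the default domain password policy and enable the strong-password requirement, and, for the compromise procedure, reset an account's password and force a change at next logon. The account name 'jsmith', the chosen lengths, lockout values and the smart-card line are placeholders and assumptions to adapt to the local policy; it must be run with domain administrative rights.

```powershell
# Added example: enforce the domain password policy and respond to a suspected
# credential compromise with the ActiveDirectory module (RSAT).
# 'jsmith' and the numeric values below are placeholders (assumptions).

Import-Module ActiveDirectory

$domain = (Get-ADDomain).DistinguishedName

# 1. Review the current default domain password policy
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, ReversibleEncryptionEnabled

# 2. Enable the strong-password requirement ("Password must meet complexity
#    requirements"), a minimum length, history, and lockout against guessing.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# 3. Compromise response: reset the password immediately so the attacker-known
#    secret stops working, and force the user to choose a new one at next logon.
function Invoke-CompromisedAccountReset {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    # Temporary random password (24 random bytes, base64-encoded); the user replaces it at next logon
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $temp = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $temp
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Return the evidence for the incident record: who was reset and when
    Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet, Enabled
}

# 4. Where smart cards are deployed, Active Directory can require them per account
#    (placeholder account; uncomment once the card infrastructure is in place):
# Set-ADUser -Identity 'jsmith' -SmartcardLogonRequired $true

# Usage for a suspected compromise of the placeholder account
Invoke-CompromisedAccountReset -SamAccountName 'jsmith'
```

Steps 1 and 2 implement the "strong password must be set" requirement; step 3 is the procedure the last sentence calls for, kept as a function so the help desk runs the same, logged sequence every time rather than an ad-hoc reset.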