8.3.8 Authentication policies and procedures are documented and communicated to all users including:
Defined Approach Requirements
8.3.8 Authentication policies and procedures are documented and communicated to all users including:
- Guidance on selecting strong authentication factors.
- Guidance for how users should protect their authentication factors.
- Instructions not to reuse previously used passwords/passphrases.
- Instructions to change passwords/passphrases if there is any suspicion or knowledge that the password/passphrase has been compromised, and how to report the incident.
Customized Approach Objective
Users are knowledgeable about the correct use of authentication factors and can access assistance and guidance when required.
Defined Approach Testing Procedures
8.3.8.a Examine procedures and interview personnel to verify that authentication policies and procedures are distributed to all users.
8.3.8.b Review authentication policies and procedures that are distributed to users and verify they include the elements specified in this requirement.
8.3.8.c Interview users to verify that they are familiar with authentication policies and procedures.
Purpose
Communicating authentication policies and procedures to all users helps them to understand and abide by the policies.
Good Practice
Guidance on selecting strong passwords may include suggestions to help personnel select hard-to-guess passwords that do not contain dictionary words or information about the user, such as the user ID, names of family members, date of birth, etc.
Guidance for protecting authentication factors may include not writing down passwords or not saving them in insecure files, and being alert to malicious individuals who may try to exploit their passwords (for example, by calling an employee and asking for their password so the caller can "troubleshoot a problem").
Alternatively, entities can implement processes to confirm passwords meet password policy, for example, by comparing password choices to a list of unacceptable passwords and having users choose a new password for any that match with one on the list. Instructing users to change passwords if there is a chance the password is no longer secure can prevent malicious users from using a legitimate password to gain unauthorized access.
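The checks described above (a list of unacceptable passwords, no user-related information such as the user ID, family names or date of birth, and no reuse of previous passwords) as one added example; this is illustrative code written for this page, not PCI SSC material or any vendor's implementation, and the denylist, user profile, salt and password history are constructed values:

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed denylist; a real deployment loads a large breached/common-password list.
DENYLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2024"}

def on_denylist(password):
    # Compare after lowercasing and stripping trailing digits/symbols, so "Password1!" still matches.
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return password.lower() in DENYLIST or base in DENYLIST

def contains_user_info(password, user_id, family_names, birth_date):
    """Reject passwords built from the user ID, family members' names, or date of birth."""
    low = password.lower()
    tokens = [user_id] + list(family_names)
    tokens += [birth_date.strftime(f) for f in ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d")]
    return any(len(t) >= 3 and t.lower() in low for t in tokens)

def hash_for_history(password, salt):
    # Password history is kept as salted PBKDF2 hashes, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def was_used_before(password, salt, history):
    candidate = hash_for_history(password, salt)
    return any(hmac.compare_digest(candidate, prev) for prev in history)

def check_new_password(password, user_id, family_names, birth_date, salt, history):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if on_denylist(password):
        problems.append("on list of unacceptable passwords")
    if contains_user_info(password, user_id, family_names, birth_date):
        problems.append("contains user ID, family name, or date of birth")
    if was_used_before(password, salt, history):
        problems.append("previously used password")
    return problems

# Constructed user profile and password history for the demonstration.
USER_ID = "jsmith"
FAMILY = ("Smith", "Anna")
DOB = date(1985, 3, 14)
USER_SALT = b"constructed-per-user-salt"  # real systems: secrets.token_bytes(16), stored per user
HISTORY = [hash_for_history("OldPassw0rd!", USER_SALT)]

if __name__ == "__main__":
    for pw in ("Summer2024", "Anna1985!", "OldPassw0rd!", "correct horse battery staple"):
        print(pw, "->", check_new_password(pw, USER_ID, FAMILY, DOB, USER_SALT, HISTORY) or "accepted")
```

Rejections are returned as a list so the user can be told which rule was hit and asked to choose again, which is the behaviour the guidance above describes.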
Purpose
Ensure MFA mechanisms are implemented for all administrative access.
Compliance Strategies
- MFA for admin accounts
Typical Policies
- Privileged Access Policy
Common Pitfalls
- Admins exempt from MFA
Type
Technical Control
Difficulty
Moderate
Key Risks
- Privileged account compromise
Recommendations
- Enforce MFA for all admin access
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER