IAM-09 Confidentiality of Authentication Information
1. Overview

| Designation | Criterion |
| IAM-09.01B | Authentication information for access to the system components used to provide the cloud service to internal and external users of the cloud service provider, and to the system components involved in the provider's automated authorisation processes, is allocated in an orderly manner that ensures its confidentiality. Authentication information as referred to in the basic criterion is cloud service provider data. |
| IAM-09.02B | Authentication credentials are managed at a security level that matches or exceeds the classification of the system component they protect. Authentication information as referred to in the basic criterion is cloud service provider data. |
| IAM-09.03B | If passwords are used as authentication information, their confidentiality is ensured by the following procedures, as far as technically possible: 1. Users either create their initial password themselves or must change a provider-issued initial password when logging on to the system component for the first time; an initial password loses its validity after at most 14 days. 2. When passwords are created, compliance with the authentication policy (cf. IAM-08) is enforced as far as technically possible. 3. The user is notified when their password is changed or reset. 4. Passwords are stored server-side only as state-of-the-art cryptographic hashes; the exception is passwords that must remain recoverable for later use (for example, secrets kept in a password manager), which are instead given reversible, state-of-the-art cryptographic protection (encryption rather than hashing). Authentication information as referred to in the basic criterion is cloud service provider data. |
| IAM-09.04B | Deviations are evaluated by means of a risk assessment according to OIS-07, and the mitigating measures derived from it are implemented. |
| IAM-09.05B | Rules and recommendations for handling credentials in accordance with the authentication policy (cf. IAM-08) are documented, communicated and made available to all users under the responsibility of the cloud service provider. They include recommendations on password managers and guidance that specifically addresses classic attacks such as phishing, social engineering and whaling. |
| IAM-09.06B | The cryptographic mechanisms used comply with the policies and instructions for cryptographic mechanisms (cf. CRY-01). |
| IAM-09.07B | Password reset procedures are valid for at most 24 hours. Once a reset procedure has been used, the user must set a new password. This subcriterion applies only to password-based authentication schemes. |
| IAM-09.01AC | Users sign a declaration in which they assure that they treat personal (or shared) authentication information confidentially and keep it exclusively to themselves (or, for shared credentials, within the members of the group). Authentication information as referred to in the basic criterion is cloud service provider data. Insofar as this is legally binding, declarations can be signed using an electronic signature. |
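The technical parts of IAM-09.03B (initial password changed at first login and expiring after 14 days, policy enforced on creation, server-side storage as salted hashes only) and IAM-09.07B (reset valid for at most 24 hours, single use, followed by a mandatory password change) can be checked in code. The Python below is an added illustration written for this page; it is not text from the C5 catalogue and not any cloud service provider's implementation. The 14-day and 24-hour limits come from the criteria; the account and method names, the choice of scrypt as the "state-of-the-art" hash, its cost parameters, and the 12-character minimum that stands in for the IAM-08 authentication policy are assumptions.

```python
# Added example for IAM-09.03B / IAM-09.07B. Only the 14-day and 24-hour limits
# come from the criteria; names, scrypt cost and the 12-char minimum are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

INITIAL_PASSWORD_LIFETIME = timedelta(days=14)   # IAM-09.03B item 1
RESET_LIFETIME = timedelta(hours=24)             # IAM-09.07B
MIN_PASSWORD_LENGTH = 12                         # assumed stand-in for the IAM-08 policy
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1     # assumed cost: 16 MiB of memory per hash


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted memory-hard hash; the plaintext is never stored (IAM-09.03B item 4)."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change: bool                              # initial credential: change at first login
    initial_expires_at: Optional[datetime] = None  # unused initial password lapses after 14 days
    reset_digest: Optional[bytes] = None           # sha256 of the one-time reset token, never the token
    reset_expires_at: Optional[datetime] = None


class CredentialStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create_with_initial_password(self, user: str, initial_pw: str, now: datetime) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[user] = Account(salt, _hash(initial_pw, salt), must_change=True,
                                       initial_expires_at=now + INITIAL_PASSWORD_LIFETIME)

    def authenticate(self, user: str, pw: str, now: datetime) -> str:
        """Returns 'ok', 'must_change', 'initial_expired' or 'denied'."""
        acct = self._accounts.get(user)
        if acct is None or not hmac.compare_digest(_hash(pw, acct.salt), acct.digest):
            return "denied"
        if acct.initial_expires_at is not None and now > acct.initial_expires_at:
            return "initial_expired"
        return "must_change" if acct.must_change else "ok"

    def change_password(self, user: str, old_pw: str, new_pw: str, now: datetime) -> bool:
        if self.authenticate(user, old_pw, now) not in ("ok", "must_change"):
            return False
        return self._set_password(user, new_pw)

    def request_reset(self, user: str, now: datetime) -> Optional[str]:
        """Issues a one-time reset token; only its hash is kept server-side."""
        acct = self._accounts.get(user)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        acct.reset_digest = hashlib.sha256(token.encode()).digest()
        acct.reset_expires_at = now + RESET_LIFETIME
        return token                               # delivered to the user out of band

    def redeem_reset(self, user: str, token: str, new_pw: str, now: datetime) -> bool:
        """Single use, lapses after 24 h, and ends with the user setting a new password."""
        acct = self._accounts.get(user)
        if acct is None or acct.reset_digest is None:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), acct.reset_digest):
            return False                           # wrong token: the real one stays usable
        if now > acct.reset_expires_at:
            acct.reset_digest = acct.reset_expires_at = None
            return False                           # lapsed after 24 hours
        if not self._set_password(user, new_pw):
            return False                           # policy failure: user may retry
        acct.reset_digest = acct.reset_expires_at = None   # consumed
        return True

    def _set_password(self, user: str, new_pw: str) -> bool:
        if len(new_pw) < MIN_PASSWORD_LENGTH:      # IAM-09.03B item 2: enforce the policy
            return False
        acct = self._accounts[user]
        acct.salt = secrets.token_bytes(16)
        acct.digest = _hash(new_pw, acct.salt)
        acct.must_change = False
        acct.initial_expires_at = None
        return True


def demo() -> Dict[str, object]:
    """Walks one constructed account through the lifecycle and returns the observed outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store, out = CredentialStore(), {}
    store.create_with_initial_password("alice", "Init-Pw-2024!x", t0)
    out["initial_login"] = store.authenticate("alice", "Init-Pw-2024!x", t0)
    out["initial_after_15d"] = store.authenticate("alice", "Init-Pw-2024!x", t0 + timedelta(days=15))
    out["change_too_short"] = store.change_password("alice", "Init-Pw-2024!x", "short", t0)
    out["change_ok"] = store.change_password("alice", "Init-Pw-2024!x", "correct horse battery staple", t0)
    out["login_after_change"] = store.authenticate("alice", "correct horse battery staple", t0 + timedelta(days=400))
    token = store.request_reset("alice", t0)
    out["reset_wrong_token"] = store.redeem_reset("alice", "not-the-token", "another long passphrase", t0)
    out["reset_after_25h"] = store.redeem_reset("alice", token, "another long passphrase", t0 + timedelta(hours=25))
    token = store.request_reset("alice", t0)
    out["reset_ok"] = store.redeem_reset("alice", token, "another long passphrase", t0 + timedelta(hours=1))
    out["reset_replayed"] = store.redeem_reset("alice", token, "yet another passphrase", t0 + timedelta(hours=2))
    out["login_after_reset"] = store.authenticate("alice", "another long passphrase", t0 + timedelta(hours=3))
    return out
```

Two design points matter for an audit of this control: the store holds only salted scrypt digests and a SHA-256 of the reset token, so a database dump yields neither a password nor a usable reset link, and every comparison goes through hmac.compare_digest. A reset token is cleared only when it has been redeemed successfully or has expired; a wrong guess does not burn the legitimate token, which keeps the single-use rule from becoming a denial-of-service vector against the account owner.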
1.1 References

2. Identified Requirements

| Source | Requirement |

3. Related Regulations

| Source | Regulation |