IA-01-727 Identification and Authentication Policy and Procedures

Identification and Authentication Policy and Procedures

IA-01-727
Identification and Authentication Policy and Procedures
Identification and Authentication
Protect
Identification and Authentication
LOW, MOD, HIGH
P1
Yes
May 20, 2016

Each user of Agency owned information resources and each Agency information resource shall be assigned a uniquely identifiable access credential in accordance with the controls of this family.

The lack of adequate policies and procedures to control access to information resources may expose the information to unauthorized access.
The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
The organization has written, documented identification and authentication policies and procedures are in place.
The state organization establishes the policies for verifying the identity of a user, process, or device, as a prerequisite for granting access to resources in an information system.
Obtain identification and authentication policy and procedures; other relevant documents or records and ascertain if: (I)the organization develops and documents identification and authentication policy and procedures. (ii)the organization disseminates identification and authentication policy and procedures to appropriate elements within the organization. (iii)responsible parties within the organization periodically review identification and authentication policy and procedures. (iv)the organization updates identification and authentication policy and procedures when organizational review indicates updates are required. (iv)the identification and authentication policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance. (v)the identification and authentication policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance. (vi)the identification and authentication procedures address all areas identified in the identification and authentication policy and address achieving policy-compliant implementations of all associated identification and authentication controls.