IA-01-727 Identification and Authentication Policy and Procedures

Identification and Authentication Policy and Procedures

Control ID

IA-01-727

Control Name

Identification and Authentication Policy and Procedures

Control Category

Identification and Authentication

Functional Areas

Protect

Sub-Areas

Identification and Authentication

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

May 20, 2016

Agency Implementation

Each user of Agency owned information resources and each Agency information resource shall be assigned a uniquely identifiable access credential in accordance with the controls of this family.

Risk Statement

The lack of adequate policies and procedures to control access to information resources may expose the information to unauthorized access.

Control Description

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].

Control Example

The organization has written, documented identification and authentication policies and procedures are in place.

State Implementation

The state organization establishes the policies for verifying the identity of a user, process, or device, as a prerequisite for granting access to resources in an information system.

Testing Procedures

Obtain identification and authentication policy and procedures; other relevant documents or records and ascertain if: (I)the organization develops and documents identification and authentication policy and procedures. (ii)the organization disseminates identification and authentication policy and procedures to appropriate elements within the organization. (iii)responsible parties within the organization periodically review identification and authentication policy and procedures. (iv)the organization updates identification and authentication policy and procedures when organizational review indicates updates are required. (iv)the identification and authentication policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance. (v)the identification and authentication policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance. (vi)the identification and authentication procedures address all areas identified in the identification and authentication policy and address achieving policy-compliant implementations of all associated identification and authentication controls.