Wednesday 22 May 2019

Password non-compliance

Google reported that for 14 years, passwords for G Suite had been stored in a less than secure way: "We made an error when implementing this functionality back in 2005". Interesting. Now what about compliance?

Below is a far from complete overview of laws and regulations that define policies regarding authentication practices, such as password storage. It looks like Google and G Suite users are non-compliant...

· International
  • ISO 27001 / 27002, ch. 9
  • ISO 27017, ch. 9
· EU
  • GDPR, Article 32 ("security of processing"), appropriate controls
  • ENISA IAF 6, R-11 SO11
  • PSD2 – Strong Customer Authentication
  • eIDAS safeguard S 2.11
· France
  • SecNumCloud 9.5.a
· Germany
  • BSI C5 IDM-11
· US
  • SOX 404
  • NIST SP 800-53 R3
  • NIST SP 800-63B
  • US DoD Instruction 8500.2
  • Army Regulation 25-2
  • GLBA (Gramm-Leach-Bliley Act)
  • CJIS (Criminal Justice Information Services)
  • COPPA 312
  · California
    • Information Privacy: Connected Devices (SB-327)
· Canada
  • PIPEDA, Section 5
  · Ontario
    • GO-ITS 25 3.1
· India
  • Information Technology Act
· Australia
  • Protective Security Policy Framework
· New Zealand
  • NZISM 5.2.3 and 16.1
· Industry-specific regulations
  • PCI DSS 3, 7, 8, 12
  • HIPAA 45 CFR 164
  • NERC (North American Electric Reliability Corporation) CIP-007-3
· Best practices
  • OWASP Password Storage Cheat Sheet
  • SANS Password Construction Guidelines
  • CSA CCM IS07
  • AICPA SOC2SM S3.2.0
  • BITS AUP & SIG v6
  • COBIT DS05
  • HITRUST 01a
  • ITAR CFR 120.17, EAR 15 CFR 736.2
  • xkcd 936
