Title

Privilege authorization, Direct Inward System Access and/or Voice Mail special authorization codes or individually assigned PINS are not changed when compromised. (Cat III impact)

Discussion

Requirement: The IAO will ensure that all Voice Mail (and/or Privilege authorization, Direct Inward System Access) special authorization codes or individually assigned PINs are changed immediately if it is determined that they are compromised. If special authorization codes or individually assigned PINS are determined to be compromised, all access control to this feature is lost. Furthermore, this can lead to call fraud and abuse. As with any access control mechanism, once compromised, changes should be implemented to ensure secure access.

Check Content

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc as applicable.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Additional Identifiers

Rule ID: SV-8430r1_rule

Vulnerability ID: V-7944

Group Title: Service access PINs NOT changed when compromised

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.