Title

Personal Identification Numbers (PIN) assigned to special subscribers used to control Direct Inward System Access and Voice Mail services are not being controlled like passwords and deactivated when no longer required. (Cat III impact)

Discussion

The PIN used to control access to the DISA feature should be controlled much like a special access code or password. If this PIN is not changed periodically and deactivated when no longer required, the DISA feature is more likely to be compromised, thus degrading system access security.

Check Content

Interview the IAO or SA and confirm compliance through discussion, review of site policy, diagrams, documentation, DAA approvals, etc as applicable.

Fix Text

Implement processes / procedures, generate documents, and/or adjust configuration(s) / architecture, as necessary to comply with policy.

Additional Identifiers

Rule ID: SV-8429r1_rule

Vulnerability ID: V-7943

Group Title: Service access codes not changed like passwords

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.