Check: DSN13.14
Defense Switched Network (DSN) STIG: DSN13.14 (in versions v2 r8 through v2 r7)
Title
The ISSO/IAO has not recorded the passwords of high level users (ADMIN) used on DSN components and stored them in a secure or controlled manner. (Cat II impact)
Discussion
Requirement: The IAO will ensure that no user (to include Administrator) is permitted to retrieve the password of any user in clear text. Passwords should be recorded and stored in a secure location for emergency use. This helps prevent time-consuming password recovery techniques and denial of administrator access in the event a password is forgotten or the individual with the access is incapacitated. The passwords of high-level users should be recorded and controlled so that the ISSO/IAO would be able to gain high-level access if an unforeseen situation occurred that prevented the high-level user from performing their duties.
Check Content
Interview the IAO and/or SA to confirm compliance through discussion and review of site policy and procedures, diagrams, documentation, configuration files, logs, records, DAA/other approvals, etc., as applicable.
Fix Text
Record the passwords of high-level users and store them in a controlled manner.
Additional Identifiers
Rule ID: SV-8451r1_rule
Vulnerability ID: V-7965
Group Title: High level passwords not recorded and controlled
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |