
nFront Password Filter


Enforce Compliance with nFront Password Filter

PCI Compliance

 

PCI Compliance Password Related Requirements

  • 8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use.
  • 8.5.8 Do not use group, shared, or generic accounts and passwords.
  • 8.5.9 Change user passwords at least every 90 days.
  • 8.5.10 Require a minimum password length of at least seven characters.
  • 8.5.11 Use passwords containing both numeric and alphabetic characters.
  • 8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created by the major card brands (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International) to protect cardholder data against the growing number of identity thefts and security breaches. The requirements above are the password-related items from section 8.5 of the standard.

nFront Password Filter can help your company meet the password-related PCI requirements listed above by rejecting passwords that fall below the length, character-composition and history rules at the moment the user tries to set them.

For more information on PCI compliance requirements, or to find an approved scanning vendor, visit the official PCI Security Standards Council website.

Sarbanes-Oxley Compliance (SOX)

SOX 404 and IT

  • Risk Assessment. Before the necessary controls are implemented, IT management must assess and understand the areas of risk affecting the completeness and validity of the financial reports.
  • Control Activities. Design, implementation and quality assurance testing teams should be independent. ERP and CRM systems that collect data but feed it into manually maintained spreadsheets are prone to human error. The organization will need to document usage rules and create an audit trail for each system that contributes financial information.
  • Monitoring. Auditing processes and schedules should be developed to address the high-risk areas within the IT organization. IT personnel should perform frequent internal audits.

The Sarbanes-Oxley Act of 2002 is a United States law that affects the auditing, financial reporting and security of financial information of publicly traded companies.

Many publicly traded companies have adopted nFront Password Filter to help them ensure better data security by disallowing weak, easily guessed passwords. Furthermore, nFront Password Filter has features built specifically around SOX-driven audit controls, such as the default ability to log all rejected password change attempts (SOX-style control frameworks generally expect IT applications and processes to log failures). Such a log should record who attempted the change, when, and which rule rejected it; the rejected password text itself should never be written to the log, since a rejected candidate often differs from the password the user finally chooses by only a character or two.

HIPAA Compliance

HIPAA and Passwords

  • Title II. Title II requires national standards for electronic healthcare transactions.
  • The Security Rule. The Final Rule on Security Standards was issued in February 2003. It lays out three types of security safeguards required for compliance: administrative, physical, and technical.
  • Technical Safeguards. Technical Safeguards describe access control to computer systems and protection of patient health information from interception over electronic networks. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include password systems, two- or three-way handshakes, telephone callback, and token systems.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996. It consists of Title I and Title II. Title I covers health care access, portability and renewability. Title II describes the administrative measures that protect against fraud and abuse.

While the Technical Safeguards section does not specify exact password criteria, it does call for strong authentication. Biometrics tie authentication most directly to the person rather than to a secret the person knows, but for most organizations biometrics are not affordable or do not integrate well with existing systems. Increasing password strength by enforcing longer passwords, more complex passwords or rejecting common passwords goes a long way toward making an account's credential hard for anyone but its owner to supply.

Many hospitals and healthcare providers have adopted nFront Password Filter to help them ensure better data security by disallowing weak, easily guessed passwords. Some use dictionaries of common passwords that have been extended to over 2 million words common to the healthcare industry. Such measures greatly reduce the chance of an external password compromise. If passphrases (essentially long sentences) are encouraged, users are less likely to write their passwords down, so the risk of internal compromise should not rise as a result of enforcing stronger passwords.
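The checks described on this page are straightforward to express in code. The following is an added example, not nFront's own code: it applies the PCI DSS 8.5.10 (minimum length), 8.5.11 (letters and digits) and 8.5.12 (no reuse of the last four passwords) rules quoted in the PCI section, rejects entries from a common-password dictionary as described in the HIPAA section, and produces the kind of rejection log line discussed under SOX without ever recording the rejected password. The dictionary contents, the PBKDF2 parameters, the `Account` and `validate` names, and the history layout (salted hashes, newest first) are all assumptions made for the example.

```python
"""Password-change validator modelled on the PCI DSS 8.5.x password rules
(added example, not nFront's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 7        # PCI DSS 8.5.10: at least seven characters
HISTORY_DEPTH = 4     # PCI DSS 8.5.12: may not match any of the last four
PBKDF2_ROUNDS = 100_000   # assumed work factor for the history hashes

# Constructed, deliberately tiny dictionary of base words. A real
# deployment loads a large list (the page mentions over 2 million entries).
COMMON_BASE_WORDS = {"password", "welcome", "hospital", "letmein"}


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history never stores the old password text.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class HistoryEntry:
    salt: bytes
    digest: bytes


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)  # newest entry first

    def record(self, password: str) -> None:
        """Store the password that was just set; keep only the last four."""
        salt = os.urandom(16)
        self.history.insert(0, HistoryEntry(salt, _hash(password, salt)))
        del self.history[HISTORY_DEPTH:]


def _normalize(candidate: str) -> str:
    # Assumed dictionary heuristic: compare case-insensitively and ignore
    # trailing digits, so "Hospital1" is matched by the base word "hospital".
    return candidate.lower().rstrip("0123456789")


def validate(account: Account, candidate: str) -> list:
    """Return the identifiers of every rule the candidate violates.

    An empty list means the password change is accepted.
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("8.5.10 length")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        failures.append("8.5.11 alphanumeric")
    for entry in account.history:
        # Constant-time comparison of the freshly computed hash against
        # each stored one; the stored entries never reveal old passwords.
        if hmac.compare_digest(_hash(candidate, entry.salt), entry.digest):
            failures.append("8.5.12 reuse")
            break
    if _normalize(candidate) in COMMON_BASE_WORDS:
        failures.append("dictionary")
    return failures


def log_rejection(username: str, failures: list) -> str:
    """Audit line for a rejected change: who, which rules, never the password."""
    return "password change rejected user=%s rules=%s" % (username, ",".join(failures))


if __name__ == "__main__":
    acct = Account("jdoe")
    for pw in ["abcdef", "Hospital1", "Tr4ck-Rain-Lamp"]:
        result = validate(acct, pw)
        print(pw, "->", result or "accepted")
        if result:
            print(log_rejection(acct.username, result))
    acct.record("Tr4ck-Rain-Lamp")
    print("Tr4ck-Rain-Lamp again ->", validate(acct, "Tr4ck-Rain-Lamp"))
```

The history comparison is the part worth getting right: because each stored entry is a salted hash, the candidate has to be re-hashed under every stored salt, which costs `HISTORY_DEPTH` PBKDF2 computations per change attempt but means a leaked history table exposes no old passwords. Once a fifth password has been recorded, the first one drops out of the window and may be used again, which is exactly the behaviour 8.5.12 describes.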

nFront Security, Inc © 2008
