Identification Code & Password Controls — §11.300

Controls for Identification Codes and Passwords. Persons who use electronic signatures based upon identification codes in combination with passwords shall employ controls to ensure their security and integrity, in accordance with §11.300. The following controls shall be implemented:

(a) The uniqueness of each combined identification code and password shall be maintained such that no two individuals have the same combination.

(b) Identification codes and passwords shall be periodically checked, recalled, or revised at intervals determined by the organization's risk assessment, but not to exceed ninety (90) days for password changes.

(c) Loss management procedures shall be established to electronically de-authorize lost, stolen, missing, or otherwise potentially compromised tokens, cards, identification codes, or passwords, and to issue temporary or permanent replacements using suitable rigorous controls.

(d) Transaction safeguards shall be implemented to prevent unauthorized use of identification codes and passwords, including measures to detect and report attempted unauthorized use to the system security unit and organizational management.

(e) Initial and periodic testing of devices that bear or generate identification code or password information, such as tokens or smart cards, shall be conducted to ensure that they function properly and have not been altered in an unauthorized manner.

(f) Passwords shall meet minimum complexity requirements (e.g., minimum length of eight characters, combination of uppercase, lowercase, numeric, and special characters), shall not be displayed in clear text during entry, shall be stored using industry-standard cryptographic hashing algorithms, and shall not be transmitted in clear text over any network.
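As an added illustration, not part of the regulation or of any vendor's system, the following Python credential store shows what clauses (a), (b), (c), (d) and (f) look like when enforced in code: unique identification codes, a 90-day password age limit, electronic de-authorization, reporting of failed attempts, complexity checks and salted hashed storage. The class names, the PBKDF2 work factor, the adjustable clock and the report record format are assumptions made for the example.

```python
import hashlib, hmac, os, re
from datetime import datetime, timedelta, timezone
MAX_PASSWORD_AGE = timedelta(days=90)   # clause (b): password changes at most 90 days apart
PBKDF2_ROUNDS = 100_000                  # assumed work factor; raise it for production use
# clause (f): one uppercase, one lowercase, one digit and one special character required
CHARACTER_CLASSES = [re.compile(p) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")]

def meets_complexity(password: str) -> bool:
    """Clause (f): at least eight characters with every character class present."""
    return len(password) >= 8 and all(c.search(password) for c in CHARACTER_CLASSES)

def hash_password(password: str, salt: bytes) -> bytes:
    """Clause (f): only a salted PBKDF2-HMAC-SHA256 digest is stored, never clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

class Clock:  # assumed time source with an offset so the 90-day rule can be exercised
    def __init__(self):
        self.offset = timedelta(0)
    def now(self) -> datetime:
        return datetime.now(timezone.utc) + self.offset
    def advance(self, days: int) -> None:
        self.offset += timedelta(days=days)

class CredentialStore:
    def __init__(self):
        self.clock = Clock()
        self._users = {}      # identification code -> {salt, digest, set_at, active}
        self.reports = []     # clause (d): events for the system security unit and management

    def enroll(self, user_id: str, password: str) -> None:
        # Clause (a): identification codes are unique, so every id+password combination is unique.
        if user_id in self._users:
            raise ValueError(f"identification code {user_id!r} already issued")
        if not meets_complexity(password):
            raise ValueError("password does not meet the minimum complexity requirements")
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "digest": hash_password(password, salt),
                                "set_at": self.clock.now(), "active": True}

    def deauthorize(self, user_id: str) -> None:  # clause (c): de-authorize a lost or compromised code
        self._users[user_id]["active"] = False

    def verify(self, user_id: str, password: str) -> str:
        """Return 'ok', 'expired' (clause b) or 'denied' (clause d, also reported)."""
        rec = self._users.get(user_id)
        if rec and rec["active"] and hmac.compare_digest(hash_password(password, rec["salt"]), rec["digest"]):
            return "ok" if self.clock.now() - rec["set_at"] <= MAX_PASSWORD_AGE else "expired"
        self.reports.append({"user_id": user_id, "at": self.clock.now(), "event": "unauthorized_use_attempt"})
        return "denied"
```

An "expired" result should force a password change rather than silently sign the record, and the `reports` list stands in for whatever channel actually reaches the security unit.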