§164.308(a)(5)(ii)(D): Procedures for creating, changing, and safeguarding passwords.

Audit Inquiry

Does the entity have policies and procedures in place to incorporate procedures for creating, changing, and safeguarding passwords into its security awareness and training program?

Obtain and review password management procedures and training (or other vehicle) for creating, changing, and safeguarding passwords.

Elements to review may include but are not limited to:
• Workforce members’ roles and responsibilities in the procedures for creating, changing, and safeguarding passwords
• How passwords should be created, changed, and safeguarded
• Action(s) to be taken in response to a compromised password or other authentication credential

Obtain and review documentation demonstrating that procedures for creating, changing, and safeguarding passwords are in place. Evaluate and determine whether such procedures are consistent with the password creation, change, and safeguarding procedures incorporated into the training material.

Obtain and review documentation identifying the workforce members and role types that should be trained on creating, changing, and safeguarding passwords. Obtain and review documentation of the workforce members who were trained on the procedures for creating, changing, and safeguarding passwords. Evaluate and determine whether the appropriate workforce members are being trained on the procedures for creating, changing, and safeguarding passwords.

Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.

Required/Addressable

Addressable