4 results found

1. Phase out password rotation

   I'm re-upping the Declined idea of phasing out password rotation. It's a bad requirement.

   The following requirement I believe will eventually be less common as companies are moving away from rotating passwords and might need to be inclusive of all methods going forward as password rotating will probably be slowly phased out.

   ID: 1031.01d1System.34510 “The organization changes passwords for default system accounts, at first logon following the issuance of a secure temporary password, when there is a suspected compromise, and no less than every 90 days for regular accounts or 60 days for privileged (i.e., administrator accounts).”

   It has been discussed for years now that rotating passwords leaves individuals more prone to have to write their passwords down or ask for more password resets. With MFA and more complex passwords being required the risk associated with rotating passwords has exceeded keeping a password that has never been compromised. NIST Special Publication 800-63B mentions "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. " Also it has been publicized that Microsoft no longer recommends passwords being changed periodically.

   I'm re-upping the Declined idea of phasing out password rotation. It's a bad requirement.

   The following requirement I believe will eventually be less common as companies are moving away from rotating passwords and might need to be inclusive of all methods going forward as password rotating will probably be slowly phased out.

   ID: 1031.01d1System.34510 “The organization changes passwords for default system accounts, at first logon following the issuance of a secure temporary password, when there is a suspected compromise, and no less than every 90 days for regular accounts or 60 days for privileged (i.e., administrator accounts).”

   It has been… more

   2 votes

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   1 comment  ·  CSF & Authoritative Sources  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close
   Completed  ·  AdminJames Nutkis (HITRUST - Sr Director, Product Management, HITRUST) responded

   Implemented with latest CSF v9.4 update

2. Split HIPAA into Sub-Categories

   The existing HIPAA Regulatory Factor is too broad and sometimes causes undesired HIPAA sections to be introduced into an Assessment. Use the new nesting functionality to split HIPAA into its sub-categories.

   1 vote

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   0 comments  ·  CSF & Authoritative Sources  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close
   Completed  ·  AdminJames Nutkis (HITRUST - Sr Director, Product Management, HITRUST) responded

   Implemented with latest CSF v9.4 update

3. Phasing out Password rotating requirement

   The following requirement I believe will eventually be less common as companies are moving away from rotating passwords and might need to be inclusive of all methods going forward as password rotating will probably be slowly phased out.

   ID: 1031.01d1System.34510 “The organization changes passwords for default system accounts, at first logon following the issuance of a secure temporary password, when there is a suspected compromise, and no less than every 90 days for regular accounts or 60 days for privileged (i.e., administrator accounts).”

   It has been discussed for years now that rotating passwords leaves individuals more prone to have to write their passwords down or ask for more password resets. With MFA and more complex passwords being required the risk associated with rotating passwords has exceeded keeping a password that has never been compromised. NIST Special Publication 800-63B mentions "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. " Also it has been publicized that Microsoft no longer recommends passwords being changed periodically.

   The following requirement I believe will eventually be less common as companies are moving away from rotating passwords and might need to be inclusive of all methods going forward as password rotating will probably be slowly phased out.

   ID: 1031.01d1System.34510 “The organization changes passwords for default system accounts, at first logon following the issuance of a secure temporary password, when there is a suspected compromise, and no less than every 90 days for regular accounts or 60 days for privileged (i.e., administrator accounts).”

   It has been discussed for years now that rotating passwords leaves individuals more prone to have to… more

   1 vote

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   1 comment  ·  CSF & Authoritative Sources  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close
   Completed  ·  AdminJeremy Huval (Chief Innovation Officer, HITRUST) responded

   Great suggestion. This is addressed in v9.4 of the CSF and will continue to be reflected in future CSF versions.

4. 10655 - Updated MyCSF “Library” page

   MyCSF should update the title of the Library page to be named References. The navigation bar should be updated to reflect this alteration as well.

   The layout of this new page should be comprised of three rows. The first and third rows should have one column with 100% width. The second row should have two columns both with an equal 50% width. The existing “Library Versions” section should be relocated to the bottom of this page.

   For the Glossary and Downloads sections, Super Users should be able upload and manage files from a Content block that mirrors those contents on the References page. Each file should be able to be given a 255-character text name and a 1028-character textarea description.

   MyCSF should update the title of the Library page to be named References. The navigation bar should be updated to reflect this alteration as well.

   The layout of this new page should be comprised of three rows. The first and third rows should have one column with 100% width. The second row should have two columns both with an equal 50% width. The existing “Library Versions” section should be relocated to the bottom of this page.

   For the Glossary and Downloads sections, Super Users should be able upload and manage files from a Content block that mirrors those contents on… more

   0 votes

   Vote Vote Vote

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close

   Vote

   We’ll send you updates on this idea

   Completed  ·  0 comments  ·  CSF & Authoritative Sources  ·  Delete…  ·  Admin →
   How important is this to you?

   Not at all You must login first! Important You must login first! Critical You must login first!

   We're glad you're here

   Please sign in to leave feedback

   Signed in as (Sign out)

   Close

   Close