3.5.1—Identification and Authentication - Basic
Discussion
Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals.
Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern identification of system flaws?
- What procedures address flaw discovery, reporting, and tracking?
- How do you receive vulnerability notifications and advisories?
- Who is responsible for flaw identification and management?
- What governance ensures timely flaw identification?
Technical Implementation:
- What vulnerability scanning tools identify system flaws?
- How often do you scan for vulnerabilities?
- What sources provide flaw and vulnerability information?
- How do you aggregate and prioritize identified flaws?
- What systems track vulnerability identification and remediation?
Evidence & Documentation:
- Can you provide recent vulnerability scan reports?
- What evidence shows regular flaw identification activities?
- Can you demonstrate subscription to vulnerability feeds?
- What tracking systems document identified flaws?
- What audit reports verify flaw identification processes?