Password and Access Control Standards
Security standards are specific, measurable requirements derived from security policies. Where a policy states "passwords must be secure," a standard specifies "passwords must be at least 12 characters and include three of four character classes." Standards bridge the gap between policy intent and technical implementation.
Password Standards
Password standards define the specific technical requirements for credentials used to authenticate users to organizational systems. A comprehensive password standard addresses:
- Complexity requirements: Minimum length (modern guidance from NIST 800-63B emphasizes length over complexity), character class requirements (uppercase, lowercase, numbers, special characters), and prohibition of easily guessable passwords (dictionary words, username variations, previously breached passwords).
- Authentication methods: Which authentication methods are permitted for which systems and risk levels. High-risk systems may require MFA in addition to password.
- Secure password reset process: How users reset forgotten passwords. Weak reset processes (security questions, email-only reset) can bypass strong passwords. The reset process must be as secure as the authentication process itself.
- Change frequency: How often passwords must be changed. Modern guidance (NIST 800-63B) recommends against arbitrary periodic changes for accounts with no evidence of compromise, as they drive users toward predictable patterns. Change should be required upon evidence of compromise.
- Password storage: Passwords must never be stored in plaintext. Standard requires hashing with a modern algorithm (bcrypt, Argon2, PBKDF2) and salting (adding a unique random value before hashing to prevent rainbow table attacks). This is a technical storage standard, not visible to users.
- Password managers: Standards may address organizational support for and use of password managers to enable unique, complex passwords for each system without requiring user memorization.
Access Control Standards
Access control standards define how access to systems and data is granted, managed, and removed. The standard must specify the access control model and the processes that support it.
| Model | How Access Is Determined | Typical Use |
|---|---|---|
| MAC (Mandatory Access Control) | System-enforced labels (Top Secret, Secret, Unclassified); users cannot grant access beyond their clearance | Government/military; high-security classified environments |
| DAC (Discretionary Access Control) | Resource owner grants access at their discretion (file owner sets permissions) | Consumer OS (Windows/Linux standard permissions) |
| RBAC (Role-Based Access Control) | Access determined by job role; users inherit permissions of their role(s) | Enterprise environments; most common organizational standard |
| ABAC (Attribute-Based Access Control) | Access determined by multiple attributes: user attributes + resource attributes + environment (time, location) | Cloud environments; fine-grained access requirements |
Access control standards must also address: the approval process for granting access (who approves access requests and at what level), and removal procedures for termination/expiry/contract end — access must be removed immediately upon separation, not when someone gets around to it.
Physical Security Standards
Physical security standards define the controls required to protect facilities, equipment, and assets from physical threats. Physical security is layered: outer perimeter controls limit who can enter the building; interior controls limit who can access specific areas; equipment controls protect individual devices.
Personnel Classification for Physical Access
Physical security standards must differentiate access levels based on the trust and verification level of the individual:
- Employees: Background-checked, trained on security policy, issued permanent badges with photo ID. Access granted based on job role. Typically permitted in most general office areas and specific restricted areas relevant to their role.
- Visitors: Not vetted; limited access. Must be signed in at reception, issued a temporary visitor badge (visually distinct from employee badges), and escorted at all times by an employee in restricted areas. Visitor logs must be maintained.
- Contractors: Background-checked but not employed; access is limited to the specific areas and timeframes required for the contracted work. May require escort in sensitive areas. Access is revoked upon contract completion.
Physical Access Controls
Standards specify the types of physical access controls required for different areas:
- Electronic locks: Card readers, PIN pads, or electronic lock mechanisms that provide access logging (who entered when) unlike traditional keys, which cannot be audited.
- Biometrics: Fingerprint, iris scan, facial recognition, or hand geometry for high-security areas. Biometrics provide authentication based on something you are and cannot be loaned, transferred, or lost like a badge.
- Monitoring: CCTV coverage of access points, server rooms, and high-value asset areas. Recordings must be retained for a standard period (typically 30–90 days) for incident investigation.
- Escorts: Required for visitors and contractors in restricted areas. The escorting employee takes responsibility for the visitor's actions.
- Offboarding: Physical security offboarding requires recovery of all physical access credentials (badges, keys, access cards) and immediate deactivation of electronic access. Access must be removed on the last day of employment, not after.
Physical Security and the Insider Threat
Physical security standards must account for the insider threat: employees who have legitimate physical access but misuse it. Controls include: least privilege physical access (employees only access areas required for their role), visitor escort requirements even for familiar-looking individuals, tailgating prevention (anti-passback systems, mantrap/airlock entries), and regular access reviews to ensure access is appropriate for current job functions.
Encryption Standards and Security Frameworks
Encryption Standards
Encryption standards specify which algorithms, key lengths, and protocols are approved for protecting organizational data. Standards must address data in three states:
| Data State | Definition | Standard Requirements |
|---|---|---|
| Data at rest | Stored data on disks, databases, backups, USB drives | AES-256 for full-disk encryption (BitLocker, FileVault); database encryption; encrypted backups. Encryption key management standards. |
| Data in transit | Data moving across networks or between systems | TLS 1.2 minimum (TLS 1.3 preferred); deprecated protocols (SSL, TLS 1.0/1.1) prohibited; VPN for remote access; certificate standards. |
| Data in use | Data being actively processed in memory | Emerging area; hardware-based trusted execution environments (TEE); secure enclaves. Many organizations do not yet have formal data-in-use standards but the concept is tested. |
Different systems may have different encryption requirements based on data sensitivity. A standard may require AES-256 for systems processing PII or financial data, while permitting AES-128 for less sensitive internal systems. The key principle: the encryption requirement must match the sensitivity of the data being protected.
Password Storage Encryption Standard
Password storage is a specific encryption standard requirement: passwords must be stored using a one-way hashing algorithm with salt, not in plaintext or with reversible encryption. Current recommended algorithms: bcrypt, Argon2, PBKDF2. The salt is a unique random value added to each password before hashing, preventing rainbow table attacks (where an attacker pre-computes hashes for common passwords). Each user's password has a unique salt, so even identical passwords produce different hashes. MD5 and SHA-1 are deprecated for password storage due to speed (makes brute force faster) and known vulnerabilities.
ISO/IEC 27001
ISO/IEC 27001 is the international standard for information security management systems (ISMS). It provides a framework for establishing, implementing, maintaining, and continually improving information security within an organization. Key characteristics:
- Risk-based approach: Organizations identify their information security risks and select appropriate controls from Annex A (a catalog of 93 controls across 4 themes).
- Certification: Organizations can be independently audited and certified against ISO 27001, demonstrating to customers, partners, and regulators that security management meets an international standard.
- PDCA cycle: Plan-Do-Check-Act continuous improvement cycle ensures the ISMS is maintained and updated as threats, technology, and business requirements evolve.
- Scope: Can be applied to the entire organization or to a defined scope (e.g., a specific data center or business unit).
NIST Frameworks for Standards
NIST publications provide detailed standards guidance used by US government agencies and widely adopted in private industry:
- NIST SP 800-53: Security and Privacy Controls for Federal Information Systems. Comprehensive catalog of security controls organized by control families. Used as the basis for FedRAMP and many enterprise security programs.
- NIST SP 800-63B: Digital Identity Guidelines. Provides guidance on password standards (length over complexity, no mandatory rotation without evidence of compromise, check against breached password lists).
- NIST Cybersecurity Framework (CSF): Risk management framework with five functions. Widely adopted across industries as a voluntary baseline for security program maturity.