03.05.12 Authenticator Management

This policy outlines the procedures for managing authenticators used within the organization to ensure the integrity and security of organizational systems and data. It covers the issuance, distribution, use, and revocation of authenticators, including measures to protect authenticator content and prevent unauthorized access.

• A.03.05.12.ODP[01]: the frequency for changing or refreshing authenticators is defined.
• A.03.05.12.ODP[02]: events that trigger the change or refreshment of authenticators are defined.
• A.03.05.12.a: the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution is verified.
• A.03.05.12.b: initial authenticator content for any authenticators issued by the organization is established.
• A.03.05.12.c[01]: administrative procedures for initial authenticator distribution are established.
• A.03.05.12.c[02]: administrative procedures for lost, compromised, or damaged authenticators are established.
• A.03.05.12.c[03]: administrative procedures for revoking authenticators are established.
• A.03.05.12.c[04]: administrative procedures for initial authenticator distribution are implemented.
• A.03.05.12.c[05]: administrative procedures for lost, compromised, or damaged authenticators are implemented.
• A.03.05.12.c[06]: administrative procedures for revoking authenticators are implemented.
• A.03.05.12.d: default authenticators are changed at first use.
• A.03.05.12.e: authenticators are changed or refreshed <A.03.05.12.ODP[01]: frequency> or when the following events occur: <A.03.05.12.ODP[02]: events>.
• A.03.05.12.f[01]: authenticator content is protected from unauthorized disclosure.
• A.03.05.12.f[02]: authenticator content is protected from unauthorized modification.