Authentication-Questions-v2 2 Cleaned
These materials are considered sensitive and confidential materials and may not be used
for any purpose other than the organization’s own internal use. This material may not
otherwise be shared, used, reproduced, or disseminated outside of the organization in any
way without prior written permission.
AUDITING AUTHENTICATION
1
© ENCLAVE SECURITY 2017
AuditScripts has created the “5 Crucial Questions” series of audit checklists to provide auditors with a list of the five most important questions to ask when auditing a specific scope. Heavily influenced by the 20 Critical Security Controls project, these questions should serve as the starting point for any assessment.

5 Crucial Questions to Ask:
When performing an audit of an organization’s authentication systems, auditors should consider at a minimum asking the following questions:
1. Are clear-text authentication methods ever utilized in the organization?
2. Does the organization have a well-defined password standard for using passwords with lower sensitivity systems?
3. Is authentication performed at multiple layers (operating system, network, encryption, etc.)?
4. Does the organization utilize two-factor authentication for access to sensitive resources and systems?
5. Does the organization log all authentication events for both successful and unsuccessful attempts to authenticate?

Standards References
CIS Critical Controls (v6.1): 1, 3, 5, 11, 12, 13, 14, 16
NIST 800-53 (rev4): AC-7 through AC-14
COBIT 5: APO13, DSS05
ISO 27000:2013: 11.1 through 11.3
NIST Cybersecurity Framework: PR.AC-1
IIA GTAGs: Not Applicable
PCI DSS (v3.1): 2, 3, 4, 6
HIPAA / HITECH: HIPAA 164.308(a)(1), HIPAA 164.312(a)(4), HIPAA 164.312(c)(1), HIPAA 164.312(d)
Other Standards: All current FIPS Publications (especially FIPS 140-2)

© AuditScripts.com & Enclave Security, LLC under a Creative Commons Attribution-NonCommercial 3.0 Unported (CC BY-NC 3.0) License. http://creativecommons.org/licenses/by-nc/3.0/deed.en_US.
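Question 5 asks whether both successful and unsuccessful authentication attempts are recorded. The following Python script is an added example (not part of the AuditScripts checklist or any Enclave Security tooling) of the kind of evidence check an auditor can run against a log sample: it parses sshd-style syslog lines, counts accepted and failed attempts per user, and reports a finding when either outcome is entirely absent from the sample, which is the gap the question is probing. The log lines are constructed for illustration, and the `failure_threshold` parameter is an assumed, hypothetical setting rather than a value from any standard.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in sshd's syslog format (not captured from a real system).
# It mixes accepted logins, failed logins and one unrelated PAM line.
SAMPLE_LOG = """\
Mar  3 08:01:12 host1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 08:02:40 host1 sshd[2210]: Failed password for bob from 10.0.0.9 port 40010 ssh2
Mar  3 08:02:44 host1 sshd[2210]: Failed password for bob from 10.0.0.9 port 40010 ssh2
Mar  3 08:02:49 host1 sshd[2210]: Failed password for invalid user admin from 10.0.0.9 port 40011 ssh2
Mar  3 08:05:01 host1 sshd[2233]: Accepted password for bob from 10.0.0.9 port 40020 ssh2
Mar  3 08:06:15 host1 CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the two sshd outcomes an auditor cares about; "invalid user" is
# optional because sshd inserts it when the account does not exist.
AUTH_EVENT = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_events(text):
    """Return one dict per recognised authentication event; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_EVENT.search(line)
        if m:
            events.append({"outcome": m["outcome"], "method": m["method"],
                           "user": m["user"], "src": m["src"]})
    return events


def audit_auth_log(text, failure_threshold=3):
    """Summarise a log sample the way an auditor checking question 5 would.

    failure_threshold is a hypothetical setting: a source that reaches it is
    reported because repeated failures are only visible when failures are logged.
    """
    events = parse_auth_events(text)
    outcomes = Counter(e["outcome"] for e in events)
    per_user = defaultdict(Counter)
    for e in events:
        per_user[e["user"]][e["outcome"]] += 1

    findings = []
    # Core of the audit question: are both outcomes actually being recorded?
    if outcomes["Accepted"] == 0:
        findings.append("no successful authentications recorded")
    if outcomes["Failed"] == 0:
        findings.append("no failed authentications recorded")
    # Why failures matter: clusters of failures from one source stand out only if logged.
    failures_by_src = Counter(e["src"] for e in events if e["outcome"] == "Failed")
    for src, n in failures_by_src.items():
        if n >= failure_threshold:
            findings.append(f"{n} failed attempts from {src}")

    return {
        "accepted": outcomes["Accepted"],
        "failed": outcomes["Failed"],
        "per_user": {u: dict(c) for u, c in per_user.items()},
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_auth_log(SAMPLE_LOG)
    print(f"accepted={report['accepted']} failed={report['failed']}")
    for user, counts in report["per_user"].items():
        print(f"  {user}: {counts}")
    for f in report["findings"]:
        print(f"  finding: {f}")
```

Run against a real export, the same script would be fed the contents of the authentication log rather than `SAMPLE_LOG`; a report showing zero failures or zero successes over a realistic window is the signal that the control in question 5 is not in place or that the relevant events are being filtered before they reach the log.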