Credentials for user accounts are changed if:
• they are compromised
• they are suspected of being compromised
• they are discovered stored on networks in the clear
• they are discovered being transferred across networks in the clear
• membership of a shared account changes
• they have not been changed in the past 12 months.
Topic
Changing credentials
Applicable to
all
History
Sep 2024
Credentials for user accounts are changed if:
• they are compromised
• they are suspected of being compromised
• they are discovered stored on networks in the clear
• they are discovered being transferred across networks in the clear
• membership of a shared account changes
• they have not been changed in the past 12 months.
The existing control relating to changing credentials was amended to clarify that it relates to changing credentials for user accounts.
Jun 2023
Credentials are changed if:
• they are compromised
• they are suspected of being compromised
• they are discovered stored on networks in the clear
• they are discovered being transferred across networks in the clear
• membership of a shared account changes
• they have not been changed in the past 12 months.
A minor change was made to the existing control covering scenarios for when to change credentials in order to remove duplication of content.
Mar 2022
Credentials are changed if:
• they are directly compromised
• they are suspected of being compromised
• they appear in an online data breach database
• they are discovered stored on networks in the clear
• they are discovered being transferred across networks in the clear
• membership of a shared account changes
• they have not been changed in the past 12 months.
Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.
Aug 2020
Passwords/passphrases are changed if:
• they are directly compromised
• they are suspected of being compromised
• they appear in online data breach databases
• they are discovered stored in the clear on a network
• they are discovered being transferred in the clear across a network
• membership of a shared account changes
• they have not been changed in the past 12 months.
Security control 1590 was introduced to cover scenarios in which password/passphrase changes should occur.