How to Document Identification and Authentication Controls Within Your Security Policies

Let’s talk about identification and authentication. Identification and authentication of users to your system is the human-to-computer interaction that is a critical piece of access control for your systems. There have been numerous breaches reported, some from big-name companies, where organizations failed to secure their systems, websites, or computers. In the past, identification and authentication meant simply the use of unique usernames and passwords. More recently, it is recommended to go beyond that, especially for systems that contain sensitive or proprietary information. It is now recommended to invest in quality authentication tools that fit your environment, resources, and needs.

So, how do you document identification and authentication within your policies? There are two sides to include. First is identifier management. The policy should require a unique username with a password that follows best practices, with defined verification and authorization rules for each system. Second is authenticator management. The policy should define the authenticator and the procedures for issuing, replacing, and revoking it, as well as the response taken if the authenticator is lost or stolen.

There are three common factors for authenticating a user: something you know (a passphrase or password), something you have (a smart card, a token, a key fob), and something you are (biometrics, such as fingerprints or iris scanning). Adding multifactor authentication will further secure your sensitive assets.

In summary, remember that identification and authentication work hand in hand to create a secure log-in process, but they are two separate terms. Visit to learn more about identification and authentication requirements.