Identify the best practices met by the Michigan password policy

Deliverables
Upon completion of this assignment, you are required to provide the following deliverables

• Identify the best practices met by the Michigan password policy
• Suggest revisions for the Michigan password policy
• Describe whether the Michigan password policy is best titled as a policy or as another element of the security policy framework
• Describe the Center for Internet Security consensus process
• Identify the section of the CIS standard that implements password composition requirements
• Identify whether the CIS standard satisfies, violates, or does not address each of the NIST best practices and the relevant recommendation number
• Challenge Exercise

Applying the Security Policy Framework to an Access Control Environment
Note: The current National Institute for Standards and Technology (NIST) guidance for the use of passwords introduced some major changes to the best practices that cybersecurity professionals have historically followed. If you completed these labs in order, you may recall from Lab 1 that you reviewed NIST SP 800-63B, Authenticator and Verifier Requirements, which includes these standards. The current NIST best practices include:

• Passwords should be at least 8 characters in length.
• Passwords should be permitted to be up to 64 characters in length.
• Users should not be prompted to provide a password hint.
• Passwords should not be composed of dictionary words.
• Passwords should not include repetitive or sequential characters or context-specific words.
• Passwords should not be ones that have appeared in previous breaches.
• Passwords should not be subject to other complexity rules.
• Passwords should not be set to expire arbitrarily.
• Authentication systems should provide guidance on the strength of selected passwords.
• Authentication systems should limit the number of failed consecutive logins for an account.
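To make the list above concrete, here is an added verifier-side implementation of those practices. It is example code written for this page, not code from the lab, from the State of Michigan, or from NIST; the dictionary and breach lists are tiny constructed samples standing in for the full lists a real verifier would load, and the lockout threshold of five attempts is an assumed value.

```python
"""Verifier-side checks modelled on the NIST SP 800-63B practices listed above.

Added example for this lab; it is not code from the lab, from the State of
Michigan, or from NIST. The dictionary and breach lists are tiny constructed
samples standing in for the full lists a real verifier would load.
"""
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8            # practice: at least 8 characters
MAX_LENGTH = 64           # practice: permit up to 64 characters
MAX_FAILED_ATTEMPTS = 5   # assumed threshold for limiting consecutive failed logins

# Constructed samples only.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "football"}
BREACHED_PASSWORDS = {"password1", "qwerty123", "iloveyou"}


@dataclass
class Verdict:
    accepted: bool = True
    reasons: list = field(default_factory=list)
    strength: str = "unknown"


def has_repetitive_run(pw: str, run: int = 3) -> bool:
    """True if any character repeats `run` or more times in a row, e.g. 'aaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step up or down by one, e.g. '1234' or 'dcba'."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_context_word(pw: str, context) -> bool:
    """True if the password contains a context-specific word such as the username or service name."""
    low = pw.lower()
    return any(word.lower() in low for word in context if word)


def strength_guidance(pw: str) -> str:
    """Feedback shown to the user; length counts for more than character classes."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if len(pw) >= 16 and classes >= 2:
        return "strong"
    if len(pw) >= 12:
        return "moderate"
    return "weak"


def verify_password(pw: str, context=()) -> Verdict:
    """Apply the blocklist-style checks; deliberately imposes no composition rules."""
    v = Verdict()
    if len(pw) < MIN_LENGTH:
        v.reasons.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        v.reasons.append("longer than %d characters" % MAX_LENGTH)
    if pw.lower() in DICTIONARY_WORDS:
        v.reasons.append("dictionary word")
    if pw.lower() in BREACHED_PASSWORDS:
        v.reasons.append("found in a previous breach")
    if has_repetitive_run(pw):
        v.reasons.append("repetitive characters")
    if has_sequential_run(pw):
        v.reasons.append("sequential characters")
    if contains_context_word(pw, context):
        v.reasons.append("context-specific word")
    # No required digits/symbols/case mix: "should not be subject to other complexity rules".
    v.strength = strength_guidance(pw)
    v.accepted = not v.reasons
    return v


class LoginRateLimiter:
    """Tracks consecutive failed logins per account and locks after MAX_FAILED_ATTEMPTS."""

    def __init__(self):
        self.failures = {}

    def record(self, account: str, success: bool) -> None:
        self.failures[account] = 0 if success else self.failures.get(account, 0) + 1

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3xylophone", "password", "abcd1234", "Michigan2024!"):
        verdict = verify_password(candidate, context=["jdoe", "michigan"])
        print(candidate, verdict.accepted, verdict.strength, verdict.reasons)
```

Notice what is absent: there is no rule demanding an uppercase letter, a digit or a symbol, and there is no expiry date attached to the password. Those two omissions are the parts of the current guidance that most often conflict with older policies, and the lab's comparison steps hinge on spotting them.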
In this part of the lab, you will review a real-world access control policy and determine whether it complies with these best practices. You will also suggest changes to the policy that bring it into compliance with the new best practices.
2. Evaluate the policy document against the NIST best practices summarized above. Identify by number which, if any, of the eight best practices the policy satisfies. For each practice that you identify, provide a reference to the statement in the policy that aligns with that best practice.
3. Suggest how you would revise the policy to directly align with the standards. Provide specific statements that you would add/modify in the policy.
4. Describe whether this document is best titled as a policy or whether it would be better described using another element of the policy framework.

Part 2
The Center for Internet Security (cisecurity.org) is a cybersecurity organization that uses a collaborative process to create consensus standards for many different operating systems and applications. Organizations may choose to use the Center for Internet Security standards as the baseline for their own configuration standards. They may either simply adopt the Center’s standards as is, or write their own document that notes changes from the Center’s standard.
In this assignment, you will review one of these consensus security standards and describe how you would implement it in your environment.

1. Go to https://www.cisecurity.org/ and locate the Center’s benchmarks for configuring Windows Server systems.
2. Review the “Consensus Guidance” section of the document.
3. Describe the process that the Center uses to ensure that its standards represent the consensus of the cybersecurity community.
4. Locate and review the section of the standard that implements password composition requirements.
5. Identify the section of the recommendations that achieves this goal.
6. Compare the configuration suggested in the policy to this subset of the NIST best practices that you reviewed in Part 1 of this assignment.

1. Passwords should be at least 8 characters in length.
2. Passwords should not include repetitive or sequential characters or context-specific words.
3. Passwords should not be subject to other complexity rules.
4. Passwords should not be set to expire arbitrarily.
5. Authentication systems should limit the number of failed consecutive logins for an account.
7. For each of the five best practices in the previous step, classify the practice as:
   1. Satisfied (indicate the recommendation number that achieves the best practice)
   2. Violated (indicate the recommendation number that violates the best practice)
   3. Not addressed
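Steps 6 and 7 amount to a fixed mapping from a benchmark's account-policy settings onto the five numbered practices. The following is an added example of that mapping written for this page; it is not code from the lab or from any CIS benchmark. The recommendation identifiers (REC-MINLEN and so on) and the setting values are constructed placeholders to be replaced with the real recommendation numbers and values from the benchmark you review, and the readings of each setting (for example, that any non-zero maximum password age counts as arbitrary expiry) are this example's interpretation of the NIST practices.

```python
"""Step 7 classifier: maps a benchmark's account-policy settings onto the five NIST
practices numbered in step 6 (1: minimum length, 2: repetitive/sequential/context
words, 3: no other complexity rules, 4: no arbitrary expiry, 5: limit failed logins).

Added example, not taken from the lab or from any CIS benchmark. The recommendation
identifiers and values below are constructed placeholders; replace them with the
real recommendation numbers and values from the benchmark you review.
"""

SATISFIED, VIOLATED, NOT_ADDRESSED = "Satisfied", "Violated", "Not addressed"

# Constructed stand-in for the benchmark's password and lockout settings.
# A missing key means the benchmark does not configure that setting.
SAMPLE_BENCHMARK = {
    "minimum_password_length":   {"rec": "REC-MINLEN",  "value": 14},    # characters
    "password_complexity":       {"rec": "REC-COMPLEX", "value": True},  # "must meet complexity requirements"
    "maximum_password_age":      {"rec": "REC-MAXAGE",  "value": 365},   # days; 0 means never expires
    "account_lockout_threshold": {"rec": "REC-LOCKOUT", "value": 5},     # failed attempts; 0 disables lockout
}


def _setting(benchmark: dict, name: str):
    """Return (recommendation id, value) for a setting, or (None, None) if the benchmark omits it."""
    entry = benchmark.get(name)
    return (entry["rec"], entry["value"]) if entry else (None, None)


def classify_practice(practice: int, benchmark: dict) -> tuple:
    """Return (classification, recommendation id) for one practice; id is None when not addressed."""
    if practice == 1:
        rec, value = _setting(benchmark, "minimum_password_length")
        if rec is None:
            return (NOT_ADDRESSED, None)
        return (SATISFIED if value >= 8 else VIOLATED, rec)
    if practice == 2:
        # Windows account policy has no native blocklist setting; only count it if the
        # benchmark explicitly adds one (e.g. a banned-password screening control).
        rec, value = _setting(benchmark, "banned_password_screening")
        if rec is None:
            return (NOT_ADDRESSED, None)
        return (SATISFIED if value else VIOLATED, rec)
    if practice == 3:
        # Requiring character classes is exactly the kind of "other complexity rule" NIST drops.
        rec, value = _setting(benchmark, "password_complexity")
        if rec is None:
            return (NOT_ADDRESSED, None)
        return (VIOLATED if value else SATISFIED, rec)
    if practice == 4:
        # Any non-zero maximum age forces periodic rotation, which NIST treats as arbitrary expiry.
        rec, value = _setting(benchmark, "maximum_password_age")
        if rec is None:
            return (NOT_ADDRESSED, None)
        return (SATISFIED if value == 0 else VIOLATED, rec)
    if practice == 5:
        rec, value = _setting(benchmark, "account_lockout_threshold")
        if rec is None:
            return (NOT_ADDRESSED, None)
        return (SATISFIED if value > 0 else VIOLATED, rec)
    raise ValueError("practice must be 1-5")


def evaluate_benchmark(benchmark: dict) -> dict:
    """Classify all five practices, producing the table step 7 asks for."""
    return {n: classify_practice(n, benchmark) for n in range(1, 6)}


if __name__ == "__main__":
    for number, (outcome, rec) in evaluate_benchmark(SAMPLE_BENCHMARK).items():
        print("Practice %d: %s%s" % (number, outcome, " (%s)" % rec if rec else ""))
```

Running it on the constructed sample shows the shape of the answer the lab expects: one practice not addressed at all, two satisfied, and two violated by settings (enforced complexity and a rotation period) that were considered good practice before the current NIST guidance.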

For this section, you should consider a security standard that you are familiar with from your employment, academic institution, and/or personal life. If you do not have a security standard that you are familiar with, use a search engine to locate a standard used by a government agency.
Identify a set of industry best practices covering the same area as the standard you selected. You may choose to use standards published by the Center for Internet Security, the National Institute for Standards and Technology, a vendor, or other sources.
Select three specific statements from the standard you drew from your own experience that are also covered by the industry best practice document you selected. For each of these three statements:

8. Identify the section of your standard.

9. Identify the section of the industry best practices that covers the same topic.

10. Identify whether the standard you selected satisfies or violates the industry best practice.

11. Provide a rationale for your conclusion.