AM-02 Access Management

Password / Authentication Policy

Credentials meet a minimum strength/lifecycle baseline.

Domain: Access Management
Control type: Preventive
Automated / manual: Automated
Frequency: Continuous
Framework reference: MAS Cyber Hygiene; COBIT DSS05

What good looks like

Password policy enforces length, complexity, history, lockout and rotation per baseline.

Risk if it fails

Credential compromise; account takeover.

How Tess tests it

4 tests — each concludes only on cited evidence.

Policy defines all key parameters

Design

Procedure: Inspect the password policy.
Expected: Length/complexity/history/lockout/expiry defined.
Sample: 1 (design inspection)
Evidence: IdP/AD policy settings, app auth config, screenshots.

IdP/AD config matches policy

Operating

Procedure: Inspect configuration.
Expected: Each parameter enforced as stated.
Sample: 25 (or full config inspection)
Evidence: IdP/AD policy settings, app auth config, screenshots.

Applications do not bypass central policy

Operating

Procedure: Inspect app-local authentication.
Expected: Apps inherit or meet the baseline.
Sample: 25 (or full config inspection)
Evidence: IdP/AD policy settings, app auth config, screenshots.

Lockout threshold enforced

Operating

Procedure: Inspect/test lockout.
Expected: Account locks after defined failures.
Sample: 25 (or full config inspection)
Evidence: IdP/AD policy settings, app auth config, screenshots.

Evidence Tess looks for

IdP/AD policy settings, app auth config, screenshots.

More in Access Management

AM-01 IT Organisation & Segregation AM-03 Multi-Factor Authentication (MFA) AM-04 Centralised Identity / SSO AM-05 Session Management / Timeout

Want Tess to test AM-02 against your evidence?