1password Iso 27001




The differences between the controls in ISO 27002 and ISO 27001. The controls in ISO 27002 are named the same as in Annex A of ISO 27001 – for instance, in ISO 27002, control 6.1.2 is named “Segregation of duties,” while in ISO 27001 it is “A.6.1.2 Segregation of duties.” Demystify and automate your ISO 27001 audit. Demystify and automate compliance with GDPR. Demystify and automate becoming PCI DSS compliant. Passwords for administrators: don’t share passwords – use a password manager like 1Password or Dashlane instead. Passwords for your customers: allow your customers to.

Hi Gary.

I’m not surprised there is conflicting advice out there concerning regular or periodic password changes: that idea is decades old, for reasons I have never fully understood or supported. It may have made sense when we were mostly using simple passwords (e.g. 6 letters) as a way to frustrate password guessers, but failed password lockouts and alarms have always been a better approach. Within the past few years, professional opinion has shifted towards using long, preferably complex passwords or pass phrases (e.g. generated and stored in password vaults), or better still multifactor authentication since we know passwords are inherently flawed. Cryptographic tokens typically generate a new code every minute or so: imagine trying to do that with passwords!

Just a few weeks back, someone from NIST (?) who was involved in standardizing the advice to enforce regular/periodic password changes admitted that, with hindsight, it was a mistake. The NIST standards are influential, even if the advice is bad. Luckily that’s a rare exception, in my experience, which is of course why the NIST standards are so influential in the first place: on the whole they are sound, excellent in fact.

Just to be clear, there is a separate issue concerning forced password change on first use, for example if a Help Desker or automated password reset routine authenticates then securely issues a new password for someone, the person should be required to choose and set their own private password as soon as practicable. This advice remains sound, I think. [I’m not clear from your email if you appreciate the distinction between this and periodic changes.]

As to your particular situation, the driver is your organization’s assessment of the associated information risks, including perhaps the risks arising from not following recommendations or requirements concerning periodic password changes if you don’t believe that is a valid approach. If the PCI-DSS requirement is firm, as you imply, noncompliance would be a problem since compliance is a contractual obligation: good luck resolving that with the PCI auditors and credit card companies, or the courts. Noncompliance is less of an issue with advisory good-practice standards, including ISO27k and NIST SP800.

Kind regards,

The Other Gary

________________________________________________


Dr Gary Hinson PhD MBA CISSP

CEO of IsecT Ltd., New Zealand www.isect.com

Passionate about information risk and security awareness, standards and metrics


www.NoticeBored.com www.ISO27001security.com www.SecurityMetametrics.com


--
You received this message because you are subscribed to the ISO27k Forum.
To post a message to ISO27k Forum, send an email to iso27001...@googlegroups.com or online through groups.google.com
For more information about ISO27k, visit www.iso27001security.com
Please respect the Forum's rules at www.iso27001security.com/html/forum.html#TipsAndEtiquette


Effective date: April 22, 2021


To support delivery of our Services, Vanta Inc. may engage and use data processors with access to certain Service Data (each, a 'Subprocessor'). This page provides important information about the identity, location and role of each Subprocessor. Terms used on this page but not defined have the meaning set forth in the applicable agreement between Customer and Vanta (the 'MSA').


Third Parties

Vanta currently uses third party Subprocessors to provide infrastructure services, and to help Vanta provide customer support and email notifications. Prior to engaging any third party Subprocessor, Vanta performs diligence to evaluate their privacy, security and confidentiality practices and executes an agreement implementing its applicable obligations.



Infrastructure Subprocessors

Vanta may use the following Subprocessors to host Service Data or provide other infrastructure that helps with delivery of the Services:


  • Amazon Web Services, Inc. – Cloud Service Provider – United States
  • MongoDB – Cloud Service Provider – United States


Other Subprocessors

Vanta may use the following Subprocessors to perform other Service functions:

  • CircleCI
  • Datadog
  • Dropbox
  • GitHub
  • GSuite
  • Sentry
  • Slack
  • Zendesk


Updates

The Subprocessors used by Vanta may change over time. Vanta will update this page with notice of any new or different Subprocessors as appropriate and necessary.




