National Institute of Standards and Technology (NIST) Secure Password Guidelines
The National Institute of Standards and Technology, otherwise known as NIST, is a physical sciences laboratory and non-regulatory agency of the United States Department of Commerce. NIST was created to promote innovation and industrial competitiveness in certain industries such as information technology, nanoscale science and technology, and engineering. NIST has been named to lead the development of appropriate technical standards for reliable, robust, trustworthy, secure, portable, and interoperable AI systems by the American AI Initiative. In June of 2017, NIST published guidelines for ideal requirements for protecting one’s digital identity.
Characteristics of Secure and Strong Passwords
According to NIST’s secure password guidelines, there are certain password factors that are recommended for better security. Some of these guidelines are:
- Minimum eight characters with a suggested maximum of 64 characters
- Ability to use special characters (e.g. ? & ! @)
- Restriction of repetitive or sequential characters (e.g. abcde or 1111)
- Restriction of context specific phrases (e.g. email or username)
- Restriction of commonly used passwords or passwords obtained from previous breach corpora
Restricting predictable passwords matters because they are the ones an attacker is most likely to guess. Candidate passwords are compared against a blacklist of unacceptable values and rejected if they match. A blacklist usually consists of simple dictionary words, previously used passwords, and specific words and phrases tied to the organization or service.
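As an added example that is not part of the original article, the following Python function checks a candidate password against the five guidelines listed above (length bounds, any character allowed, repetitive or sequential runs, context-specific text, and a blacklist). The blacklist entries, the service name and the user details are constructed sample values, not a real breach corpus.

```python
import re
import unicodedata

# Constructed sample blacklist (not a real breach corpus): common passwords plus
# terms tied to a hypothetical service, as the guidelines describe.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
SERVICE_TERMS = {"acme", "acmeportal"}  # hypothetical organization/service names

MIN_LEN, MAX_LEN = 8, 64  # NIST minimum and suggested maximum


def has_sequential_run(s: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step up or down by one (abcd, 4321)."""
    for i in range(len(s) - run + 1):
        deltas = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def has_repeated_run(s: str, run: int = 4) -> bool:
    """True if one character repeats `run` or more times in a row (1111, aaaa)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def check_password(pw: str, username: str, email: str) -> list[str]:
    """Return the guideline violations found; an empty list means the password is accepted.

    Spaces and all printable characters are allowed; only the checks below reject a value.
    """
    pw = unicodedata.normalize("NFKC", pw)  # count characters consistently, not bytes
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    lowered = pw.lower()  # comparisons are case-insensitive
    if has_repeated_run(lowered) or has_sequential_run(lowered):
        problems.append("contains repetitive or sequential characters")
    # Context-specific text: username, full email, email local part, service names
    context = {username.lower(), email.lower(), email.split("@")[0].lower()} | SERVICE_TERMS
    if any(term and term in lowered for term in context):
        problems.append("contains context-specific text (username, email, or service name)")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common/breached password list")
    return problems
```

The passphrase example used later in the article, "house kangaroo 28 card ticket", passes every check, while "abcde1234" fails only on the sequential-character rule.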
Random Characters Do Not Equal Strong Passwords
NIST suggests that a strong password is something unique that its owner will remember but someone else cannot guess. Contrary to past popular belief, forced mixes of upper- and lower-case letters, numbers, and special characters are no longer recommended; instead, NIST favors complex but memorable phrases such as “house kangaroo 28 card ticket”, which makes no sense as a sentence but can be pictured in your mind.
In addition to strong passwords, the controls surrounding passwords are equally important. Even though the new guidelines rely less on length and complexity, accounts should lock out after repeated failed attempts, since a burst of failed logins can be a sign of a guessing attack. Another control is a password history restriction that does not let personnel reuse any of their previous passwords, because those passwords may have been compromised.
For more information about secure password guidelines, check out the NIST website focused on information technology publications. To learn more about our risk consulting services, contact Katelyn.Crowley@freedmaxick.com, connect with me here, or call 716.362.6281.
If your organization is looking to reduce its costs with IT assets, you should consider implementing an IT asset management (ITAM) system. Tracking your organization's IT assets is an effective way to reduce unnecessary spending on software licenses and IT infrastructure. This can eliminate the purchase of assets your organization already owns, utilize your organization's current assets more efficiently, and be better prepared for the replacement of old devices or expiration of software licenses.
Building your organization's IT asset management goals
Before implementing an ITAM system within your organization, you should first determine your organization's goals. It is critical to identify specific objectives and desired outcomes to assist you in developing a system of measurement to align with these objectives. Take a moment to list what you would like to achieve with your ITAM system and rate these achievements to determine what is most critical to your organization.
Determining your system of IT asset measurement
Once you have established your desired IT asset management goals, it is important to choose key performance indicators (KPIs) that measure the progress toward achieving your goals. This will help your organization evaluate the adequacy of its ITAM system. For instance, if your organization would like to emphasize software license compliance, your organization could track licenses by expiration date or the ratio of used purchased licenses to unused purchased licenses.
Using an effective measurement system not only assists in tracking assets but also provides useful information for future decision-making. As you plan your ITAM system, be mindful of choosing logical metrics that correlate with your goals. Consider the following ways an ITAM system could provide value to your organization, and the metrics that could be used for each:
- Defining an IT budget by tracking asset costs
- Reducing discrepancies to the IT environment by identifying assets that cause service failures
- Optimally employing existing resources by identifying users with multiple workstations.
Establishing an IT asset repository
If there is uncertainty with where to begin in implementing your ITAM system, start by establishing a full IT asset repository. No matter the size of your organization, it is best practice to track your organization's IT assets to reduce the risk of not discovering lost or stolen assets. When deciding how your organization will maintain a repository, acknowledge who will be responsible for updating the listing, as well as how the process can be integrated into your existing IT service support management and change management systems. Be sure your organization's repository incorporates all relevant IT assets, including:
- Hardware and software
- Network and communication infrastructure, servers, and applications
- Mobile devices
- Cloud assets
For each item in the repository, be sure to include the following relevant information, as well as any additional critical metrics you identified previously to measure progress toward your organization's goals:
- Model and serial numbers
- Maintenance, repair, change, and upgrade information
If your organization must comply with industry regulatory requirements such as HIPAA and PCI, it may be useful to record where critical or sensitive data is stored to increase the efficiency of audits.
ITAM throughout the IT Asset Life Cycle
ITAM is more than just maintaining a listing of assets; it extends to processes in each step of an asset's life cycle. The IT asset life cycle is a series of stages that an asset goes through during an organization's ownership, from requisition to retirement/disposal. In order to establish and maintain a robust ITAM system, your organization should consider the processes and controls in place surrounding each stage in the cycle.
- IT Asset Requisition
During the asset requisition stage, controls should focus on the proper authorization of asset purchases. The authorizing person or group should reference the asset repository to check if a requested item is actually available to avoid unnecessary purchases and confirm that the requested item is compatible with company policies.
- IT Asset Procurement and Receipt
In the procurement and receipt stage, orders should be placed only to approved vendors, and vendor lists should be reviewed periodically to avoid purchases from unauthorized vendors. The IT asset manager should anticipate delivery times and verify that new assets are logged either upon delivery or before releasing to the user.
The receiving department’s manager is responsible for reconciling received assets with original requests to ensure that delivered equipment that is faulty or that does not match the purchase order is returned to the supplier and not added to the asset repository. The receiver should also assign a unique identifier for the asset as communicated by the asset manager. At this point, the asset should be recorded in the asset repository with relevant information covered in the previous section. The IT technician then schedules installation, as needed.
- IT Asset Deployment
The deployment stage puts the asset to use. The asset repository should be correct prior to the deployment of equipment to users. The IT technician is responsible for installing IT equipment for the user and making sure it is configured and ready for use. The user should receive training on how to use the asset, with additional training available, if needed. Employees should sign an acceptance form for the equipment once it is delivered. This form should be recorded or kept in the user's personal HR record so that equipment can be retrieved if the individual leaves the organization. If an asset was previously deployed to a different user, a process should be in place to wipe information from that asset before cascading to the new user.
- IT Asset Maintenance
Asset management is a continual process. As such, ensure that your organization consistently follows its ITAM policy as your assets go through maintenance, repairs, and changes. A clear policy should be documented to cover what changes are acceptable, who is responsible for authorizing changes, and what action will be taken if the organization's procedures are not followed. Significant maintenance, repairs, or changes surrounding IT assets should be recorded in the asset repository prior to releasing equipment.
Your organization should have regular audits of its databases and workstations, as well as regular reviews of systems and procedures with recommendations for improvements, where necessary. Consider the legal and regulatory requirements in terms of software licenses and contractual issues, such as maintenance contracts, insurance contracts, and lease contracts.
- IT Asset Retirement/Disposal
Eventually, it will be time to dispose of or retire your assets. Ideally, the replacement of assets is planned and not a consequence of an item suddenly ceasing to function. Each addition to your asset repository should coincide with the retirement of the equipment it replaces. A process should be in place to wipe company information from an asset prior to disposal, using a professional third party.
When equipment is re-issued to a user, old equipment should be removed at the time of issuing new equipment. A return form should be completed, with a copy sent to HR for the employee's record. The employee's manager is typically responsible for the return of equipment.
ITAM can seem like a daunting process. It is important to initiate the process with a plan based on the needs of your organization. Avoid getting bogged down by too many details by only tracking information that will be most useful to decision-making in your organization.
Connect with a Freed Maxick IT Asset Management Consultant
If you are interested in establishing an ITAM system for your organization, or improving your organization’s controls surrounding the IT asset life cycle, our Risk Advisory Services team can work with you. Our internal control consultants will conduct an examination of your organization's ITAM system to identify weak areas. We can recommend the appropriate level of control for your organization and develop systems to monitor, assess and update those controls.
For more information regarding how Freed Maxick can help, please call 716.847.2651 or contact us here.
Three Borrower Traits Asset Based Lenders Need to Recognize in their Loan Portfolio
Author: Ashley Trexler, Supervising Field Examiner
If a borrower possesses significant fixed assets, owns its real estate, or operates several lines of business, you may be exposing your bank to unnecessary risk. To avoid that situation, be sure you review your loan portfolio for clients with certain traits.
Commercial property ownership can be quite risky, especially for retailers. Why? Because the store’s owner can be held liable for crimes or accidents that occur on the site if a victim proves there’s inadequate security.
Liability insurance can help mitigate losses. But many policies may be based on outdated business appraisals, and damages might exceed the borrower’s coverage.
For an added layer of protection, borrowers may want to create a separate legal entity for their real estate ventures. That way they can lease the property to the operating business at a fair market value. The same will hold true for businesses with significant fixed assets.
Doing so will protect the operating business entity from property liability claims. The real estate venture can still be pledged as collateral for loans to the operating entity.
Suppose a dry cleaning establishment diversifies and explores the health food market. If the experiment doesn’t work, it will drag down the dry cleaning business (or vice versa). If the borrower sets up a separate legal entity for each business segment, however, the borrower will not only limit its “spillover liability,” but it will also allow for more flexibility in the ownership structure. Keeping things separate from the get-go — with separate bank accounts and balance sheets — can be quite helpful if the owners subsequently decide to sell or seek additional financing.
If a family business wants to transfer wealth to subsequent generations, the company will likely benefit from establishing separate legal entities. For example, suppose an operating business carves out its real estate into an LLC or a trust. Those who are active in the operating business are “gifted” interests in the company. Passive heirs are then given pieces of the real estate venture.
This setup serves several goals beyond limiting liability. First, the parents can use the annual gift tax exclusion ($14,000 in 2013) and the lifetime unified credit ($5.25 million in 2013) to gradually lower their taxable estate. Gifts are typically discounted for marketability and lack of control.
Second, those who are active in the business will get a stake in something they can directly impact — the value of the operating business. Passive investors will have access to a steady income stream. Plus, the family will be able to minimize its overall tax liability if the children are in a lower tax bracket.