boulaygroup.com

Security Spotlight: Password Complexity and Multi-Factor Authentication

Before your organization undergoes a System and Organization Controls (SOC) 2 examination, you may find yourself sorting through the various trust services criteria that will be covered. These criteria are set by the American Institute of Certified Public Accountants (AICPA) to ensure that your organization is maintaining best practices when it comes to security. Since cyber attacks are one of the leading risks for organizations today, the SOC 2 common criteria put a special focus on controls that prevent and detect cyber threats. This security spotlight focuses on two of these areas, password complexity and multi-factor authentication.

Password Complexity

Your organization likely relies on many different programs and applications to do its work, and most of them require users to sign in with a password. Password complexity requirements help minimize the risk of unauthorized access to company systems and applications: they specify how many characters a password must have and whether it must include uppercase and lowercase letters, numbers, or special symbols.

Complex passwords are more difficult for hackers and other malicious actors to guess. Using a unique password for each account adds a further layer of protection: if one password is guessed, it cannot be reused to get into other systems. Many organizations capture both complexity and uniqueness requirements in an official password policy, and that documentation helps demonstrate your organization’s commitment to security as part of the SOC 2 examination.

Multi-Factor Authentication

Another important logical security control is multi-factor authentication (MFA), which requires users to verify their identity through an additional method beyond just their username and password. This can include requiring them to enter a security code that is sent to their email or phone via text message, or using a third-party authenticator application (such as Google Authenticator).

MFA increases endpoint security by minimizing the likelihood of a breach. While a malicious actor may be able to steal a password, it is unlikely that they will also be able to steal your phone or otherwise bypass the MFA step needed to log in to secure systems.

Helping You Get There…

Password complexity and MFA requirements are just two controls that contribute to the security of your organization. To learn more about protecting yourself against cybersecurity threats, or to inquire about Boulay’s SOC 2 reporting services, contact a member of our Risk Advisory Group today.

Boulay provides the information in this article for general guidance only, and does not constitute the provision of legal advice, tax advice, accounting services, investment advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal, or other competent advisers. Before making any decision or taking any action, you should consult a professional adviser who has been provided with all pertinent facts relevant to your particular situation. The information is provided “as is,” with no assurance or guarantee of completeness, accuracy, or timeliness of the information, and without warranty of any kind, express or implied, including but not limited to warranties of performance, merchantability, and fitness for a particular purpose.
