Password Changes—11.300 (b)
- Last UpdatedDec 13, 2016
- 1 minute read
"(b) Ensuring that identification code and password issuances are periodically checked, recalled, or revised (e.g., to cover such events as password aging)."
Identification codes should be disabled for users that are no longer allowed access to a system. Users should be periodically reviewed to ensure they are currently assigned to the correct user groups as many systems grant access or permissions based on membership in defined user groups. These types of changes are often due to change in roles or separation from the company. Whatever method is applied, the procedures should not jeopardize the integrity of signatures already executed which means it may not be possible to completely remove a user from the system.
Passwords are commonly required to be periodically changed in an effort to minimize the likelihood an ID-password combination can be compromised. This generally accepted practice is especially important in ER/ES systems. Additional rules, such as password cannot be changed to be the same as the user ID, passwords cannot be reused or reused within a specific time period, and others should also be considered to protect the integrity of passwords.