Compliance standards

---

This report provides an overview of the compliance to industry standards for every policy. Every standard has different criteria for authentication.

Compliance indicators

The Password Policy Compliance report lists compliance with industry standards for every policy by means of indicators.

• Red: non-compliance. The policy does not meet any of the criteria set out by the standard.
• Yellow: partial compliance. The policy meets some but not all of the criteria set out by the standard.
• Green: full compliance. The policy meets all criteria set out by the standard.

Viewing compliance with individual standards

1. Click on any of the compliance indicators
2. A table is shown with each row representing a rule in the standard, the current policy's setting for that rule, and the standard's requirement.

Adjusting compliance overview

You can show or hide any columns in the overview.

1. Click the Select dropdown
2. Remove the checkmark next to the standard you want to hide or put a checkmark next to it to show it again.

Entropy

The entropy column is not specifically related to the outlined compliance standards. Instead, it is a measure of how “strong” the passwords allowed by the different policies are.

---

Specops Password Auditor provides support for the following standards:

• NIST
• PCI V4
• CJIS
• HITRUST
• NCSC
• BSI
• ANSSI
• CNIL

NIST

Description

The National Institute of Standards and Technology (NIST) sets the information security standards for federal agencies in the United States.

With a heavy emphasis on simplifying passwords for users, and placing the burden on authentication systems, dictionary enforcement is an important component to NIST recommendations.

With Specops Password Policy, you can create your own dictionary to block words common to your organization or use Breached Password Protection to block the use of over 3 billion compromised passwords.

PCI V4

Description

Payment Card Industry Data Security Standards (PCI DSS) is a set of standards and guidelines for companies to manage and secure credit card related personal data. It’s a global standard established by the major credit card companies – Visa, Mastercard, and American in an effort to protect credit card data from theft.

The PCI-DSS requirements are heavily focused around the makeup of passwords, and can be easily achieved with a third-party password policy tool, such as Specops Password Policy.

If you wish to protect against modern password attacks, you can make use of Specops Password Policy’s custom dictionary to prevent the use of passwords common to your organization. With Specops Breached Password Protection, you can block the use of over 3 billion compromised passwords.

CJIS

Description

The Criminal Justice Information Services (CJIS) Division of the US Federal Bureau of Investigation (FBI) gives state, local, and federal law enforcement and criminal justice agencies access to criminal justice information (CJI) — for example, fingerprint records and criminal histories.

Law enforcement and other government agencies in the United States must ensure that their use of cloud services for the transmission, storage, or processing of CJI complies with the CJIS Security Policy, which establishes minimum security requirements and controls to safeguard CJI.

The CJIS Security Policy outlines two sets of password standards – Basic and Advanced. The report here shows how password policies compare against the Basic standard.

HITRUST

Description

The Health Information Trust (HITRUST) is a framework that provides a way to comply with the often vague standards that apply to the healthcare industry in the United States, such as the Health Insurance Portability and Accountability Act (HIPAA).

NCSC

Description

The National Cyber Security Centre (NCSC) is an organization of the UK government whose approved accreditation scheme, Cyber Essentials, provides a standardized baseline for cyber security policies, controls, and technologies.

With a heavy emphasis on simplifying passwords for users, and placing the burden on authentication systems, dictionary enforcement and encouraging the use of passphrases are important components of the UK standard.

With Specops Password Policy, you can create your own dictionary to block words common to your organization or use Breached Password Protection to block the use of over 3 billion compromised passwords.

BSI

Description

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI) is an agency responsible for information security for the German federal government.

The BSI is also the central certification body for IT systems. This means that any IT product or system that is to be used by the federal government, must meet the security standards of the BSI.

ANSSI

Description

The National Agency for the Security of Information Systems (ANSSI) is France's national authority charged with supporting and securing the development of digital technology.

The ANSSI security standard includes several password recommendations including checking against a list of known compromised passwords and encouraging the use of passphrases.

CNIL

Description

Data privacy has become a priority for global businesses due to sweeping regulations such as the General Data Protection Regulation (GDPR). At the same time, other regulatory bodies continue to enforce local data privacy laws. In France, for example, the data protection authority is the Commission nationale de l’informatique et des libertés (CNIL).

The CNIL provides cybersecurity guidance related to collecting, storing, and using personal data. Naturally, securing passwords is an important part of the guidance.