IA-4 (1) Prohibit Account Identifiers As Public Identifiers
Prohibiting the use of information system account identifiers that are the same as some public identifier, such as the individual identifier section of an electronic mail address, makes it more difficult for adversaries to guess user identifiers on organizational information systems.
The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.
IA-4 (2) Supervisor Authorization
The organization requires that the registration process to receive an individual identifier includes supervisor authorization.
IA-4 (3) Multiple Forms Of Certification
Requiring multiple forms of identification reduces the likelihood of individuals using fraudulent identification to establish an identity, or at least increases the work factor of potential adversaries.
The organization requires that multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority.
IA-4 (4) Identify User Status
Characteristics identifying the status of individuals include, for example, contractors and foreign nationals. Identifying the status of individuals by specific characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor.
The organization manages individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].
IA-4 (5) Dynamic Management
In contrast to conventional approaches to identification which presume static accounts for preregistered users, many distributed information systems including, for example, service-oriented architectures, rely on establishing identifiers at run time for entities that were previously unknown. In these situations, organizations anticipate and provision for the dynamic establishment of identifiers. Preestablished trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.
The information system dynamically manages identifiers.
IA-4 (6) Cross-Organization Management
Cross-organization identifier management provides the capability for organizations to appropriately identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information.
The organization coordinates with [Assignment: organization-defined external organizations] for cross-organization management of identifiers.
IA-4 (7) In-Person Registration
In-person registration reduces the likelihood of fraudulent identifiers being issued because it requires the physical presence of individuals and actual face-to-face interactions with designated registration authorities.
The organization requires that the registration process to receive an individual identifier be conducted in person before a designated registration authority.