IAM.2.02_password_authentication.html.md
---
layout: handbook-page-toc
title: "IAM.2.02 - Password Authentication Control Guidance"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

# IAM.2.02 - Password Authentication

## Control
User and device authentication to information systems is protected by passwords that meet GitLab's [password policy guidelines](/handbook/security/#gitlab-password-policy-guidelines) as outlined in the Employee Handbook.

## Context

By ensuring passwords are implemented when and where appropriate, sensitive and valuable data is protected from unauthorized access and use. Enforcing GitLab's password complexity requirements further protects that data by reducing the risk of brute force and dictionary attacks that aim to guess user passwords.

## Scope

This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.

## Ownership

* Control Owner: `IT Ops`
* Process owner(s):
    * IT Ops

## Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Password Authentication control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/813).

Examples of evidence an auditor might request to satisfy this control:

* Copy of GitLab's password policy and the Okta/1Password handbook entries
* Samples of service minimum password requirements, especially for Okta, which manages identity for many SaaS services used by GitLab

### Policy Reference

[Password Policy Guidelines](/handbook/security/#gitlab-password-policy-guidelines)

## Framework Mapping

* SOC2 CC
  * CC5.2
  * CC6.1
  * CC6.6
  * CC6.7
* PCI
  * 8.2
  * 8.2.3
  * 8.2.4
  * 8.2.5
  * 8.2.6
  * 8.6