Cyber & IT Supervisory Forum - November 2023

Internal Use Only

Example Risk Acceptance/Mitigation Plans

Risk Mitigation Strategy/ Additional Controls needed

Comments/Results

Status

1. Update Network users to minimum password length of 12 a. Update Network Password parameters b. Send out communication to all network users that on next password change, the minimum length will now be 12 characters Etc. Responsible Individual(s): We will identify any remaining application systems that contain sensitive data and determine the feasibility of adding this process to those applications. Etc. Responsible Individual(s):

We recommend increasing password minimum length on the Active Directory network and Spectrum core application to 10 ‐ 12 characters for general user accounts, and at least 15 characters for privileged accounts such as administrators.

Verified

This process is followed for most application systems, but not all. Implement for any remaining application systems that contain access to sensitive data.

Open

17

17

Internal Use Only

Key Overall Risk Assessment Concepts

Unwritten vs. internally developed vs. purchased

How often are updates made to the assessment?

18

18