IA-4 - Identifier Management
Control requirements
IA-4 (a)
Manage system identifiers by: Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier.
IA-4 (b)
Manage system identifiers by: Selecting an identifier that identifies an individual, group, role, service, or device.
IA-4 (c)
Manage system identifiers by: Assigning the identifier to the intended individual, group, role, service, or device.
IA-4 (d)
Manage system identifiers by: Preventing reuse of identifiers for [IBM Assignment: at least two (2) years].
Additional IBM Cloud for Financial Services specifications
The organization must disable the identifier after 90 days of inactivity.
The organization must follow customer requirements when establishing customer identifiers including:
- aligning with customer email address or unique number corresponding to a user
- prohibiting the use of Social Security Numbers (SSN) or customer-specific identifiers in the organization's internal environment
NIST supplemental guidance
Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.