PN-4407 (to be published as TIA/EIA TSB-110)
A password shall be used as a means of authenticating RG access. The following requirements may apply:
A valid password should be an alphanumeric character string of 5-10 characters.
Passwords should be stored in encrypted form using standard encryption algorithms.
Password management should enable password aging and stipulate the time period of
5.4.2 Access Control
A means shall be provided to prevent unauthorized access to RG functions. The RG’s owner shall have the ability to enable or disable security functions under the owner's control. Service providers shall have the ability to enable or disable security functions pertaining to their services.
Inactivity Time-out Function
While performing security-protected functions, a means shall be provided to log off any user identifier after a predetermined period of inactivity. The ability to establish the time-out period and enable or disable its function shall be provided. This time interval may vary depending on the type of function being performed (e.g., monitoring).
The interfaces between the service provider's Network Interface Devices (see Nat'l Electrical Code) and the RG equipment should be governed by an appropriate interface agreement. While no security risks are involved in the absence of such an agreement, an inadequate or incomplete agreement may affect the overall service reliability. For example, administrative responsibilities may be left ambiguous, or hand-offs between the RG administrator and the NID administrator may be ill-defined, leading to the possibility of service failures. In such a situation the interface agreement becomes necessary, and its existence should be ensured at whatever cost. Along these lines a responsibility boundary should be defined between all users of the RG and the service providers. These are subjects for future study by TR41.5.
User System Access Security
The OS shall provide a means of accurate record keeping and non-repudiation (e.g., to counter a claim of “I did not do it”). At a minimum these records shall include:
A record of all successful attempts by user identifiers and all disabled user identifiers. This record includes the date, the time, the user identifier and the activity.
A record of deleted and/or deactivated user identifiers. This record includes the date, the time and the user identifier.
A record of user identifiers that have been inactive for 30 days.
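The three record types listed above, sketched as an added example that is not part of the TSB text. The class names, the record-kind labels and the use of a creation time as the baseline for a never-used identifier are assumptions; the sample events are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INACTIVE_AFTER = timedelta(days=30)  # period named in the requirement

@dataclass(frozen=True)
class AuditRecord:
    when: datetime       # carries both the date and the time
    user_id: str
    kind: str            # "access", "deleted" or "deactivated" (assumed labels)
    activity: str = ""   # filled in for access records only

@dataclass
class AuditLog:
    records: list = field(default_factory=list)
    removed: set = field(default_factory=set)

    def record_access(self, when, user_id, activity):
        """Successful attempt: date, time, user identifier and activity."""
        self.records.append(AuditRecord(when, user_id, "access", activity))

    def record_removal(self, when, user_id, deleted=False):
        """Deleted or deactivated identifier: date, time, user identifier."""
        self.removed.add(user_id)
        kind = "deleted" if deleted else "deactivated"
        self.records.append(AuditRecord(when, user_id, kind))

    def inactive_ids(self, created, now):
        """Enabled identifiers idle 30 days or more; `created` (user_id ->
        creation time) is the baseline for an identifier never used."""
        last = dict(created)
        for r in self.records:
            if r.kind == "access" and r.user_id in last:
                last[r.user_id] = max(last[r.user_id], r.when)
        return sorted(u for u, t in last.items()
                      if u not in self.removed and now - t >= INACTIVE_AFTER)

def demo():
    """Constructed sample events for a gateway with five identifiers."""
    now = datetime(2000, 3, 1, 12, 0)
    created = {u: datetime(2000, 1, 1) for u in ("owner", "guest", "svc", "old")}
    created["new"] = datetime(2000, 2, 20)       # never used, but recent
    log = AuditLog()
    log.record_access(datetime(2000, 2, 25, 9, 30), "owner", "changed time-out")
    log.record_access(datetime(2000, 1, 15, 18, 0), "guest", "viewed status")
    log.record_removal(datetime(2000, 1, 20, 8, 0), "old")
    return log, log.inactive_ids(created, now)
```

Deactivated identifiers are left out of the inactivity report because they already have their own record type.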