Industry-Specific Compliance Requirements
Industry-Specific Compliance Requirements
Different industries impose specific password security requirements beyond general frameworks. Healthcare organizations must comply with HIPAA Security Rule, financial institutions follow PCI DSS requirements, and government contractors implement FISMA controls. While these standards share common themes, each has unique requirements that impact password system design.
PCI DSS requires especially stringent password controls for systems handling payment card data. Requirements include minimum 7-character passwords with complexity, 90-day rotation for administrative accounts, account lockout after 6 attempts, and unique passwords for each user. While some requirements conflict with modern NIST guidance, organizations must implement them for compliance while finding ways to maintain usability.
from enum import Enum
from datetime import datetime, timedelta
import re
class ComplianceFramework(Enum):
PCI_DSS = "pci_dss"
HIPAA = "hipaa"
SOX = "sox"
ISO_27001 = "iso_27001"
SOC2 = "soc2"
class MultiFrameworkCompliance:
"""Handle multiple compliance framework requirements"""
def __init__(self, frameworks: List[ComplianceFramework]):
self.frameworks = frameworks
self.requirements = self._load_requirements()
def _load_requirements(self) -> Dict:
"""Load requirements for each framework"""
return {
ComplianceFramework.PCI_DSS: {
'min_length': 7,
'complexity_required': True,
'rotation_days': 90,
'lockout_attempts': 6,
'lockout_duration': 30, # minutes
'history_count': 4, # can't reuse last 4 passwords
'two_factor': True, # for admin access
'encryption': 'industry_standard',
'logging': 'comprehensive'
},
ComplianceFramework.HIPAA: {
'min_length': 8,
'complexity_required': True,
'rotation_days': 180, # Recommended, not required
'lockout_attempts': 5,
'lockout_duration': 30,
'history_count': 6,
'two_factor': False, # Recommended for ePHI
'encryption': 'required',
'logging': 'audit_trail',
'unique_user_id': True,
'automatic_logoff': 30 # minutes
},
ComplianceFramework.SOX: {
'min_length': 8,
'complexity_required': True,
'rotation_days': 90,
'lockout_attempts': 3,
'lockout_duration': 60,
'history_count': 12,
'two_factor': True, # For financial systems
'encryption': 'required',
'logging': 'comprehensive',
'segregation_of_duties': True,
'privileged_access_management': True
},
ComplianceFramework.ISO_27001: {
'min_length': 8,
'complexity_required': True,
'rotation_days': None, # Risk-based
'lockout_attempts': 5,
'lockout_duration': 30,
'history_count': 5,
'two_factor': False, # Risk-based
'encryption': 'appropriate',
'logging': 'security_events',
'risk_assessment': True,
'access_review': 'annual'
}
}
def get_strictest_requirements(self) -> Dict:
"""Combine requirements taking strictest from each framework"""
combined = {
'min_length': 8,
'complexity_required': False,
'rotation_days': None,
'lockout_attempts': float('inf'),
'lockout_duration': 0,
'history_count': 0,
'two_factor': False,
'checks': []
}
for framework in self.frameworks:
reqs = self.requirements[framework]
# Take strictest values
combined['min_length'] = max(combined['min_length'],
reqs['min_length'])
combined['complexity_required'] = (combined['complexity_required'] or
reqs['complexity_required'])
if reqs.get('rotation_days'):
if combined['rotation_days']:
combined['rotation_days'] = min(combined['rotation_days'],
reqs['rotation_days'])
else:
combined['rotation_days'] = reqs['rotation_days']
combined['lockout_attempts'] = min(combined['lockout_attempts'],
reqs['lockout_attempts'])
combined['lockout_duration'] = max(combined['lockout_duration'],
reqs['lockout_duration'])
combined['history_count'] = max(combined['history_count'],
reqs.get('history_count', 0))
combined['two_factor'] = combined['two_factor'] or reqs['two_factor']
# Track which framework requires what
combined['checks'].append({
'framework': framework.value,
'requirements': reqs
})
return combined
def validate_password(self, password: str,
username: str = None) -> Tuple[bool, Dict]:
"""Validate password against all framework requirements"""
requirements = self.get_strictest_requirements()
issues = []
compliance_status = {}
# Check each framework
for framework in self.frameworks:
framework_issues = []
reqs = self.requirements[framework]
# Length check
if len(password) < reqs['min_length']:
framework_issues.append(
f"Minimum {reqs['min_length']} characters required"
)
# Complexity check
if reqs['complexity_required']:
if not self._check_complexity(password, framework):
framework_issues.append(
"Must contain uppercase, lowercase, number, and symbol"
)
compliance_status[framework.value] = {
'compliant': len(framework_issues) == 0,
'issues': framework_issues
}
issues.extend(framework_issues)
return len(issues) == 0, {
'overall_compliant': len(issues) == 0,
'issues': list(set(issues)),
'framework_status': compliance_status,
'applied_requirements': requirements
}
def _check_complexity(self, password: str,
framework: ComplianceFramework) -> bool:
"""Check password complexity for specific framework"""
if framework == ComplianceFramework.PCI_DSS:
# PCI DSS: Must contain both letters and numbers
has_letter = bool(re.search(r'[a-zA-Z]', password))
has_number = bool(re.search(r'\d', password))
return has_letter and has_number
else:
# Most frameworks: upper, lower, number, special
has_upper = bool(re.search(r'[A-Z]', password))
has_lower = bool(re.search(r'[a-z]', password))
has_number = bool(re.search(r'\d', password))
has_special = bool(re.search(r'[!@#$%^&*(),.?":{}|<>]', password))
# Usually require 3 out of 4
return sum([has_upper, has_lower, has_number, has_special]) >= 3
def generate_compliance_report(self) -> str:
"""Generate compliance requirements report"""
report = "Password Compliance Requirements Summary\n"
report += "=" * 50 + "\n\n"
requirements = self.get_strictest_requirements()
report += f"Minimum Length: {requirements['min_length']} characters\n"
report += f"Complexity Required: {'Yes' if requirements['complexity_required'] else 'No'}\n"
if requirements['rotation_days']:
report += f"Password Rotation: Every {requirements['rotation_days']} days\n"
report += f"Account Lockout: After {requirements['lockout_attempts']} attempts\n"
report += f"Lockout Duration: {requirements['lockout_duration']} minutes\n"
report += f"Password History: Cannot reuse last {requirements['history_count']}\n"
report += f"Two-Factor Required: {'Yes' if requirements['two_factor'] else 'No'}\n"
report += "\nFramework-Specific Requirements:\n"
for framework in self.frameworks:
report += f"\n{framework.value.upper()}:\n"
reqs = self.requirements[framework]
for key, value in reqs.items():
report += f" - {key}: {value}\n"
return report