No mandatory rotation without compromise
Description
What this control does
This control prohibits the mandatory, time-based rotation of credentials (passwords, API keys, certificates, secrets) unless evidence of compromise exists. Forced periodic rotation without cause increases operational risk by encouraging weaker credential selection, insecure storage practices, and reduced change control discipline. Modern cryptographic best practices favor long, randomly generated credentials protected by detection mechanisms over arbitrary rotation schedules that create friction without commensurate security benefit.
Control objective
What auditing this proves
Demonstrate that credential lifecycle policies do not mandate time-based rotation absent indicators of compromise, and that credential strength and monitoring compensate for extended validity periods.
Associated risks
Risks this control addresses
- Users select weaker, predictable credentials when forced to rotate frequently, reducing entropy and facilitating brute-force attacks
- Frequent rotation incentivizes insecure storage practices such as plaintext documentation, sticky notes, or shared spreadsheets to manage change fatigue
- Automated service credentials rotated without proper orchestration cause unplanned application outages and service disruptions
- Change fatigue from mandatory rotation reduces scrutiny of actual compromise indicators, masking legitimate credential theft in routine activity
- Stale or orphaned credentials accumulate when rotation processes lack decommissioning workflows, expanding attack surface
- Emergency rotation procedures atrophy when routine rotation dominates operational focus, delaying response to actual breaches
- Compliance theater replaces substantive controls when organizations prioritize rotation schedules over credential strength and detection capabilities
Testing procedure
How an auditor verifies this control
- Obtain all formal credential management policies, identity governance standards, and password policy configuration documents applicable to workforce accounts, service accounts, and API keys.
- Review each policy document to identify any clauses requiring mandatory rotation based solely on elapsed time intervals (e.g., '90-day password expiration', 'quarterly API key rotation').
- Extract configuration exports from identity providers, directory services, and privileged access management platforms to verify enforcement settings for password expiration, credential lifetime, and forced-change intervals.
- Select a representative sample of 15-20 credentials spanning user passwords, service account keys, API tokens, and certificates with validity periods exceeding 90 days.
- For each sampled long-lived credential, verify compensating controls: minimum entropy requirements (length, complexity), multi-factor authentication enrollment, anomaly detection logging, and breach monitoring integration.
- Interview identity and access management personnel to confirm that credential rotation procedures exist specifically for compromise response scenarios, including playbooks, communication templates, and emergency contact lists.
- Review incident response logs and change management tickets from the past 12 months to verify that actual rotation events correlate with security events (compromises, departures, role changes) rather than calendar triggers.
- Validate that detection mechanisms (SIEM rules, identity threat detection, failed authentication alerting) actively monitor credential usage patterns to identify anomalies that would trigger investigation-driven rotation.
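The following Python sketch is an added example, not part of this control text: it applies steps 3, 4 and 6 of the procedure to constructed sample data (a policy export, a credential inventory and a rotation ticket log are all made up here), flagging time-based expiry clauses, listing compensating controls absent on credentials valid longer than 90 days, and picking out rotations that no security event explains. The 16-character entropy floor and 7-day correlation window are assumptions, not values from this page.

```python
from datetime import date, timedelta

# Constructed sample data standing in for an identity-provider policy export,
# a credential inventory and a rotation ticket log; nothing here is real.
POLICY_EXPORT = {
    "password_policy": {"max_age_days": 90, "min_length": 14},
    "api_key_policy": {"max_age_days": 0, "min_length": 32},  # 0 = never expires
}
CREDENTIALS = [
    {"id": "svc-billing-key", "kind": "service", "validity_days": 365, "length": 40,
     "mfa": False, "anomaly_logging": True, "breach_monitoring": True},
    {"id": "alice-password", "kind": "user", "validity_days": 400, "length": 10,
     "mfa": True, "anomaly_logging": False, "breach_monitoring": True},
]
ROTATIONS = [  # (credential id, rotation date, ticket reason)
    ("svc-billing-key", date(2024, 3, 2), "suspected leak in CI logs"),
    ("alice-password", date(2024, 4, 1), "scheduled quarterly rotation"),
]
SECURITY_EVENTS = [("svc-billing-key", date(2024, 3, 1))]  # (credential id, date)

def time_based_clauses(policy: dict) -> list[str]:
    """Policy sections that force rotation purely because time has elapsed."""
    return [name for name, cfg in policy.items() if cfg.get("max_age_days", 0) > 0]

def missing_compensating_controls(cred: dict, long_lived_days: int = 90,
                                  min_length: int = 16) -> list[str]:
    """For a credential valid longer than the threshold, name the absent controls."""
    if cred["validity_days"] <= long_lived_days:
        return []  # not long-lived, so no compensating controls are demanded
    missing = []
    if cred["length"] < min_length:  # assumed entropy floor, not a page value
        missing.append("entropy")
    if cred["kind"] == "user" and not cred["mfa"]:  # service keys cannot enrol in MFA
        missing.append("mfa")
    for control in ("anomaly_logging", "breach_monitoring"):
        if not cred[control]:
            missing.append(control)
    return missing

def uncorrelated_rotations(rotations, events, window_days: int = 7) -> list[str]:
    """Rotations with no security event for that credential shortly before them."""
    window = timedelta(days=window_days)
    return [cred_id for cred_id, when, _ in rotations
            if not any(e_id == cred_id and when - window <= e_when <= when
                       for e_id, e_when in events)]

if __name__ == "__main__":
    print("time-based clauses:", time_based_clauses(POLICY_EXPORT))
    for c in CREDENTIALS:
        print(c["id"], "missing:", missing_compensating_controls(c))
    print("calendar-driven rotations:", uncorrelated_rotations(ROTATIONS, SECURITY_EVENTS))
```

Each flagged item maps back to a procedure step: a time-based clause is a finding against the policy, a missing control is a finding against a sampled credential, and an uncorrelated rotation is a ticket to pull for review.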
Where this control is tested