[Code of Federal Regulations]
[Title 27, Volume 2]
[Revised as of April 1, 2007]
From the U.S. Government Printing Office via GPO Access
[CITE: 27CFR73.12]

[Page 385]
 
            TITLE 27--ALCOHOL, TOBACCO PRODUCTS AND FIREARMS
 
 CHAPTER I--ALCOHOL AND TOBACCO TAX AND TRADE BUREAU, DEPARTMENT OF THE 
                                TREASURY
 
PART 73_ELECTRONIC SIGNATURES; ELECTRONIC SUBMISSION OF FORMS
 
                     Subpart B_Electronic Signatures
 
Sec.  73.12  What security controls must I use for identification codes and 
passwords?

    If you use electronic signatures based upon use of identification 
codes in combination with passwords, you must employ controls to ensure 
their security and integrity. These controls must include:
    (a) Maintaining the uniqueness of each combined identification code 
and password, such that no two individuals have the same combination of 
identification code and password;
    (b) Ensuring that identification code and password issuances are 
periodically checked, recalled, or revised (e.g., to cover such events 
as password aging);
    (c) Following loss management procedures to electronically 
deauthorize lost, stolen, missing, or otherwise potentially compromised 
tokens, cards, or other devices that bear or generate identification 
code or password information, and to issue temporary or permanent 
replacements using suitable, rigorous controls;
    (d) Using transaction safeguards to prevent unauthorized use of 
passwords and/or identification codes, and to detect and report in an 
immediate and urgent manner any attempts at their unauthorized use to 
the system security unit and, as appropriate, to organizational 
management; and
    (e) Initial and periodic testing of devices, such as tokens or 
cards, that bear or generate identification code or password information 
to ensure that they function properly and have not been altered in any 
unauthorized manner.