L2 Standard | Manual verification

5.4 Credential Rotation

5. Credential Protection: How do we protect secrets?

Description

Credentials MUST be rotated on a defined schedule (90 days maximum).

Rationale

Rotating credentials on a fixed schedule bounds how long a stolen credential remains usable, limiting the window of opportunity for an attacker who has obtained it.

Audit Procedure

1. Document all credentials and their creation (or last rotation) dates
2. Check for rotation policy
3. Verify rotation automation

Remediation

1. Implement automated credential rotation
2. Set maximum credential lifetime
3. Implement rotation alerts
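The audit steps above (inventory credentials with their dates, then check them against the policy) and the remediation steps (enforce a maximum lifetime, alert before it is reached) can be exercised with a small compliance check. The following is an added example and not part of the control text or any project's tooling: it takes an already-collected inventory in a constructed `name,owner,YYYY-MM-DD` form, classifies each credential as ok, due-soon or overdue against the 90-day maximum, and produces the alert messages a rotation-alerting channel would receive. The inventory format, the field names, the 14-day warning lead time and the sample rows are all assumptions made for the example; collecting the inventory from real secret stores is step 1 of the audit and is outside this snippet.

```python
"""Audit a credential inventory against a 90-day maximum lifetime and emit
rotation alerts. Added example; the inventory format and sample rows are
constructed for illustration and are not from the control text."""
from dataclasses import dataclass
from datetime import date

MAX_LIFETIME_DAYS = 90   # maximum lifetime required by the control
WARN_BEFORE_DAYS = 14    # assumed alert lead time before the deadline


@dataclass(frozen=True)
class Credential:
    name: str
    owner: str
    rotated_on: date     # creation date, or last rotation date if rotated since


@dataclass(frozen=True)
class Finding:
    name: str
    owner: str
    age_days: int
    status: str          # "ok", "due-soon" or "overdue"


def parse_inventory(rows):
    """Parse 'name,owner,YYYY-MM-DD' rows into Credential records.

    Blank lines and '#' comments are skipped. A malformed row raises
    ValueError so that a bad inventory fails the audit loudly rather than
    silently passing a credential it could not evaluate."""
    creds = []
    for line in rows:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, owner, rotated = (part.strip() for part in line.split(","))
        creds.append(Credential(name, owner, date.fromisoformat(rotated)))
    return creds


def classify(cred, today, max_days=MAX_LIFETIME_DAYS, warn_days=WARN_BEFORE_DAYS):
    """Age the credential as of 'today'. Exceeding max_days is a policy
    violation ("overdue"); being within warn_days of it is "due-soon"."""
    age = (today - cred.rotated_on).days
    if age > max_days:
        status = "overdue"
    elif age > max_days - warn_days:
        status = "due-soon"
    else:
        status = "ok"
    return Finding(cred.name, cred.owner, age, status)


def audit(rows, today):
    """Classify every credential in the inventory as of the audit date."""
    return [classify(c, today) for c in parse_inventory(rows)]


def rotation_alerts(findings):
    """One alert line per credential that is not 'ok', for the alerting channel."""
    return [
        f"{f.status.upper()}: {f.name} (owner {f.owner}) is {f.age_days} days old"
        for f in findings
        if f.status != "ok"
    ]


# Constructed sample inventory and audit date (not real credentials).
SAMPLE_INVENTORY = [
    "# name,owner,created-or-rotated",
    "db-app-password,payments-team,2024-01-05",   # 101 days old on the audit date
    "ci-deploy-token,platform-team,2024-01-25",   # 81 days old: inside the warning window
    "backup-api-key,sre,2024-03-20",              # 26 days old
]
AUDIT_DATE = date(2024, 4, 15)


def audit_sample():
    """Run the audit over the constructed sample as of the constructed audit date."""
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


def sample_boundary_statuses():
    """Boundary check: 90 days is still within the maximum, 91 is a violation."""
    at_limit = classify(Credential("svc-a", "team", date(2024, 1, 16)), AUDIT_DATE)
    past_limit = classify(Credential("svc-b", "team", date(2024, 1, 15)), AUDIT_DATE)
    return at_limit.status, past_limit.status


if __name__ == "__main__":
    for alert in rotation_alerts(audit_sample()):
        print(alert)
```

Running the module prints one OVERDUE and one DUE-SOON line for the sample; wiring `rotation_alerts` to a ticketing or paging integration gives the rotation alerts the remediation calls for, and scheduling the audit daily makes the maximum-lifetime check continuous rather than a point-in-time review.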

Framework Mappings

CIS Control 5.2
NIST PR.AC-1