Posted: Mon Dec 14, 2009 12:11 pm Post subject: Administrator Password Expiration
Our auditors are trying to ding us for not setting our network administrator user ID password to automatically expire. We do in fact manually change the password every 60 days. It is not set to automatically expire since it may disrupt system functions. I have read other posts online regarding this issue but never really found an answer/explanation. I have also researched "best practices" and have not really found anything either. Any recommendations?
Joined: May 26, 2008 Posts: 187 Location: Switzerland
Posted: Tue Dec 15, 2009 2:02 am Post subject: Automatic expiration of network password
How may the expiration of a network password disrupt system functions? Can you explain this in further detail? Does any application do an automatic login with the administrator-ID and password or do you only do manual logins?
I guess the automatic expiration setting only forces the user to change the password at the first logon attempt that happens after the number of days since the last password change has elapsed, but it does not render the account unusable before this login attempt.
If you manually change the password every 60 days anyhow, what keeps you from having the system enforce this practice?
Joined: Jan 12, 2006 Posts: 821 Location: Roanoke, Virginia
Posted: Fri Dec 18, 2009 10:54 am Post subject:
Hi - Yes, I'm familiar with this issue and particularly the need to change accounts tied to Windows services carefully.
Domain administrators should be able to participate in the password rotation process, as long as their accounts are not tied into Windows services for client/server jobs, etc. It's always been a best practice to use domain admin accounts just for the network techs access and to set up separate Windows accounts for jobs or Windows Services functions.
Rather than massively changing everything, I wonder if the auditors might compromise (oxymoron - lol) on changing just a few accounts to pilot a 60 day rotation process as a proof-of-concept to ensure everything will work well. Every user domain account that ties into a Windows job service could be converted to a new separate account (plus add a little documentation).
I do recall in a former company that user accounts were tied into critical services and it was so difficult to change, that the account had to be left in place.
Finally, the actual Administrator account on PCs and servers should be renamed or disabled in most cases. However, it should not be part of the password rotation cycle, as the password change may be invoked by a service rather than a person (and lockouts could occur).
Below are some links that might help in the research also:
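The replies above describe a procedure without showing how to carry it out: find which domain admin accounts an auditor would flag, find every Windows service and scheduled task that logs on with one of those accounts (the places where an expiry would break something or cause lockouts), and only then put the cleaned-up accounts under the enforced policy. The following is an added PowerShell example written for this page; it is not code from any of the posters. It assumes a domain-joined workstation with the RSAT ActiveDirectory module, CIM/WinRM access to the target servers, Windows 8/2012 or later on those servers (for Get-ScheduledTask), and the hostnames SRV-APP01 and SRV-DB01, which are made up. The 60-day interval and the Domain Admins group come from the thread.

```powershell
# Added example for this thread; not the posters' code.
# Assumptions: RSAT ActiveDirectory module installed, CIM reachable on the servers
# below, and the server names are placeholders to replace with your own.

$MaxPasswordAgeDays = 60
$Servers = @('SRV-APP01', 'SRV-DB01')      # assumed hostnames

# Normalize a logon name (DOMAIN\user or user@domain.tld) to a bare SamAccountName
# so service/task identities can be matched against AD user objects.
function ConvertTo-SamAccountName([string]$LogonName) {
    if ($LogonName -match '^[^\\]+\\(.+)$') { return $Matches[1] }   # DOMAIN\user
    if ($LogonName -match '^([^@]+)@')      { return $Matches[1] }   # user@domain.tld
    return $LogonName                                                # LocalSystem etc.
}

# 1. What the auditors are flagging: enabled Domain Admins whose password never
#    expires, has never been set, or is older than the rotation interval.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet, Enabled

$cutoff  = (Get-Date).AddDays(-$MaxPasswordAgeDays)
$flagged = $domainAdmins | Where-Object {
    $_.Enabled -and (
        $_.PasswordNeverExpires -or
        -not $_.PasswordLastSet -or
        $_.PasswordLastSet -lt $cutoff
    )
}
"Domain admin accounts an auditor would flag:"
$flagged | Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet |
    Format-Table -AutoSize

# 2. Where those accounts are embedded as a service or scheduled-task identity.
#    A running service keeps its existing logon token until it restarts; after an
#    expiry or rotation the next start fails, and repeated failures can trip the
#    lockout policy on the shared admin account.
$adminNames   = @($domainAdmins.SamAccountName)
$dependencies = foreach ($server in $Servers) {
    $session = New-CimSession -ComputerName $server
    try {
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
            Where-Object { $_.StartName } |
            ForEach-Object {
                [pscustomobject]@{
                    Server  = $server
                    Kind    = 'Service'
                    Name    = $_.Name
                    Account = ConvertTo-SamAccountName $_.StartName
                }
            }
        Get-ScheduledTask -CimSession $session |
            Where-Object { $_.Principal.UserId } |
            ForEach-Object {
                [pscustomobject]@{
                    Server  = $server
                    Kind    = 'ScheduledTask'
                    Name    = $_.TaskName
                    Account = ConvertTo-SamAccountName $_.Principal.UserId
                }
            }
    }
    finally { Remove-CimSession $session }
}

$embedded = $dependencies | Where-Object { $adminNames -contains $_.Account }
"Services and tasks that log on as a domain admin (move to dedicated service accounts first):"
$embedded | Format-Table -AutoSize

# 3. Only accounts with no remaining service/task dependency are safe to put under
#    the enforced expiry. -WhatIf previews the change; drop it to apply.
$flagged |
    Where-Object { $embedded.Account -notcontains $_.SamAccountName } |
    ForEach-Object { Set-ADUser -Identity $_ -PasswordNeverExpires $false -WhatIf }
```

Run it from an elevated session as an account that can read Win32_Service and the task scheduler on each server. The third step is deliberately conservative: an account that still appears in the dependency list is left alone, which mirrors the advice in the thread to move service logons to separate accounts before pulling those admin accounts into the rotation rather than expiring them and discovering the breakage afterwards.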
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters. Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox. Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.