The Sarbanes Oxley Act :: View topic - IT - Password Control - Deficiencies
Posted: Wed Aug 15, 2007 6:29 am Post subject: Waivers
I've read the threads for password resets but I would like to know what the Sarbox states regarding specific admin accounts (Oracle DBA SYS and SYSTEM accounts) and if there are any waivers (derogations) to this. Is it possible for a company to not activate the logon and logoff audits in Oracle and therefore waive this also? If so, I must assume that a company has justifying evidence regarding this decision where, if something does happen, this document would be proof against them as having waived their right to defend in court (worst case scenario).
Joined: Nov 25, 2004 Posts: 790 Location: London, UK
Posted: Wed Aug 15, 2007 8:51 am Post subject: Re: Waivers
I would like to know what the Sarbox states regarding specific admin accounts (Oracle DBA SYS and SYSTEM accounts) and if there are any waivers (derogations) to this.
Sarbox states absolutely nothing about this.
One needs to apply judgement within a methodology that supports your system of internal control. _________________ "The art of life is to deal with problems as they arise, rather than destroy one's spirit by worrying about them too far in advance" - Cicero
Joined: Jan 12, 2006 Posts: 849 Location: Roanoke, Virginia
Posted: Thu Aug 16, 2007 12:31 pm Post subject:
Hi - I agree with Denis, as SOX doesn't cover specifics like password settings at a granular level. SOX 404 requires management to ascertain their IT financial systems, security, and related workflows using a risk management approach, that is complemented using controls testing.
However, many external auditors use COBIT 4 standards to gauge SOX 404 compliancy and this document is available as a free download.
Joined: May 26, 2008 Posts: 187 Location: Switzerland
Posted: Thu May 28, 2009 5:57 am Post subject: Minimum password length and password cracking
The time it takes to crack a password depends on many factors:
1) is a human manually typing in the passwords or is a program automatically doing it
2) are the passwords typed into the application input window that the password protects, or do you have access to the encrypted file that stores the users' passwords and know the encryption or hash algorithm
3) the automatically enforced password rules for minimum length and required diversity of passwords (lower case, upper case, numbers, special characters)
4) the fact that users tend to use passwords that they can easily remember so that cracking programs can use dictionaries and reduce the number of combinations that are actually used in practice.
5) after how many unsuccessful password attempts in a given time period a user account is blocked for further attempts
If a cracking program needs to simulate keystrokes being typed in an application and if the system limits the speed of processing such keystrokes (which can be much slower than the raw processing power of the CPU) then your cracking time will increase.
Point number five is actually the most important one if the cracker does not have access to the encrypted password file. If the number of login attempts until blocking is three and if the investigative process to unblock user accounts involves contacting the user and verifying that it was him that made the unsuccessful attempts, then cracking has almost no chance unless passwords are extremely weak.
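The five factors above can be turned into a rough risk estimate for a password policy. The script below is an added example, not code from the forum or any poster: it compares expected guessing time for the three attacker positions the post distinguishes (offline against a stolen hash file, online through a keystroke-limited login window, and online with a lockout after N failed attempts) for both a uniformly random password and a "memorable" one found in a wordlist. All guess rates, the wordlist size and the lockout policy are constructed assumptions, not measurements.

```python
"""Estimate expected password-guessing time under the attacker positions
described in the post. Rates and policy values are constructed assumptions."""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(length: int, charset_size: int) -> int:
    """Distinct passwords of exactly `length` symbols over `charset_size` symbols (points 3)."""
    return charset_size ** length


def expected_seconds(candidates: int, guesses_per_second: float) -> float:
    """Expected time to hit a password chosen uniformly from `candidates`:
    on average half the candidates must be tried."""
    return candidates / 2 / guesses_per_second


def lockout_guess_rate(attempts_before_lock: int, lock_seconds: float) -> float:
    """Sustained guesses/second against ONE account when it locks for
    `lock_seconds` after `attempts_before_lock` failures and then unlocks (point 5).
    If unlocking needs a help-desk investigation, use the expected time of that
    process as `lock_seconds`; the rate collapses accordingly."""
    return attempts_before_lock / lock_seconds


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def compare(length: int = 8, charset_size: int = 62,
            dictionary_size: int = 10_000_000) -> dict:
    """Expected crack time in years per scenario, for a random password and for a
    memorable one the attacker can find in a wordlist of `dictionary_size` (point 4)."""
    scenarios = {
        # assumed GPU rate against a fast unsalted hash (point 2, hash file stolen)
        "offline, hash file stolen": 1e9,
        # assumed rate when a program must drive the login window (points 1 and 2)
        "online, keystroke-limited": 10.0,
        # assumed policy: 3 failures lock the account for 30 minutes (point 5)
        "online, lockout 3 tries / 30 min": lockout_guess_rate(3, 30 * 60),
    }
    return {
        name: {
            "random": years(expected_seconds(keyspace(length, charset_size), rate)),
            "dictionary": years(expected_seconds(dictionary_size, rate)),
        }
        for name, rate in scenarios.items()
    }


if __name__ == "__main__":
    for name, t in compare().items():
        print(f"{name:34s} random: {t['random']:.3g} y   dictionary: {t['dictionary']:.3g} y")
```

Under these assumptions an 8-character mixed-case alphanumeric password falls in hours offline but takes billions of years online with lockout, while a wordlist password stays vulnerable in every scenario where the hash file is exposed, which is why the post ranks the lockout policy and the protection of the password file above raw length.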
Trademarks referenced on the SOX Act Forum are property of their respective owners. Comments are property of their respective posters. Sarbanes-Oxley Act Implementation Portal: Sarbanes Oxley compliance, information, software, & internal audit committee resources. Sarbox. Site source is copyright nuke (c)2003, and is Free Software under the GNU / GPL licence agreement. All Rights Are Reserved.