Password policy - question 1595



  • At present my company does not have a policy that forces the users to change their passwords nor is the domain admin policy ever changed. We were able to pass this by the auditors since we do have a lockout policy after 3 failed attempts as well as a good IDS in place.
    However, I also just found out that while we do have a strong password policy in place for 'new' users (accounts that have been created after 2004), the 'old' users are 'grandfathered' in, keeping their old passwords that can be pretty much anything from their name to the word password. I was pretty shocked that this was not red-flagged by the auditors, but it would seem to me this is not even a subjective issue. It would appear to me a pretty serious deficiency.
    Can anyone cite SPECIFIC laws or portions of the Sarbanes Oxley act that would back up this stance?
    Thanks for any thoughts.



  • Hi and welcome 🙂 … While the SOX 404 standards are generically written, they place the responsibility on companies to ensure that best practices are in place when it comes to IT security and controls. It's a process that's measured and 'signed off by' internal and external audit measurements annually.
    In particular, the COBIT 4.0 framework is preferred by most audit firms as a guideline for companies to adhere to in meeting SOX IT compliancy. I’d recommend thoroughly reviewing this as a starting point. You can search on Passwords and other security related items in the link below:
    COBIT Home Page – please add ‘www’
    isaca.org/Template.cfm?Section=COBIT6
    On the password issues, I'd recommend changing this in the coming months (even if it's not specifically required for SOX compliancy). Unfortunately, passwords can sometimes be the only safeguard for keeping the 'bad guys' or other unauthorized users out of your systems. IDS and password lockout rules can help, but I wouldn't want to rely on this alone as 'password' might be the 1st thing tried as it's most commonly used 😉
    Some other suggestions:

    1. Set up an annual program to change all ADMIN passwords and change relevant ADMIN passwords, if an ADMIN leaves the company
    2. Run security measurement software (e.g., STAT, MBSA 2.0, RealSecure, KSA, etc.), to assess password strength and identify all weak accounts.
    3. Work with users on weak accounts and through security awareness, have them change it to stronger controls
    4. Establish a password rotational program (90 or 120 days is better than nothing)
    5. With GPO, roll out enhanced account protection mechanisms to client PCs (after good pilot testing). The Microsoft TechNet site offers some good guidelines.
    6. For highly sensitive applications, look at two-factor security controls (e.g., SecurID, smart cards, etc.).
    7. Make sure the password reset process used by the Help Desk employs PIN# and other safeguards for remote workers.
      Good luck 🙂
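
An added example, not part of the reply above and not taken from any tool it names: one way to list the 'grandfathered' accounts from the question is to check password metadata in a directory export. It assumes a CSV export keyed by the Active Directory attributes `sAMAccountName`, `userAccountControl` and `pwdLastSet`; the policy start date, the 90-day window, the pinned evaluation date and all sample accounts are constructed for illustration.

```python
import csv, io
from datetime import datetime, timedelta, timezone

# Assumptions (not from the thread): complexity policy enforced from 2005-01-01,
# a 90-day rotation target, and "now" pinned so the result is reproducible.
POLICY_START = datetime(2005, 1, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)

# userAccountControl flag bits as documented by Microsoft.
UAC_DISABLED, UAC_PASSWD_NOTREQD, UAC_DONT_EXPIRE = 0x0002, 0x0020, 0x10000
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(value):
    """pwdLastSet counts 100 ns ticks since 1601-01-01 UTC; 0 means 'change at next logon'."""
    ticks = int(value)
    return None if ticks == 0 else EPOCH_1601 + timedelta(microseconds=ticks // 10)

def audit(export_csv):
    """Return {account: [findings]} for enabled accounts in the export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        uac = int(row["userAccountControl"])
        if uac & UAC_DISABLED:
            continue  # disabled accounts cannot log on; report them separately
        issues = []
        last_set = filetime_to_dt(row["pwdLastSet"])
        if last_set is not None:
            if last_set < POLICY_START:
                issues.append("password predates complexity policy")
            if NOW - last_set > MAX_AGE:
                issues.append("password older than rotation window")
        if uac & UAC_DONT_EXPIRE:
            issues.append("password never expires")
        if uac & UAC_PASSWD_NOTREQD:
            issues.append("password not required")
        if issues:
            findings[row["sAMAccountName"]] = issues
    return findings

# Constructed sample export; account names and values are invented.
SAMPLE = """sAMAccountName,userAccountControl,pwdLastSet
jsmith,512,127000000000000000
svc_backup,66048,127500000000000000
newhire,512,128550000000000000
olduser,514,126000000000000000
"""

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, "->", "; ".join(issues))
```

A password set before the policy date has never been checked against the current complexity rules, which is what this report surfaces; it does not measure the strength of any individual password.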


  • Password management is one of the basic steps for a good security environment. So, change them and start a security awareness program for your users.
    Regarding whether it's a deficiency: maybe the auditors focused on the systems that are SOX critical; I mean, if your applications are in Unix and good passwords are defined, it would not be a great issue if your Windows password policy is not as good.



  • This looks like a deficiency to me.
    Be aware that IT related deficiencies such as this are one of the leading reported SOX deficiencies.



  • Hi,
    The Journal of Accountancy published an article, 'Section 404 Compliance in the Annual Report', in October 2004. The article addresses in detail the considerations for assessing control deficiencies and reporting requirements.
    If the control deficiency in connection with security administration and password management is serious and constitutes a weakness that can be characterized as a material weakness, the control deficiency will likely require disclosure reporting.
    Additionally, you might consider performing a search online to identify previously reported control deficiencies by other companies. It is likely that this control deficiency was considered to be significant and previously disclosed.
    As always, auditor judgment is necessary and you should consider the compensating controls, overall IT control environment, and other factors in your decision.
    Hope this further helps,
    Milan

