Database Security for Applications 221



  • I am under the impression that SOX mandates the changing of passwords to databases on a scheduled/periodic basis. This is fine for users since they can be prompted to change their passwords. My question is what are the rules for [batch] applications. To change every program every X days seems to be a maintenance and change management nightmare.
    Any comments?





  • SOX certainly does not require this. Good IT controls might. Think about what the control is designed to prevent from happening or ensure happens (limit access to authorized users). If access to the batch applications is controlled through LAN access that requires password changes, then you should have adequate coverage without requiring changes to the batch application passwords. If access to the batch applications is not through a controlled front end, then you may have some security risk that would require a mitigating control.



  • It is wise to have your batch passwords changed periodically and we are certainly implementing it at our organisation. This of course can cause major issues for legacy apps that have no real easy password change capability within the application itself.
    As time goes by batch passwords tend to become known by parties who really don't need to know them. This provides a potential entry point to a system.
    Tie down the abilities of the batch ID and change the password on a regular basis. Also create auditing reports that monitor the use of the batch ID. Your audit report should be able to pick out those logins that were not done as part of the standard batch runs.
    Hope this helps.
    😄
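The audit report suggested in the post above, as an added example that is not part of the thread: it reads a constructed database login audit log and flags logins by a batch ID that come from a host other than the batch server or fall outside the scheduled batch window. The log format, the account name `BATCH_PAYROLL`, the host names and the 01:00 to 04:00 window are assumptions for illustration.

```python
from datetime import datetime, time

# Constructed sample audit log (not from the original post): timestamp, account, client host, result.
# The whitespace-separated format is an assumption; adapt parse_line() to your database's audit log.
SAMPLE_AUDIT_LOG = """\
2024-03-04T02:01:12 BATCH_PAYROLL batchsrv01 SUCCESS
2024-03-04T02:45:03 BATCH_PAYROLL batchsrv01 SUCCESS
2024-03-04T14:22:51 BATCH_PAYROLL wkstn-jsmith SUCCESS
2024-03-05T02:00:58 BATCH_PAYROLL batchsrv01 SUCCESS
2024-03-05T23:10:07 BATCH_PAYROLL batchsrv02 FAILURE
2024-03-05T10:15:00 APP_USER1 wkstn-jsmith SUCCESS
"""

# Expected profile of each batch ID: permitted client hosts and the scheduled run window (assumed values).
BATCH_PROFILE = {
    "BATCH_PAYROLL": {"hosts": {"batchsrv01"}, "window": (time(1, 0), time(4, 0))},
}

def parse_line(line):
    ts, account, host, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account, "host": host, "result": result}

def in_window(ts, window):
    start, end = window
    return start <= ts.time() <= end

def flag_anomalous_batch_logins(log_text, profile=BATCH_PROFILE):
    """Return login records for batch IDs that do not match their expected host or time window.
    These are the logins the post says the report should pick out: the batch password being used
    interactively or from somewhere the standard batch run never originates."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        expected = profile.get(rec["account"])
        if expected is None:
            continue  # not a batch ID; out of scope for this report
        reasons = []
        if rec["host"] not in expected["hosts"]:
            reasons.append("unexpected host")
        if not in_window(rec["ts"], expected["window"]):
            reasons.append("outside batch window")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_anomalous_batch_logins(SAMPLE_AUDIT_LOG):
        print(f["ts"], f["account"], f["host"], f["result"], "; ".join(f["reasons"]))
```

Failed logins are reported alongside successful ones, since a failure from an unexpected host after a password rotation is exactly the kind of event that shows the old password had spread beyond the batch job.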

