SOX for test instances



  • As part of SOX compliance we are implementing password aging and expiry in our production database. Is it necessary to do this for our test instances, which are a monthly copy of the production and which are used for testing only? We have a number of test userids which are used by multiple developers. Do we need to expire the test userids? This would mean managing the passwords for a number of test userids. Looks like a bit of a hassle which can be avoided.



  • This post is deleted!




  • If the passwords are used in a test environment, on test data, then perhaps group passwords are acceptable. If you are accessing live data, then I would require individual passwords.
    My opinion
    -Dan.



  • I do not totally agree with djinks.
    Say you did some development work on your financial applications. You need to test the new module before it is passed through to the production system. But you also want to know who tested it technically and signed for it.
    The last instance would be the User Acceptance Test. But that wouldn’t detect any malicious code, like backdoors.
    Therefore you need to have separate userids also in the testing environment.



  • Yes, I see your point.

