Password History - Has anyone taken/issued a deficiency? 939

  • Has anyone taken or given a deficiency if an application cannot retain password history?
    Peoplesoft HR version 8.8 does not retain password history. We think it is associated to the Peopletools. Our corporate policy identifies those applications that are exceptions to the policy due to system limitations - Unix is one of them.
    Our internal SOX team states that we will take a deficiency if our PSHR cannot retail passwords.
    Does this seem valid to anyone?

  • Is your control that you keep password history?
    Or is the control that you can’t reuse previous password within a specific time frame?
    Our policy states that you can’t reuse passwords within a year. Also, passwords must be changed every 90 days. These are some of the controls.
    The way that some technologies enforce these settings/parameters is to keep a password history and keep track of the last time the password was changed. Our test scripts look for a password history as the mechanism to ensure the passwords are not reused frequently.
    We are now in the process of adjusting the policy to clarify the enforcement. Technology will be used to enforce the policy to the degree possible and then each user enforces any gaps manually until the technology catches up.
    Our unix platform keeps the previous password only. Also it doesn’t have a setting for exactly changing the password every 90 days. This is set to 84 days to force a password change. The gap of ensuring the same password is not being used over again with a year’s time frame has to be the responsibility of each individual user until technology catches up or there add-on software to enforce this rule. For us, this is an exception with an explanation.
    For the Microsoft platform there is additional software that can enforce all your requirements for strong passwords. Haven’t seen that yet for unix but I hear it is coming.
    I’d suggest talking to Oracle/Peoplesoft about their up coming plans on capturing password history. They may have plans to address this in a patch or perhaps one is already available. also see whether other customers have had this challenge through user groups and other forums
    External auditors can be reasonable if everything is documented properly and it shows you have done your homework. In the short-term management may decide to accept the risk until technology catches up.

  • Has anyone taken or given a deficiency if an application cannot retain password history?

    I have seen this as a deficiency. However this is a deficiency in IT General Controls rather than as a business process deficiency. I would expect this deficiency - or departure from ‘best’ practice - to be evaluated along with other control objectives for this environment to determine whether this general controls for the application as a whole are effective or ineffective.
    A deficiency like this - on its own - I would not expect to be a cuase for concern.

Log in to reply