SOX Password Management Guidelines



  • I would like to know if there are any specific SOX IT guidelines to manage Internet passwords and login procedures. I am currently writing up a project plan so that the password management process in several business to consumer sites comply with SOX IT guidelines. Customers do perform online transactions in these Internet sites, and they can save sensitive information such as Credit Card information in their online accounts. I am particularly interested in the SOX IT guidelines for the following:

    1. Password encryption (specific algorithm(s) need to be used for encryption, and do passwords need to have a specific format).
    2. Random password generation (specific algorithm and format required?)
    3. Forgotten Passwords process (i.e: customer forgets password and the customer can provide certain data so that either the existing or temporary password is sent to him/her by email).
    4. Requirements to log into a customer account (is User Name and Password enough, or is additional validation required, such as entering text from an image in an input box as required by this website?)
    I heard that there are some Federal Guidelines for Internet Passwords, but I am not sure about them.


  • SOX does not provide suggested password management practices and security guidelines. To my knowledge, I believe the CobiT Framework also does not provide specifics in this area. Possibly, the reasoning is due to the variability in people, process, systems and the sensitivity of information.
    Your question addressed password management issues, particularly in connection to the storage of credit card information. I think you will likely be more than compliant with SOX requirements if you simply comply with the PCI standards:
    Visa’s Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection (SDP) program have been aligned into the Payment Card Industry (PCI) Data Security Standard, which outlines best practices for securing credit card data that is stored, processed or transmitted.
    Merchants and service providers who store, transmit, or process credit card transactions must comply with this standard. Failure to comply can result in fines, restrictions being imposed by the card brand, or the merchant or service provider can be prohibited from accepting the card. Beyond compliance, true business risks relative to brand, customer loyalty and company valuation exist if the payment data is not securely managed.
    More information and specific requirements can be found online at:
    usa.visa.com/business/merchants/cisp_index.html.
    Additionally, you might perform an online search using the terms ‘CISP’ or ‘PCI’ and there are considerable online resources that may be useful.
    Regards,
    milan



  • Hi - I found a number of articles in Google for the search argument of ‘SOX password compliancy’.
    As Milan notes the SOX guidelines are more generalized, so that a wide range of computing platforms can be supported. Certainly, you want to assure that the application and associated data are protected from unauthorized access. There are many ‘Best Practices in Password Protection’ (another Google search), and the following ideas come to mind:

    • Strong passwords (that would not be found in hackers dictionary)
    • Use of password auditing tools to measure password strength
    • Password change and rotation controls (e.g., every 90 days)
    • Password lockout controls (so that bad guys can’t break in)
    • Procedures for terminating access promptly when needed
    • Minimalized access (giving folks just what they need and no more)
    • PIN #'s or other secondary controls used by Help Desk for resets
    • Special protections for Administrator or privileged user accounts

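A worked example of several of the controls in the list above (per-user salted PBKDF2 hashing, a weak-word strength check, lockout after repeated failures, and a 90-day rotation check), added here as illustration and not taken from the thread; the iteration count, lockout threshold and word list are assumed values, not a SOX or PCI requirement.

```python
import hashlib
import hmac
import os
import time

# Constructed sample of a "hacker dictionary"; a real deployment uses a large list.
WEAK_WORDS = {"password", "letmein", "welcome", "qwerty", "123456"}
PBKDF2_ITERATIONS = 200_000          # assumed cost parameter
MAX_FAILED = 5                       # assumed lockout threshold
ROTATION_SECONDS = 90 * 24 * 3600    # "every 90 days" from the list above


def password_is_strong(pw: str) -> bool:
    """Reject short passwords and anything on the weak-word list."""
    return len(pw) >= 12 and pw.lower() not in WEAK_WORDS


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    def __init__(self) -> None:
        self.accounts = {}

    def create(self, user: str, pw: str, now: float = 0.0) -> None:
        if not password_is_strong(pw):
            raise ValueError("password does not meet strength policy")
        salt, digest = hash_password(pw)
        self.accounts[user] = {"salt": salt, "hash": digest, "failed": 0,
                               "locked": False, "set_at": now or time.time()}

    def login(self, user: str, pw: str, now: float = 0.0) -> str:
        """Return 'ok', 'expired' (rotation due), 'locked' or 'denied'."""
        acct = self.accounts.get(user)
        if acct is None or acct["locked"]:
            return "locked" if acct else "denied"
        _, digest = hash_password(pw, acct["salt"])
        if not hmac.compare_digest(digest, acct["hash"]):   # constant-time compare
            acct["failed"] += 1
            if acct["failed"] >= MAX_FAILED:
                acct["locked"] = True                        # lockout control
            return "denied"
        acct["failed"] = 0
        now = now or time.time()
        return "expired" if now - acct["set_at"] > ROTATION_SECONDS else "ok"
```

A locked account stays locked until a separate reset path (for example the Help Desk PIN check from the list) clears the flag.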