SOX and Email Encryption?



  • Hi everyone,
    I’ve browsed enough to see that y’all know your stuff, but also that SOX has a few gray areas. Here’s the one currently on the top of my list:
    My company has a 3rd-party vendor we use for web-based applications for our clients. As such, we often email their company with new logins for new clients of ours, so the new client can have access to the web-based systems. A question has arisen about the need to encrypt those usernames/passwords while in transit to and from our 3rd-party vendor. So first, is that a SOX issue, and second, what would your recommendations for sending/receiving information like that be?
    Thanks in advance.



  • Hi,
    As a general rule, do not encrypt the information that you don’t mind sharing with the internet community.
    To your first question, it might be a SOX issue if the ability to access web-based systems allows the user to make changes to information contained in or reported in the financial statements.
    Certainly, one could assert that inadequate security over confidential sign-on information directly impacts data security. Information security is considered one of the key domains in the CobiT Framework. Thus, security of username/password information could be considered relevant for SOX purposes.
    Milan



  • Hi and welcome 🙂 I agree with Milan’s comments on the need for better protection of the sign-on information.
    Yes, EMAIL encryption can provide one possible solution. One easy-to-implement idea might be to use password protected Word, ZIP, or other attachments to transmit this information rather than using clear text. I’d use strong passwords and rotate to a new password maybe every 90 to 120 days. You can also explore more advanced options like PGP based encrypted email as well.



  • Is it just me, or… ?
    Sending usernames and passwords like that sounds a bit old-fashioned. It’s like when your credit card company sends you the PIN code via ‘snail’ mail.
    Talk to your 3rd-party vendor, get an HTTPS website or an SSH connection set up, and avoid the entire thing.
    The place where emails are most likely to be stolen is in the inbox or on the printer anyways, not during transfer.
    And Harry, Word / zip-passwords are not safe.



  • And Harry, Word / zip-passwords are not safe.
    Irqui shares some good points on this 🙂 … While the ‘quick and dirty’ approach of password protecting attachments is better than clear text – you should do this right the 1st time. Encrypting these special email messages with strong security is probably your best solution, if email is the preferred technique for exchanging this confidential information (e.g., use at least 256 bit encryption techniques or higher). Irqui’s idea of setting up a secure server webpage (HTTPS) to convey this information can provide a good alternative to email and it’s less likely to get lost.
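The HTTPS hand-off that Irqui and Harry prefer over emailing passwords usually takes the shape of a one-time pickup link: the email carries only a random, short-lived token, and the credential is fetched once over HTTPS and then destroyed. The following is an added example of the server-side piece of that pattern, not code from the original thread; the class name, the one-hour TTL and the injectable clock are assumptions for illustration.

```python
import hashlib
import secrets
import time


class OneTimeCredentialStore:
    """Server-side store behind an HTTPS credential pickup page.

    deposit() returns a random token that goes into the email instead of the
    password; retrieve() hands the credential back at most once and only
    within the time-to-live, so a stale or forwarded mailbox holds nothing
    usable. The clock is injectable so expiry can be tested deterministically.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}  # sha256(token) -> (credential, expires_at)

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored, so a copy of the store on its
        # own does not yield working pickup links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def deposit(self, credential):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._entries[self._key(token)] = (credential, self._clock() + self._ttl)
        return token

    def retrieve(self, token):
        # pop() removes the entry on first use; a second pickup gets None.
        entry = self._entries.pop(self._key(token), None)
        if entry is None:
            return None
        credential, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired links are discarded, never returned
        return credential

    def purge_expired(self):
        """Housekeeping for links that were never picked up; returns count."""
        now = self._clock()
        stale = [k for k, (_, exp) in self._entries.items() if now > exp]
        for k in stale:
            del self._entries[k]
        return len(stale)


if __name__ == "__main__":
    store = OneTimeCredentialStore(ttl_seconds=60)
    link_token = store.deposit({"username": "acme_user", "password": "constructed-example"})
    print("pickup once:", store.retrieve(link_token))
    print("pickup again:", store.retrieve(link_token))  # None
```

The web layer is expected to serve the pickup page over HTTPS only and to log each retrieval, so a pickup that the intended recipient did not perform becomes a detectable event rather than a silent leak.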



  • Thanks for the responses, I figured you guys would know. 😎
    And after a little more research (go google go.), Word/Adobe passwords seem easily bypassed. From what I’ve read, the 256-AES on WinZip can be cracked, but most attacks seem to stem from having access to either the recipient’s or sender’s data. And once an attacker has a rootkit… zoiks. Then HTTPS wouldn’t help either… lol.
    Anyway, thanks for the help, and as long as I remember, I’ll let ya know what method we settle on.



  • Hi NG … With a few email accounts (e.g., GMAIL, Yahoo, and your corporate account), you might be able to emulate a test environment. You could then try PGP or Blowfish email encryption techniques to get a reasonable level of security.
    No matter what you use, there might be a way for the bad guys to get in. With email, you can get fairly sophisticated with digital certifications, public/private keys, etc. – so you want to balance good security with ease-of-use on both ends 🙂
    I still think HTTPS is a very good solution 🙂 Rootkits should be rare in the business environment. Usually, in a corporate setting anti-virus software should prevent or detect these on client PCs. If there is a rootkit somewhere on your network, you’ve got more problems than just email.
    Actually, what you’ve shared originally is very common in a lot of password situations. For example, if you lose your password in Yahoo, GMAIL, or most phpBB forums, you’ll get one mailed back to you unencrypted 😉 Good luck and let us know 😎
    Add www to links below
    google.com/search?hl=en&q=email encryption techniques
    google.com/search?hl=en&q=pgp email encryption
    pgp.com/
    google.com/search?hl=en&q=blowfish email encryption
    topshareware.com/guide/hot/blowfish.htm



  • When communicating a password to a user internally via Outlook should the email be encrypted? Should it contain both the server name and password? Are there any hard and fast rules on this?



  • Yes - Password resets by the Help Desk should be controlled in terms of confidentiality. Usually, the Help Desk should register users and include a PIN plus ‘secret questions’ for remote password resets. These emails should use encryption (usually built into many email systems, and sensitive messages should be set to use this).

