SOX compliant password???



  • I have a user who does not want to change her password to a more complex one (she happens to be the controller). She is asking me to prove to her what a SOX compliant password is. So that is my question.
    What is REQUIRED for a SOX compliant password?



  • The Sarbanes-Oxley Act and the regulations of the US Securities and Exchange Commission that implement it deal with assuring the accuracy and reliability of disclosures to investors. There are no IT specific provisions in it. So what you are looking for does not exist.
    What are your overall security controls around passwords?

    1. What is the minimum length for passwords?
    2. After how many invalid login attempts is the user-ID blocked for further login attempts and what is the process to unblock it?
    3. How often do passwords need to be changed?
    4. Does the system enforce that there also must be other symbols than characters in the password?
    5. Is there an automatic list of forbidden passwords?

    If point two is a low number and if the process to unblock the passwords is effective, then an unauthorized person does not have many attempts to ‘guess’ her password anyhow. The most important issue is that she knows that it should not be a password that somebody could easily guess or find out about her (e.g. name of family member, name of pet, etc.) and guess on the first three tries.


  • A SOX compliant password does not exist. The act does not lay down any such requirement at all.
    You may consider the components that gmerkl suggested.
    Another approach may be to try and explain to the controller what the risks surrounding a weak password are. Another option is to enforce password rules and not leave any option for the controller.
    Rules like:

    1. PW to be alphanumeric
    2. PW to have minimum of 1 special character
    3. PW to have minimum of one Upper case character
    4. PW to be changed every XX number of days
    5. Set the system to remember X number of previous passwords so that they are not repeated
    6. Password length to be minimum of 8 characters
    7. Password and username not to be the same
    8. Specify a list of generic passwords that cannot be used.

    The above is just an inclusive list.
    Cheers
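The controls listed in this reply and in gmerkl's post above (length, character classes, username mismatch, a banned-password list, a password history, and blocking a user-ID after a small number of failed logins) can all be enforced in code. The following is an added example written for this thread, not code from any poster or product. The thresholds (8 characters, 3 failed attempts, 5 remembered passwords) and the banned-word list are assumed values for the demo; a real deployment would take them from the company policy.

```python
"""Password-policy and lockout checks for the controls discussed in the thread.

Added example, not from the forum posts. Thresholds and the banned list are
assumptions chosen for the demo.
"""
import hashlib
import os
import string
from dataclasses import dataclass, field
from typing import List, Optional

MIN_LENGTH = 8            # rule 6: minimum length (assumed value)
HISTORY_SIZE = 5          # rule 5: remember X previous passwords (assumed value)
MAX_FAILED_ATTEMPTS = 3   # earlier post, point 2: block after N bad logins (assumed value)
SPECIALS = set(string.punctuation)

# Constructed list of generic passwords that must not be used (rule 8).
BANNED = {"password", "welcome", "letmein", "qwerty", "123456", "admin"}


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so the history never stores plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PasswordHistory:
    """Keeps salted hashes of the last HISTORY_SIZE passwords for one user."""
    entries: list = field(default_factory=list)  # (salt, digest) pairs, oldest first

    def contains(self, password: str) -> bool:
        return any(_hash(password, salt) == digest for salt, digest in self.entries)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-HISTORY_SIZE]  # drop everything older than the newest HISTORY_SIZE


def check_password(password: str, username: str,
                   history: Optional[PasswordHistory] = None) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        problems.append("must contain both letters and digits")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case character")
    if password.lower() == username.lower():
        problems.append("same as username")
    if password.lower() in BANNED:
        problems.append("on the banned-password list")
    if history is not None and history.contains(password):
        problems.append(f"reused within the last {HISTORY_SIZE} passwords")
    return problems


@dataclass
class LoginGuard:
    """Counts consecutive failed logins and blocks the user-ID after MAX_FAILED_ATTEMPTS."""
    failed: int = 0
    blocked: bool = False

    def record_attempt(self, success: bool) -> bool:
        """Record one login attempt; return True if the account is now blocked."""
        if self.blocked:
            return True
        if success:
            self.failed = 0
        else:
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.blocked = True
        return self.blocked

    def unblock(self) -> None:
        """Administrative reset, to be run only after the user's identity is verified."""
        self.failed = 0
        self.blocked = False


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.add("Spring!2009")  # constructed previous password
    for candidate in ("password", "Controller", "Spring!2009", "Ledger#7721"):
        print(f"{candidate!r} -> {check_password(candidate, 'controller', hist) or 'OK'}")
    guard = LoginGuard()
    for attempt in range(MAX_FAILED_ATTEMPTS):
        print(f"failed attempt {attempt + 1}, blocked: {guard.record_attempt(False)}")
```

`check_password` reports every rule a candidate breaks rather than stopping at the first, which is what a user needs to see when a change is rejected; the history holds salted PBKDF2 hashes rather than plaintext so that a leaked history file does not hand over old passwords.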


  • Hi and welcome to the forums 🙂
    Both posts above offer great recommendations. SOX 404 is silent on the ‘how to’ aspects of compliance when it comes to passwords. This is to allow a wide variety of companies with differing technologies flexibility in meeting requirements. Given major corporate data breaches around the world, complex passwords are a minimum in today’s environment for every point of access.
    However, SOX 404 requires compensating controls for IT security risks. Weak passwords could lead to unauthorized users gaining access to sensitive customer or financial information. Hackers or crackers may use tools to discover weak ones (e.g., common passwords found in a hacker’s dictionary). There are even some malware attacks that can automatically open up access if the password is too weak.
    There’s even an MS08-067 based virus called Conficker.B that can gain access without human intervention if it is able to log in automatically with a weak password (some info on this threat noted below):
    http://msmvps.com/blogs/harrywaldron/archive/2009/01/20/ms08-067-conficker-mitigation-resources-from-microsoft.aspx
    As internal compliance for SOX 404 is assessed by external SOX auditors, this type of finding would be presented to management. While this audit critique may not jeopardize whether SOX requirements were satisfactory for the year, it’s a chance most firms would not want to take.
    Secondly, the Comptroller is among THE MOST IMPORTANT financial officers in the company. They most likely have some of the most sensitive levels of access and highest levels of financial autonomy in the company. This job role needs to ‘think security’. I’m not saying that to critique this specific case, as I also despise passwords myself. It’s very important to ensure the good controls suggested by the two gentlemen above are implemented for every IT system possible.
    Password complexity should be on by default in Windows and other applicable environments. Below is one resource that will allow potential passwords to be tested for complexity:
    http://www.microsoft.com/protect/yourself/password/checker.mspx
    I’d suggest working with the external SOX auditor if you have questions about how they expect complex passwords to be met. Having dozens of passwords, I empathize with the need to have to deal with password management. Writing down the password somewhere and hiding it well might help, as most individuals are resistant because they don’t want to lose access.
    Finally, after over a decade in the IT security field, 2-factor authentication is an even more secure route to go (as even complex passwords can eventually be cracked by some of the tools out there over time). RSA’s ‘SecurID’ or similar token based security devices are expensive, tough to administer, and can even be a hassle for users (esp. if they misplace their token). However, they offer much improved security and the user avoids having to constantly remember their passwords.



  • Some additional ideas … COBIT is used by many external SAS auditors to provide guidelines for controlling automated financial systems. This resource may be helpful to research IT needs:
    Free COBIT 4.x PDF copy by registering with ISACA
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=1920
    Microsoft’s complex password guidelines
    http://www.microsoft.com/protect/yourself/password/create.mspx



  • One additional way to approach this is that if a company policy exists regarding password length, complexity, etc., the controller needs to be in compliance. Noncompliance would be a control deficiency.
    The best way to ensure compliance is through system controls that require a certain password length/complexity.

