Is password expiration really mandatory?

  • Hi,
    found another thread on this issue without complete answers.
    I searched section 404 without finding a statement that password expiration is mandatory.
    Is it mandatory according to SOX? What period is required by SOX?

  • I doubt that you have attentively read other posts dealing with passwords or user access rights on this forum. I have answered at least one of those posts. It is annoying to have to repeat the same basic things over and over again if people do not search the existing threads first.
    Section 404 of the Sarbanes-Oxley Act requires an issuer’s management to assess the effectiveness of the issuer’s internal control over financial reporting and the issuer’s registered public accountant to audit the effectiveness of internal control over financial reporting. The objective is to assure the accuracy and the reliability of financial reporting. The law and the regulations do not mention IT.
    Does the system have anything to do with accounting or financial reporting so that unauthorized access could result in fraud or errors of a magnitude that would be material in relation to the consolidated financial statements? What about the other compensating controls around passwords (minimum length, content, number of invalid login attempts after which the user-ID is blocked and any procedure for unblocking blocked user-IDs, etc.)? Having passwords expire after some time is simply a good practice for IT security.
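
A concrete form of the controls listed above, added here as an example and not part of this thread or any poster's own tooling: a small Python audit that reads constructed /etc/shadow records and a constructed /etc/login.defs excerpt, then flags accounts whose password never expires or is past its maximum age, and host-wide defaults that are weaker than a chosen policy. The 90-day and 12-character thresholds are assumptions for illustration, not figures that SOX or anyone in this thread prescribes.

```python
"""Audit password-ageing controls on a Linux host.

Added example; the account records and login.defs excerpt below are
constructed, not taken from any real system. Field layout follows
shadow(5): name:hash:lastchange:min:max:warn:inactive:expire:reserved.
lastchange is days since 1970-01-01; a max field that is empty or 99999
means the password never expires. The policy values (90 days, 12
characters) are assumptions, not anything SOX itself prescribes.
"""
from dataclasses import dataclass

NEVER_EXPIRES = 99999

# Constructed /etc/shadow content (hashes are placeholders).
SAMPLE_SHADOW = """\
root:$6$salt$hash:19700:0:90:7:::
appsvc:$6$salt$hash:18000:0:99999:7:::
jdoe:$6$salt$hash:19600:0:90:7:::
oldsvc:$6$salt$hash:17000:0::7:::
locked:!$6$salt$hash:19700:0:90:7:::
nopass::19700:0:90:7:::
"""

# Constructed /etc/login.defs excerpt with the weak defaults many
# distributions ship out of the box.
SAMPLE_LOGIN_DEFS = """\
# excerpt
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""


@dataclass
class Finding:
    user: str   # account name, or "(policy)" for host-wide settings
    issue: str


def parse_shadow(text):
    """Yield the colon-separated fields of each non-empty shadow line."""
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            # Pad so every record has the nine shadow(5) fields.
            yield fields + [""] * (9 - len(fields))


def audit_shadow(text, today, max_age_days=90):
    """Flag accounts whose password never expires or is past its max age.

    today: current date in days since the epoch, the unit shadow(5) uses.
    """
    findings = []
    for user, pwhash, last, _minage, maxage, *_ in parse_shadow(text):
        if pwhash.startswith(("!", "*")):
            continue  # locked: password authentication is disabled
        if pwhash == "":
            findings.append(Finding(user, "empty password field"))
            continue
        if maxage == "" or int(maxage) >= NEVER_EXPIRES:
            findings.append(Finding(user, "password never expires"))
        elif int(maxage) > max_age_days:
            findings.append(Finding(user, f"max age {maxage} exceeds {max_age_days} days"))
        elif last != "" and today - int(last) > int(maxage):
            findings.append(Finding(user, "password older than its max age"))
    return findings


def audit_login_defs(text, max_age_days=90, min_len=12):
    """Check the host-wide ageing and length defaults new accounts inherit."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    findings = []
    if int(settings.get("PASS_MAX_DAYS", NEVER_EXPIRES)) > max_age_days:
        findings.append(Finding("(policy)", f"PASS_MAX_DAYS exceeds {max_age_days}"))
    if int(settings.get("PASS_MIN_LEN", 0)) < min_len:
        findings.append(Finding("(policy)", f"PASS_MIN_LEN below {min_len}"))
    return findings


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW, today=19750) + audit_login_defs(SAMPLE_LOGIN_DEFS):
        print(f"{f.user}: {f.issue}")
```

Run against a real host, the script needs root to read /etc/shadow, and two caveats apply: locked accounts are skipped only because password login is disabled for them (key-based SSH may still work), and on modern PAM stacks the minimum length is enforced by pam_pwquality or pam_cracklib rather than PASS_MIN_LEN, so that check on its own is not conclusive.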

  • gmerkl - if we didn’t have the repeat questions, the posts in this forum would decline by at least 25%

  • gmerkl,
    IMHO you are being unfriendly; I don’t consider this an appropriate behavior here (or elsewhere)
    Is it me or did you not give an answer to my question; or can I count this as a NO (password expiry is not regulated in section 404)?

    Having passwords expire after some time is simply a good practice for IT security.
    Not everybody’s opinion.

  • SOX does not Mandate passwords to expire.
    But why is it required? Using the same password for an extended period gives the naughty minds an extended period for guessing passwords and exploiting privileges. Now, not all user profiles are critical, but few are extremely critical…
    Given an option, not many people will change the password (and due to laziness use similar, same or weak passwords). This is the reason why password security policies are Enforced and not left to the user’s option to select or deselect.
    Hope this answers your question.

    Unfriendly or not, you have asked a question that could have been answered by using the search functionality on this forum. Sometimes you have to accept that this will irritate people who give their time and professional advice free of charge. gmerkl is one of our top posters on this site.
    There are two good discussions on this subject (found by a keyword search on ‘password expiry’) here:

  • Josef,
    I was not being unfriendly, I was simply annoyed and doubted that you had attentively read other posts dealing with passwords or user access rights on this forum. As Denis has shown you, a search of this forum retrieves at least two posts that deal with passwords and there are a few more that deal with user access rights. Maybe you can enlighten us whether you performed a search for existing posts on the same subject and why you did not find any threads. You should keep in mind that despite being annoyed, I took the time to answer your question in a considerable amount of detail.
    In my post, I have explained that Sarbanes-Oxley section 404 only deals with financial reporting. I have stated that ‘The law and the regulations do not mention IT.’ Password expiration is an IT topic. As a consequence, the Sarbanes-Oxley Act does not contain a requirement to have passwords expire after a certain time. So I answered your question.
    OK, in your opinion mandatory password expiration being a good practice in IT security is not everybody’s opinion. I think that you will have a hard time finding any IT auditor or IT security professional who thinks that mandatory password expiration is not a good practice in IT security. I used to be a Certified Information Systems Auditor and have audited the password security of the operating system, database and application layer at various subsidiaries. I do not think that I found a single system that did not enforce the change of passwords.

  • Hi Josef – YES - For financial systems there’s material RISK as I view it in having a permanent non-expiring password … This will also be something that’s on the checklist by SOX auditors as well, and they will most likely document concerns to Sr. Mgt. if passwords are not routinely changed for Financial applications.
    SOX 404 consists of nebulous regulatory principles and not specifics – this is because IT controls will vary widely from company to company. COBIT 4 however discusses IT controls in depth and can be viewed as a more detailed implementation of SOX 404 (as a model that many SOX auditors follow).
    Please use this link to obtain a copy of COBIT 4.x which has 00’s of pages of guidelines and best practices many auditors look for in addressing SOX requirements for automated IT Financial systems.
    COBIT 4.x - Free after registration

  • P.S. I greatly respect the knowledge of gmerkl, Denis, kymike, NC, and others who are truly experts here. Please keep in mind that Sarbanes-Oxley is written at a very high level and in a way that is flexible for a wide range of companies, IT systems, and workflow requirements.
    There are no absolutes on some of these issues. SOX is a risk assessment exercise, rather than a template of ‘do’s’ and ‘dont’s’. This is why some companies can go to extremes in one area and miss something in another area. For example, I’ve seen one company go out of their way with highly inefficient procedures, because they felt they couldn’t rely on electronic timestamps – and they had to have a paper copy to back it up.
    I can even see possible exceptions for non-expiring passwords (e.g., maybe an internal use only web app that’s not critical and highly public?). But to me, it would be the exception, and I would err on the side of rotating passwords where possible. That’s why I replied YES in my answer above - you want to keep this at a minimum as it’s not a best security practice (and if audit was convinced it were a material risk, it could lead to comments shared with Sr Mgt).
    RECOMMENDATION: I’ve always recommended that folks check with their SOX Auditors as well for advice, as your mileage can vary on what is truly a material risk or not. They are the ones that are either going to pass or fail these types of situations to senior management.