Password expiration - Non user IDs 2905

  • Quick help… I see that in Unix the default password setting can be overidden. I have raised an issue where some of the IDs passwords were changed somewhere 8 years back. For obvious reasons they did not want to enforce password change every 90 days. Now per control thiss would be a failure but I get a push back saying that at default level its set at 90 days so this control cant be deficient. Morover i see that is password if known, one can SU into that account which has root equilalent privilages, Any thoughts on how to deal with this on SOX’s perpective.

  • Hi Kirna - While user accounts must be changed 60-90 days, often there is difficulty in changing System Account IDs that frequently. However, these are the most IMPORTANT ACCOUNTS to protect and passwords should be changed on at least an annual basis or when ADMINS leave the company
    One approach is to leave these passwords as permanent (no automatic expiration) but to diary an annual change date each year and manually change them. This way ADMINS can revise them and the associated jobs so that PROD outages do not occur. As part of the SOX process, this necessary change could be checked for assurrances it was completed.

Log in to reply