Is this a breach 2940

  • At my previous employers people shared passwords to the accounting software.
    Is this a breach? If so how can I report it?

  • It is only a breach of your internal controls if there is a no-share policy (which there should be). There is nothing to report externally on this other than possibly to your external auditor.

  • If the company is subject to the provisions of the Sarbanes-Oxley Act, then they would most certainly have one or more controls documented and in place around user access to critical financial applications. This password sharing would then be a failure in at least one of those control activities. That should be self-reported to the SOX compliance team at the company. They would likely assess it as a deficiency and require a remediation plan and then test at a later date to clear the deficiency.
    If they don’t have a documented control around this because they aren’t subject to SOX, then it just sounds more like a bad business practice on their part.

  • I agree with both responses above … To me, it’s indeed a weakness in SOX and General IT security controls.
    Password sharing is discouraged by COBIT 4 standards and most IT control audits as well (esp. if user ‘B’ is allowed to log in as user ‘A’). That destroys accountability, autonomy controls, and checks-and-balances, all of which are classical audit controls.
    Some packages may require a special password to invoke system capabilities in addition to user-level controls, and even that type of password sharing must come from IT security rather than from each other.
    While most professionals are honest and would not take advantage of this type of issue within a workgroup, it’s still a weakness in controls that increases risk and possible misuse. Unless there was a clear misuse of this to create fraudulent transactions, there may not be a need to report this as an actual ‘breach’.
    However, if you know the current SOX coordinator there, it’s certainly worth passing on the need to strengthen current practices.