Login failure review - criteria 2709

  • New to SOX and we are implementing controls around login failures and the review of them. At this point our threshold is 10 or more failures in a 30 minute period. This is proving to be a challenging threshold as it results in hundreds of accounts to review (per week).
    Looking for guidance around how to frame the criteria for this weekly review. We have an AD policy in place such that 5 attempts within 15 minutes result in an account lockout for 30 minutes.
    If you've put in place, or have an established review of login failures in place, I look forward to hearing how you've implemented it and perform it.
    Thanks in advance.

  • Hi Jeff - As SOX 404 is silent on specifics, it encourages firms in a flexible manner to ensure their IT financial systems are properly secured and controlled (using a self assessment approach that is later evaluated by SOX external auditors).
    Certainly, logging and actively monitoring IT security events is important for ITGC and SOX 404 compliance. Some ideas for this include:
    – Sometimes Intrusion Detection Software (IDS) or security suites (e.g., KSA, Bindview, etc) can provide reporting capabilities
    – If you can’t actively review all items, you might randomly sample a certain number (e.g., 25 per week instead of 100).
    – Sometimes the SOX External auditor can share guidance on what they feel would be acceptable
    – The COBIT 4 standards are often what external SOX auditors use to evaluate IT controls for financial systems and a free copy can be obtained in these links:
    Free COBIT 4.x PDF copy by registering with ISACA

  • Does the password protected system house an application that is material for the organization’s consolidated financial statements (i.e. is at least reviewed as a basis for manual or automated inputs in financial accounting)?
    If yes, doesn't your system allow the blocking of user-IDs after three (or more) CONSECUTIVE invalid (i.e. wrong) password attempts (i.e. there is no login with the correct password in between, and the time period between the logins is irrelevant)? This is a very effective preventive control even if passwords are rather weak in length and composition. If, in addition, the person in charge of unblocking user accounts is required to contact and verify the identity of the user and ask whether it was really him that entered the invalid password on day X at time Y, then you have strong controls and know if anybody is trying to obtain unauthorized access.
    If this blocking policy is not an option, consider only reviewing invalid login attempts for user-IDs with more powerful access rights and/or only a sample of invalid login attempts.
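
The two rules discussed in this thread (the original poster's "10 or more failures in 30 minutes" window and the consecutive-failure blocking described in the reply above) behave quite differently against the same log, and a sample-or-privileged-only review is easy to script once both counts are available. The following is an added example, not code from the original thread or from any product mentioned in it. The log line format, the account names, the privileged-account set and the sample events are all constructed for illustration; the thresholds are the ones the thread mentions and are meant to be tuned.

```python
# Added example, not code from the original thread: triage login failures two
# ways, a sliding 30-minute window count and a consecutive-failure count that
# ignores time, then list privileged accounts first. The log format, account
# names, privileged set and sample events are all constructed for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

REVIEW_WINDOW = timedelta(minutes=30)    # the 30-minute period from the thread
WINDOW_THRESHOLD = 10                    # 10 or more failures in that window
CONSECUTIVE_THRESHOLD = 3                # 3 consecutive failures, any time span
PRIVILEGED = {"admin-db", "svc-backup"}  # assumed high-privilege accounts

# Constructed sample events, "<ISO timestamp> <account> <FAIL|OK>" per line.
SAMPLE_LOG = """\
2024-03-04T08:00:00 jsmith FAIL
2024-03-04T08:01:00 jsmith FAIL
2024-03-04T08:02:00 jsmith FAIL
2024-03-04T08:03:00 jsmith FAIL
2024-03-04T08:04:00 jsmith FAIL
2024-03-04T08:05:00 jsmith FAIL
2024-03-04T08:06:00 jsmith FAIL
2024-03-04T08:07:00 jsmith FAIL
2024-03-04T08:08:00 jsmith FAIL
2024-03-04T08:09:00 jsmith FAIL
2024-03-04T08:10:00 jsmith OK
2024-03-04T08:00:00 mjones FAIL
2024-03-04T08:01:00 mjones FAIL
2024-03-04T08:02:00 mjones OK
2024-03-04T08:03:00 mjones FAIL
2024-03-04T08:04:00 mjones FAIL
2024-03-04T08:05:00 mjones OK
2024-03-04T09:00:00 admin-db FAIL
2024-03-05T09:00:00 admin-db FAIL
2024-03-06T09:00:00 admin-db FAIL
2024-03-04T10:00:00 svc-backup FAIL
2024-03-04T10:10:00 svc-backup FAIL
2024-03-04T10:20:00 svc-backup FAIL
2024-03-04T10:30:00 svc-backup FAIL
2024-03-04T10:40:00 svc-backup FAIL
2024-03-04T10:50:00 svc-backup FAIL
"""


def parse_log(text):
    """Return a time-sorted list of (timestamp, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, outcome = line.split()
            events.append((datetime.fromisoformat(ts), account, outcome == "OK"))
    return sorted(events)


def max_failures_in_window(events, window=REVIEW_WINDOW):
    """Peak number of failures per account inside any `window`-long period."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, account, ok in events:
        if ok:
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        peak[account] = max(peak[account], len(q))
    return dict(peak)


def max_consecutive_failures(events):
    """Longest run of failures per account with no success in between."""
    run, peak = defaultdict(int), defaultdict(int)
    for _, account, ok in events:
        run[account] = 0 if ok else run[account] + 1
        peak[account] = max(peak[account], run[account])
    return dict(peak)


def triage(events, privileged=PRIVILEGED):
    """Accounts breaching either rule as (account, is_privileged, reasons),
    privileged accounts first so a sampled review starts with them."""
    windowed = max_failures_in_window(events)
    runs = max_consecutive_failures(events)
    findings = []
    for account in set(windowed) | set(runs):
        reasons = []
        if windowed.get(account, 0) >= WINDOW_THRESHOLD:
            reasons.append(f"{windowed[account]} failures within {REVIEW_WINDOW}")
        if runs.get(account, 0) >= CONSECUTIVE_THRESHOLD:
            reasons.append(f"{runs[account]} consecutive failures")
        if reasons:
            findings.append((account, account in privileged, reasons))
    return sorted(findings, key=lambda f: (not f[1], f[0]))


if __name__ == "__main__":
    for account, priv, reasons in triage(parse_log(SAMPLE_LOG)):
        print(f"{'PRIV ' if priv else '     '}{account}: {'; '.join(reasons)}")
```

On the constructed sample the window rule flags only jsmith (10 failures in 10 minutes), while the consecutive rule also catches admin-db (three wrong passwords a day apart, which no 30-minute window ever sees) and svc-backup (a slow, steady failure pattern that never puts more than four failures in one window). Whichever rule is adopted, the consecutive count is the one that survives an attacker pacing attempts to stay under a time-based lockout.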

  • Hello.
    Nowadays all of us are facing different types of cyber crimes. Many of us may have encountered the problem of bank account theft. Cyber criminals hack our bank account number and password and transfer money to their accounts or take all of our money through an ATM. They are so efficient that they have sent an email to Obama describing his account number and password. This has made him think seriously about cyber crime.

  • Yes, security violations of this nature are numerous and very serious as well. While somewhat outside the scope of SOX itself, this is still an area of risk to both companies and individuals.
    Companies have a fiduciary responsibility to safeguard their customer accounts and information (e.g., PCI/DSS standards). Depending on the type of business and nature of credit card usage, there may even be some SOX related controls established (depending on whether material risks are deemed present).
    Likewise individuals have a role in their own personal protection (e.g., to avoid malware traps and infections, avoid phishing scams, safeguard their personal/account info, etc). As one of my formal classes taught:
    SECURITY = SEC-U-R-IT-Y (‘You are it’ – and play a vital role)
    In the dozen or so years I've evaluated this issue, I see it more on the bank's side to improve. It's much too easy to obtain and use credit cards by phone or web these days, and tough to genuinely prove that the person on the other side of that remote transaction is who they say they are.
